commit: a223ccaf9ede7fc52fdb9d5ba5a62b0c8d72ae30 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
AuthorDate: Sat Apr 1 16:08:42 2017 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Mon Apr 10 16:44:59 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a223ccaf |
|
systemd-nspawn again |
|
This patch doesn't do everything that is needed to have systemd-nspawn work. |
But it does everything that is needed and which I have written in a clear and |
uncontroversial way. I think it's best to get this upstream now and then |
either have a separate discussion about the more difficult issues, or wait |
until I devise a way of solving those problems that's not too hacky. |
|
Who knows, maybe someone else will devise a brilliant solution to the remaining |
issues after this is accepted upstream. |
|
Also there's a tiny patch for systemd_machined_t that is required by |
systemd_nspawn_t. |
|
Description: systemd-nspawn |
Author: Russell Coker <russell <AT> coker.com.au> |
Last-Update: 2017-03-29 |
|
policy/modules/kernel/devices.if | 36 ++++++++++ |
policy/modules/kernel/devices.te | 2 +- |
policy/modules/kernel/files.if | 18 +++++ |
policy/modules/kernel/files.te | 2 +- |
policy/modules/kernel/filesystem.if | 18 +++++ |
policy/modules/kernel/filesystem.te | 2 +- |
policy/modules/kernel/kernel.if | 135 ++++++++++++++++++++++++++++++++++++ |
policy/modules/kernel/kernel.te | 2 +- |
policy/modules/kernel/terminal.if | 18 +++++ |
policy/modules/kernel/terminal.te | 2 +- |
policy/modules/system/init.if | 48 +++++++------ |
policy/modules/system/init.te | 2 +- |
policy/modules/system/systemd.te | 119 ++++++++++++++++++++++++++++++- |
13 files changed, 375 insertions(+), 29 deletions(-) |
|
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if |
42 |
index c5af9342..1f1fbca6 100644 |
43 |
--- a/policy/modules/kernel/devices.if |
44 |
+++ b/policy/modules/kernel/devices.if |
45 |
@@ -4064,6 +4064,24 @@ interface(`dev_getattr_sysfs',` |
46 |
|
47 |
######################################## |
48 |
## <summary> |
49 |
+## mount a sysfs filesystem |
50 |
+## </summary> |
51 |
+## <param name="domain"> |
52 |
+## <summary> |
53 |
+## Domain allowed access. |
54 |
+## </summary> |
55 |
+## </param> |
56 |
+# |
57 |
+interface(`dev_mount_sysfs',` |
58 |
+ gen_require(` |
59 |
+ type sysfs_t; |
60 |
+ ') |
61 |
+ |
62 |
+ allow $1 sysfs_t:filesystem mount; |
63 |
+') |
64 |
+ |
65 |
+######################################## |
66 |
+## <summary> |
67 |
## Do not audit getting the attributes of sysfs filesystem |
68 |
## </summary> |
69 |
## <param name="domain"> |
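Review bot: The summary of the new `dev_mount_sysfs` interface, `## mount a sysfs filesystem`, is lower-case and unterminated, unlike the neighbouring `## Do not audit getting the attributes of sysfs filesystem` and the rest of the file; the generated interface documentation is built from these lines, so it should read `## Mount a sysfs filesystem.`. The same applies to `dev_mounton_sysfs_dirs` in the next hunk (`## Mount on sysfs directories.`), to `files_mounton_pid_dirs` in files.if (`## Mount on /var/run directories.`), to `kernel_mount_proc`/`kernel_remount_proc` in kernel.if and to `term_mount_devpts` in terminal.if.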
70 |
@@ -4082,6 +4100,24 @@ interface(`dev_dontaudit_getattr_sysfs',` |
71 |
|
72 |
######################################## |
73 |
## <summary> |
74 |
+## mounton sysfs directories. |
75 |
+## </summary> |
76 |
+## <param name="domain"> |
77 |
+## <summary> |
78 |
+## Domain allowed access. |
79 |
+## </summary> |
80 |
+## </param> |
81 |
+# |
82 |
+interface(`dev_mounton_sysfs_dirs',` |
83 |
+ gen_require(` |
84 |
+ type sysfs_t; |
85 |
+ ') |
86 |
+ |
87 |
+ allow $1 sysfs_t:dir mounton; |
88 |
+') |
89 |
+ |
90 |
+######################################## |
91 |
+## <summary> |
92 |
## Search the sysfs directories. |
93 |
## </summary> |
94 |
## <param name="domain"> |
95 |
|
96 |
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te |
97 |
index e15c26c3..277a6a19 100644 |
98 |
--- a/policy/modules/kernel/devices.te |
99 |
+++ b/policy/modules/kernel/devices.te |
100 |
@@ -1,4 +1,4 @@ |
101 |
-policy_module(devices, 1.20.5) |
102 |
+policy_module(devices, 1.20.6) |
103 |
|
104 |
######################################## |
105 |
# |
106 |
|
107 |
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if |
108 |
index 9d7a929a..9f9fdded 100644 |
109 |
--- a/policy/modules/kernel/files.if |
110 |
+++ b/policy/modules/kernel/files.if |
111 |
@@ -6340,6 +6340,24 @@ interface(`files_dontaudit_getattr_pid_dirs',` |
112 |
|
113 |
######################################## |
114 |
## <summary> |
115 |
+## mounton a /var/run directory. |
116 |
+## </summary> |
117 |
+## <param name="domain"> |
118 |
+## <summary> |
119 |
+## Domain allowed access. |
120 |
+## </summary> |
121 |
+## </param> |
122 |
+# |
123 |
+interface(`files_mounton_pid_dirs',` |
124 |
+ gen_require(` |
125 |
+ type var_run_t; |
126 |
+ ') |
127 |
+ |
128 |
+ allow $1 var_run_t:dir mounton; |
129 |
+') |
130 |
+ |
131 |
+######################################## |
132 |
+## <summary> |
133 |
## Set the attributes of the /var/run directory. |
134 |
## </summary> |
135 |
## <param name="domain"> |
136 |
|
137 |
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te |
138 |
index 10001b15..33c92c70 100644 |
139 |
--- a/policy/modules/kernel/files.te |
140 |
+++ b/policy/modules/kernel/files.te |
141 |
@@ -1,4 +1,4 @@ |
142 |
-policy_module(files, 1.23.8) |
143 |
+policy_module(files, 1.23.9) |
144 |
|
145 |
######################################## |
146 |
# |
147 |
|
148 |
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if |
149 |
index bba3e389..cfaa3e85 100644 |
150 |
--- a/policy/modules/kernel/filesystem.if |
151 |
+++ b/policy/modules/kernel/filesystem.if |
152 |
@@ -4160,6 +4160,24 @@ interface(`fs_mounton_tmpfs',` |
153 |
|
154 |
######################################## |
155 |
## <summary> |
156 |
+## Mount on tmpfs files. |
157 |
+## </summary> |
158 |
+## <param name="domain"> |
159 |
+## <summary> |
160 |
+## Domain allowed access. |
161 |
+## </summary> |
162 |
+## </param> |
163 |
+# |
164 |
+interface(`fs_mounton_tmpfs_files',` |
165 |
+ gen_require(` |
166 |
+ type tmpfs_t; |
167 |
+ ') |
168 |
+ |
169 |
+ allow $1 tmpfs_t:file mounton; |
170 |
+') |
171 |
+ |
172 |
+######################################## |
173 |
+## <summary> |
174 |
## Set the attributes of tmpfs directories. |
175 |
## </summary> |
176 |
## <param name="domain"> |
177 |
|
178 |
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te |
179 |
index 3194b0e0..11ada353 100644 |
180 |
--- a/policy/modules/kernel/filesystem.te |
181 |
+++ b/policy/modules/kernel/filesystem.te |
182 |
@@ -1,4 +1,4 @@ |
183 |
-policy_module(filesystem, 1.22.5) |
184 |
+policy_module(filesystem, 1.22.6) |
185 |
|
186 |
######################################## |
187 |
# |
188 |
|
189 |
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if |
190 |
index 6887b00d..cecf5d86 100644 |
191 |
--- a/policy/modules/kernel/kernel.if |
192 |
+++ b/policy/modules/kernel/kernel.if |
193 |
@@ -828,6 +828,42 @@ interface(`kernel_mount_kvmfs',` |
194 |
|
195 |
######################################## |
196 |
## <summary> |
197 |
+## mount the proc filesystem. |
198 |
+## </summary> |
199 |
+## <param name="domain"> |
200 |
+## <summary> |
201 |
+## Domain allowed access. |
202 |
+## </summary> |
203 |
+## </param> |
204 |
+# |
205 |
+interface(`kernel_mount_proc',` |
206 |
+ gen_require(` |
207 |
+ type proc_t; |
208 |
+ ') |
209 |
+ |
210 |
+ allow $1 proc_t:filesystem mount; |
211 |
+') |
212 |
+ |
213 |
+######################################## |
214 |
+## <summary> |
215 |
+## remount the proc filesystem. |
216 |
+## </summary> |
217 |
+## <param name="domain"> |
218 |
+## <summary> |
219 |
+## Domain allowed access. |
220 |
+## </summary> |
221 |
+## </param> |
222 |
+# |
223 |
+interface(`kernel_remount_proc',` |
224 |
+ gen_require(` |
225 |
+ type proc_t; |
226 |
+ ') |
227 |
+ |
228 |
+ allow $1 proc_t:filesystem remount; |
229 |
+') |
230 |
+ |
231 |
+######################################## |
232 |
+## <summary> |
233 |
## Unmount the proc filesystem. |
234 |
## </summary> |
235 |
## <param name="domain"> |
236 |
@@ -864,6 +900,25 @@ interface(`kernel_getattr_proc',` |
237 |
|
238 |
######################################## |
239 |
## <summary> |
240 |
+## Mount on proc directories. |
241 |
+## </summary> |
242 |
+## <param name="domain"> |
243 |
+## <summary> |
244 |
+## Domain allowed access. |
245 |
+## </summary> |
246 |
+## </param> |
247 |
+## <rolecap/> |
248 |
+# |
249 |
+interface(`kernel_mounton_proc',` |
250 |
+ gen_require(` |
251 |
+ type proc_t; |
252 |
+ ') |
253 |
+ |
254 |
+ allow $1 proc_t:dir mounton; |
255 |
+') |
256 |
+ |
257 |
+######################################## |
258 |
+## <summary> |
259 |
## Do not audit attempts to set the |
260 |
## attributes of directories in /proc. |
261 |
## </summary> |
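Review bot: `kernel_mounton_proc` carries a `<rolecap/>` tag, as do `kernel_mounton_message_if`, `kernel_mounton_sysctl_dirs`, `kernel_mounton_sysctl_files` and `kernel_mounton_kernel_sysctl_files` in the following hunks, while `kernel_mount_proc` and `kernel_remount_proc` in the first hunk of this file do not. If I read the tag correctly it advertises the interface as something a user role may be granted; mounting over /proc, /proc/kmsg and /proc/sys is a container-manager operation rather than a role capability, so either drop the tag from the five `mounton` interfaces or add it consistently with a comment stating which role is meant to receive it. The separator above `kernel_mounton_kernel_sysctl_files` in the last hunk is 39 `#` characters where the file uses 40.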
262 |
@@ -1306,6 +1361,26 @@ interface(`kernel_dontaudit_getattr_message_if',` |
263 |
|
264 |
######################################## |
265 |
## <summary> |
266 |
+## Mount on kernel message interfaces files. |
267 |
+## </summary> |
268 |
+## <param name="domain"> |
269 |
+## <summary> |
270 |
+## Domain allowed access. |
271 |
+## </summary> |
272 |
+## </param> |
273 |
+## <rolecap/> |
274 |
+# |
275 |
+interface(`kernel_mounton_message_if',` |
276 |
+ gen_require(` |
277 |
+ type proc_t, proc_kmsg_t; |
278 |
+ ') |
279 |
+ |
280 |
+ allow $1 proc_t:dir list_dir_perms; |
281 |
+ allow $1 proc_kmsg_t:file { getattr mounton }; |
282 |
+') |
283 |
+ |
284 |
+######################################## |
285 |
+## <summary> |
286 |
## Do not audit attempts to search the network |
287 |
## state directory. |
288 |
## </summary> |
289 |
@@ -1557,6 +1632,26 @@ interface(`kernel_dontaudit_search_sysctl',` |
290 |
|
291 |
######################################## |
292 |
## <summary> |
293 |
+## Mount on sysctl_t dirs. |
294 |
+## </summary> |
295 |
+## <param name="domain"> |
296 |
+## <summary> |
297 |
+## Domain allowed access. |
298 |
+## </summary> |
299 |
+## </param> |
300 |
+## <rolecap/> |
301 |
+# |
302 |
+interface(`kernel_mounton_sysctl_dirs',` |
303 |
+ gen_require(` |
304 |
+ type proc_t, sysctl_t; |
305 |
+ ') |
306 |
+ |
307 |
+ allow $1 proc_t:dir list_dir_perms; |
308 |
+ allow $1 sysctl_t:dir { getattr mounton }; |
309 |
+') |
310 |
+ |
311 |
+######################################## |
312 |
+## <summary> |
313 |
## Allow access to read sysctl directories. |
314 |
## </summary> |
315 |
## <param name="domain"> |
316 |
@@ -1577,6 +1672,26 @@ interface(`kernel_read_sysctl',` |
317 |
|
318 |
######################################## |
319 |
## <summary> |
320 |
+## Mount on sysctl files. |
321 |
+## </summary> |
322 |
+## <param name="domain"> |
323 |
+## <summary> |
324 |
+## Domain allowed access. |
325 |
+## </summary> |
326 |
+## </param> |
327 |
+## <rolecap/> |
328 |
+# |
329 |
+interface(`kernel_mounton_sysctl_files',` |
330 |
+ gen_require(` |
331 |
+ type proc_t, sysctl_t; |
332 |
+ ') |
333 |
+ |
334 |
+ allow $1 { proc_t sysctl_t }:dir list_dir_perms; |
335 |
+ allow $1 sysctl_t:file { getattr mounton }; |
336 |
+') |
337 |
+ |
338 |
+######################################## |
339 |
+## <summary> |
340 |
## Allow caller to read the device sysctls. |
341 |
## </summary> |
342 |
## <param name="domain"> |
343 |
@@ -2021,6 +2136,26 @@ interface(`kernel_rw_kernel_sysctl',` |
344 |
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) |
345 |
') |
346 |
|
347 |
+####################################### |
348 |
+## <summary> |
349 |
+## Mount on kernel sysctl files. |
350 |
+## </summary> |
351 |
+## <param name="domain"> |
352 |
+## <summary> |
353 |
+## Domain allowed access. |
354 |
+## </summary> |
355 |
+## </param> |
356 |
+## <rolecap/> |
357 |
+# |
358 |
+interface(`kernel_mounton_kernel_sysctl_files',` |
359 |
+ gen_require(` |
360 |
+ type proc_t, sysctl_t, sysctl_kernel_t; |
361 |
+ ') |
362 |
+ |
363 |
+ allow $1 { proc_t sysctl_t sysctl_kernel_t }:dir list_dir_perms; |
364 |
+ allow $1 sysctl_kernel_t:file { getattr mounton }; |
365 |
+') |
366 |
+ |
367 |
######################################## |
368 |
## <summary> |
369 |
## Search filesystem sysctl directories. |
370 |
|
371 |
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te |
372 |
index 034d6a0b..639b8454 100644 |
373 |
--- a/policy/modules/kernel/kernel.te |
374 |
+++ b/policy/modules/kernel/kernel.te |
375 |
@@ -1,4 +1,4 @@ |
376 |
-policy_module(kernel, 1.22.0) |
377 |
+policy_module(kernel, 1.22.1) |
378 |
|
379 |
######################################## |
380 |
# |
381 |
|
382 |
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if |
383 |
index 05be0475..d72775c0 100644 |
384 |
--- a/policy/modules/kernel/terminal.if |
385 |
+++ b/policy/modules/kernel/terminal.if |
386 |
@@ -133,6 +133,24 @@ interface(`term_user_tty',` |
387 |
|
388 |
######################################## |
389 |
## <summary> |
390 |
+## mount a devpts_t filesystem |
391 |
+## </summary> |
392 |
+## <param name="domain"> |
393 |
+## <summary> |
394 |
+## The type of the process to mount it |
395 |
+## </summary> |
396 |
+## </param> |
397 |
+# |
398 |
+interface(`term_mount_devpts',` |
399 |
+ gen_require(` |
400 |
+ type devpts_t; |
401 |
+ ') |
402 |
+ |
403 |
+ allow $1 devpts_t:filesystem mount; |
404 |
+') |
405 |
+ |
406 |
+######################################## |
407 |
+## <summary> |
408 |
## Create a pty in the /dev/pts directory. |
409 |
## </summary> |
410 |
## <param name="domain"> |
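Review bot: The `domain` parameter of `term_mount_devpts` is documented as `## The type of the process to mount it`, whereas every other interface in this commit (and the file) uses the standard `## Domain allowed access.` wording that the documentation tooling expects; the summary `## mount a devpts_t filesystem` should likewise be `## Mount a devpts filesystem.` to match the `fs_mount_*`/`kernel_mount_*` style.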
411 |
|
412 |
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te |
413 |
index b77752b5..a1fca0da 100644 |
414 |
--- a/policy/modules/kernel/terminal.te |
415 |
+++ b/policy/modules/kernel/terminal.te |
416 |
@@ -1,4 +1,4 @@ |
417 |
-policy_module(terminal, 1.16.1) |
418 |
+policy_module(terminal, 1.16.2) |
419 |
|
420 |
######################################## |
421 |
# |
422 |
|
423 |
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if |
424 |
index 9b07a6e7..e42a7db5 100644 |
425 |
--- a/policy/modules/system/init.if |
426 |
+++ b/policy/modules/system/init.if |
427 |
@@ -828,6 +828,7 @@ interface(`init_dgram_send',` |
428 |
|
429 |
dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t) |
430 |
files_search_pids($1) |
431 |
+ allow $1 init_t:unix_stream_socket getattr; |
432 |
') |
433 |
|
434 |
######################################## |
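Review bot: The added `allow $1 init_t:unix_stream_socket getattr;` widens `init_dgram_send` for every existing caller, and getattr on init's stream socket is unrelated to what the interface name and summary promise (sending datagrams to init). If only systemd_nspawn_t needs it, a dedicated interface is cleaner; if every dgram sender needs it, the line deserves a comment naming the reason, e.g. `# <reason the dgram sender also stats init_t stream sockets — TODO confirm>`, so the widening is traceable. `init_t` is already in scope here since the `dgram_send_pattern` line uses it; the interface's `gen_require` begins above this hunk.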
435 |
@@ -1111,21 +1112,6 @@ interface(`init_relabel_var_lib_dirs',` |
436 |
## Domain allowed access. |
437 |
## </summary> |
438 |
## </param> |
439 |
-## <param name="file_type"> |
440 |
-## <summary> |
441 |
-## The type of the object to be created |
442 |
-## </summary> |
443 |
-## </param> |
444 |
-## <param name="object_class"> |
445 |
-## <summary> |
446 |
-## The object class. |
447 |
-## </summary> |
448 |
-## </param> |
449 |
-## <param name="name" optional="true"> |
450 |
-## <summary> |
451 |
-## The name of the object being created. |
452 |
-## </summary> |
453 |
-## </param> |
454 |
# |
455 |
interface(`init_manage_var_lib_files',` |
456 |
gen_require(` |
457 |
@@ -1513,6 +1499,24 @@ interface(`init_script_file_domtrans',` |
458 |
|
459 |
######################################## |
460 |
## <summary> |
461 |
+## Send a kill signal to init scripts. |
462 |
+## </summary> |
463 |
+## <param name="domain"> |
464 |
+## <summary> |
465 |
+## Domain allowed access. |
466 |
+## </summary> |
467 |
+## </param> |
468 |
+# |
469 |
+interface(`init_kill_scripts',` |
470 |
+ gen_require(` |
471 |
+ type initrc_t; |
472 |
+ ') |
473 |
+ |
474 |
+ allow $1 initrc_t:process sigkill; |
475 |
+') |
476 |
+ |
477 |
+######################################## |
478 |
+## <summary> |
479 |
## Allow manage service for initrc_exec_t scripts |
480 |
## </summary> |
481 |
## <param name="domain"> |
482 |
@@ -1662,14 +1666,14 @@ interface(`init_startstop_service',` |
483 |
# |
484 |
interface(`init_run_daemon',` |
485 |
gen_require(` |
486 |
- attribute init_script_file_type; |
487 |
+ attribute init_script_file_type; |
488 |
role system_r; |
489 |
') |
490 |
|
491 |
allow $2 system_r; |
492 |
|
493 |
- init_all_labeled_script_domtrans($1) |
494 |
- role_transition $2 init_script_file_type system_r; |
495 |
+ init_all_labeled_script_domtrans($1) |
496 |
+ role_transition $2 init_script_file_type system_r; |
497 |
') |
498 |
|
499 |
######################################## |
500 |
@@ -2649,11 +2653,11 @@ interface(`init_delete_pid_files',` |
501 |
## </param> |
502 |
# |
503 |
interface(`init_write_pid_socket',` |
504 |
- gen_require(` |
505 |
- type init_var_run_t; |
506 |
- ') |
507 |
+ gen_require(` |
508 |
+ type init_var_run_t; |
509 |
+ ') |
510 |
|
511 |
- allow $1 init_var_run_t:sock_file write; |
512 |
+ allow $1 init_var_run_t:sock_file write; |
513 |
') |
514 |
|
515 |
######################################## |
516 |
|
517 |
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
518 |
index dfde3f39..a0a1723c 100644 |
519 |
--- a/policy/modules/system/init.te |
520 |
+++ b/policy/modules/system/init.te |
521 |
@@ -1,4 +1,4 @@ |
522 |
-policy_module(init, 2.2.13) |
523 |
+policy_module(init, 2.2.14) |
524 |
|
525 |
gen_require(` |
526 |
class passwd rootok; |
527 |
|
528 |
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
529 |
index e1f4c3a7..672d289d 100644 |
530 |
--- a/policy/modules/system/systemd.te |
531 |
+++ b/policy/modules/system/systemd.te |
532 |
@@ -1,4 +1,4 @@ |
533 |
-policy_module(systemd, 1.3.14) |
534 |
+policy_module(systemd, 1.3.15) |
535 |
|
536 |
######################################### |
537 |
# |
538 |
@@ -472,6 +472,9 @@ init_service_start(systemd_machined_t) |
539 |
init_service_status(systemd_machined_t) |
540 |
init_start_system(systemd_machined_t) |
541 |
init_stop_system(systemd_machined_t) |
542 |
+init_get_generic_units_status(systemd_machined_t) |
543 |
+init_start_generic_units(systemd_machined_t) |
544 |
+init_stop_generic_units(systemd_machined_t) |
545 |
|
546 |
logging_send_syslog_msg(systemd_machined_t) |
547 |
|
548 |
@@ -513,8 +516,122 @@ miscfiles_read_localization(systemd_notify_t) |
549 |
# Nspawn local policy |
550 |
# |
551 |
|
552 |
+allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill }; |
553 |
+allow systemd_nspawn_t self:capability { dac_override fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot }; |
554 |
+allow systemd_nspawn_t self:capability2 wake_alarm; |
555 |
+allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms; |
556 |
+ |
557 |
+allow systemd_nspawn_t systemd_journal_t:dir search; |
558 |
+ |
559 |
+allow systemd_nspawn_t systemd_machined_t:dbus send_msg; |
560 |
+ |
561 |
+allow systemd_nspawn_t systemd_nspawn_var_run_t:dir manage_dir_perms; |
562 |
+allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms; |
563 |
init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir) |
564 |
|
565 |
+# for /run/systemd/nspawn/incoming in chroot |
566 |
+allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton; |
567 |
+ |
568 |
+kernel_mount_proc(systemd_nspawn_t) |
569 |
+kernel_mounton_sysctl_dirs(systemd_nspawn_t) |
570 |
+kernel_mounton_kernel_sysctl_files(systemd_nspawn_t) |
571 |
+kernel_mounton_message_if(systemd_nspawn_t) |
572 |
+kernel_mounton_proc(systemd_nspawn_t) |
573 |
+kernel_mounton_sysctl_dirs(systemd_nspawn_t) |
574 |
+kernel_read_kernel_sysctls(systemd_nspawn_t) |
575 |
+kernel_read_system_state(systemd_nspawn_t) |
576 |
+kernel_remount_proc(systemd_nspawn_t) |
577 |
+kernel_unconfined(systemd_nspawn_t) |
578 |
+ |
579 |
+corecmd_exec_shell(systemd_nspawn_t) |
580 |
+corecmd_search_bin(systemd_nspawn_t) |
581 |
+ |
582 |
+corenet_rw_tun_tap_dev(systemd_nspawn_t) |
583 |
+ |
584 |
+dev_getattr_fs(systemd_nspawn_t) |
585 |
+dev_manage_sysfs_dirs(systemd_nspawn_t) |
586 |
+dev_mounton_sysfs_dirs(systemd_nspawn_t) |
587 |
+dev_mount_sysfs(systemd_nspawn_t) |
588 |
+dev_read_rand(systemd_nspawn_t) |
589 |
+dev_read_urand(systemd_nspawn_t) |
590 |
+ |
591 |
+files_getattr_tmp_dirs(systemd_nspawn_t) |
592 |
+files_manage_etc_files(systemd_nspawn_t) |
593 |
+files_manage_mnt_dirs(systemd_nspawn_t) |
594 |
+files_mounton_mnt(systemd_nspawn_t) |
595 |
+files_mounton_root(systemd_nspawn_t) |
596 |
+files_mounton_tmp(systemd_nspawn_t) |
597 |
+files_setattr_pid_dirs(systemd_nspawn_t) |
598 |
+ |
599 |
+fs_getattr_tmpfs(systemd_nspawn_t) |
600 |
+fs_manage_tmpfs_chr_files(systemd_nspawn_t) |
601 |
+fs_mount_tmpfs(systemd_nspawn_t) |
602 |
+fs_remount_tmpfs(systemd_nspawn_t) |
603 |
+fs_search_cgroup_dirs(systemd_nspawn_t) |
604 |
+ |
605 |
+term_getattr_generic_ptys(systemd_nspawn_t) |
606 |
+term_getattr_pty_fs(systemd_nspawn_t) |
607 |
+term_mount_devpts(systemd_nspawn_t) |
608 |
+term_search_ptys(systemd_nspawn_t) |
609 |
+term_setattr_generic_ptys(systemd_nspawn_t) |
610 |
+term_use_ptmx(systemd_nspawn_t) |
611 |
+ |
612 |
+init_domtrans_script(systemd_nspawn_t) |
613 |
+init_kill_scripts(systemd_nspawn_t) |
614 |
+init_read_state(systemd_nspawn_t) |
615 |
+init_search_run(systemd_nspawn_t) |
616 |
+init_write_pid_socket(systemd_nspawn_t) |
617 |
+init_spec_domtrans_script(systemd_nspawn_t) |
618 |
+ |
619 |
+miscfiles_manage_localization(systemd_nspawn_t) |
620 |
+ |
621 |
+# for writing inside chroot |
622 |
+sysnet_manage_config(systemd_nspawn_t) |
623 |
+ |
624 |
+userdom_manage_user_home_dirs(systemd_nspawn_t) |
625 |
+ |
626 |
+tunable_policy(`systemd_nspawn_labeled_namespace',` |
627 |
+ corecmd_exec_shell(systemd_nspawn_t) |
628 |
+ |
629 |
+ dev_mounton(systemd_nspawn_t) |
630 |
+ dev_setattr_generic_dirs(systemd_nspawn_t) |
631 |
+ |
632 |
+ files_search_home(systemd_nspawn_t) |
633 |
+ files_mounton_pid_dirs(systemd_nspawn_t) |
634 |
+ |
635 |
+ fs_getattr_cgroup(systemd_nspawn_t) |
636 |
+ fs_manage_cgroup_dirs(systemd_nspawn_t) |
637 |
+ fs_manage_tmpfs_dirs(systemd_nspawn_t) |
638 |
+ fs_manage_tmpfs_files(systemd_nspawn_t) |
639 |
+ fs_manage_tmpfs_symlinks(systemd_nspawn_t) |
640 |
+ fs_mount_cgroup(systemd_nspawn_t) |
641 |
+ fs_mounton_cgroup(systemd_nspawn_t) |
642 |
+ fs_mounton_tmpfs(systemd_nspawn_t) |
643 |
+ fs_mounton_tmpfs_files(systemd_nspawn_t) |
644 |
+ fs_remount_cgroup(systemd_nspawn_t) |
645 |
+ fs_search_tmpfs(systemd_nspawn_t) |
646 |
+ fs_write_cgroup_files(systemd_nspawn_t) |
647 |
+ |
648 |
+ selinux_getattr_fs(systemd_nspawn_t) |
649 |
+ selinux_search_fs(systemd_nspawn_t) |
650 |
+ |
651 |
+ init_domtrans(systemd_nspawn_t) |
652 |
+ |
653 |
+ logging_search_logs(systemd_nspawn_t) |
654 |
+ |
655 |
+ seutil_search_default_contexts(systemd_nspawn_t) |
656 |
+') |
657 |
+ |
658 |
+optional_policy(` |
659 |
+ allow systemd_machined_t systemd_nspawn_t:dbus send_msg; |
660 |
+ |
661 |
+ dbus_system_bus_client(systemd_nspawn_t) |
662 |
+') |
663 |
+ |
664 |
+optional_policy(` |
665 |
+ virt_manage_virt_content(systemd_nspawn_t) |
666 |
+') |
667 |
+ |
668 |
####################################### |
669 |
# |
670 |
# systemd_passwd_agent_t local policy |
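Review bot: `kernel_unconfined(systemd_nspawn_t)` is granted unconditionally in the new nspawn block, next to `sys_admin`, `dac_override`, `net_admin`, `mknod` and `setfscreate`; if it has its usual refpolicy meaning it makes the domain unrestricted towards kernel, proc and sysctl objects and subsumes the fine-grained `kernel_mount_proc`/`kernel_mounton_*`/`kernel_read_*` calls added directly above it, so either those calls suffice and the unconfined grant should go, or it belongs under the `systemd_nspawn_labeled_namespace` tunable (assumed to be declared earlier in this file) with a comment stating which access it still covers. `kernel_mounton_sysctl_dirs(systemd_nspawn_t)` appears twice in the block, and `corecmd_exec_shell(systemd_nspawn_t)` is called both unconditionally and inside the tunable, so one copy of each should be removed. `files_manage_etc_files`, `sysnet_manage_config`, `miscfiles_manage_localization` and `userdom_manage_user_home_dirs` are justified by `# for writing inside chroot`, but the container rootfs carries the same host types, so these rules equally cover the host's own /etc and home directories; making that explicit, `# container rootfs uses host types, so this also reaches the host copies`, would record the tradeoff the commit message alludes to.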