commit: c17970cb2afae09ea21a3630bbd02f7f0d402844 |
Author: David Sugar <dsugar <AT> tresys <DOT> com> |
AuthorDate: Wed Oct 11 14:59:08 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Oct 29 12:59:50 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c17970cb |
|
policy for systemd-networkd |
|
Policy needed for systemd-networkd to function. This is based on a patch from krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to him via email a while ago about me picking up the patch). He was too busy to update and I needed to get it working. |
|
I am pretty sure I updated everything mentioned in previous feedback, please comment if something is still off and I will revise. |
|
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> |
|
policy/modules/system/init.te | 1 + |
policy/modules/system/sysnetwork.fc | 2 + |
policy/modules/system/systemd.fc | 3 + |
policy/modules/system/systemd.if | 115 ++++++++++++++++++++++++++++++++++++ |
policy/modules/system/systemd.te | 70 ++++++++++++++++++++++ |
5 files changed, 191 insertions(+) |
|
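--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -329,6 +329,7 @@ ifdef(`init_systemd',`
 files_create_all_pid_sockets(init_t)
 files_create_all_spool_sockets(init_t)
 files_create_lock_dirs(init_t)
+ systemd_rw_networkd_netlink_route_sockets(init_t)
 files_delete_all_pids(init_t)
 files_delete_all_spool_sockets(init_t)
 files_exec_generic_pid_files(init_t)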
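Review bot: The new `systemd_rw_networkd_netlink_route_sockets(init_t)` call sits between `files_create_lock_dirs(init_t)` and `files_delete_all_pids(init_t)`, which breaks the per-module, alphabetical grouping refpolicy uses for interface calls; it belongs with the other `systemd_*` calls in this `ifdef(`init_systemd'` block (outside the hunk) rather than in the middle of the `files_*` run. Since the interface grants `client_stream_socket_perms` on networkd's netlink route socket, which is wider than the read/write its name suggests, a one-line comment above the call stating why PID 1 needs to operate on a socket owned by systemd_networkd_t (confirm from the denial that motivated it) would save the next reviewer the question. The enclosing `ifdef` block starts and ends outside the hunk.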
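--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -24,6 +24,8 @@ ifdef(`distro_debian',`
 /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
 
+/etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+
 ifdef(`distro_redhat',`
 /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
 /etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)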
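--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -21,6 +21,7 @@
 /usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
 /usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
 /usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 /usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
 /usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
 
@@ -34,6 +35,7 @@
 /usr/lib/systemd/system/[^/]*suspend.* -- gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
 /usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
+/usr/lib/systemd/system/systemd-networkd.* gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
 
 /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
@@ -50,6 +52,7 @@
 /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
 /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
+/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
 
 ifdef(`init_systemd',`
 /run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)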
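Review bot: The unit-file entry in the second hunk, `/usr/lib/systemd/system/systemd-networkd.* gen_context(...)`, has no `--` file-type qualifier, unlike the neighbouring `systemd-backlight.* --` and `systemd-binfmt.* --` lines, so it also labels directories and symlinks matching that prefix as `systemd_networkd_unit_t`. Unless drop-in directories are deliberately meant to get the unit type, make it consistent with its siblings: `/usr/lib/systemd/system/systemd-networkd.* -- gen_context(system_u:object_r:systemd_networkd_unit_t,s0)`. If the wider match is intended, a short comment on the line saying so would stop the next reviewer from "fixing" it.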
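--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -390,6 +390,121 @@ interface(`systemd_relabelto_journal_files',`
 
 ########################################
 ## <summary>
+## Allow domain to read systemd_networkd_t unit files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_read_networkd_units',`
+ gen_require(`
+ type systemd_networkd_t;
+ ')
+
+ init_search_units($1)
+ list_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
+ read_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
+')
+
+########################################
+## <summary>
+## Allow domain to create/manage systemd_networkd_t unit files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_networkd_units',`
+ gen_require(`
+ type systemd_networkd_unit_t;
+ ')
+
+ init_search_units($1)
+ manage_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
+ manage_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
+')
+
+########################################
+## <summary>
+## Allow specified domain to start systemd-networkd units
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_startstop_networkd',`
+ gen_require(`
+ type systemd_networkd_unit_t;
+ class service { start stop };
+ ')
+
+ allow $1 systemd_networkd_unit_t:service { start stop };
+')
+
+########################################
+## <summary>
+## Allow specified domain to get status of systemd-networkd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_status_networkd',`
+ gen_require(`
+ type systemd_networkd_unit_t;
+ class service status;
+ ')
+
+ allow $1 systemd_networkd_unit_t:service status;
+')
+
+#######################################
+## <summary>
+## Relabel systemd_networkd tun socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_relabelfrom_networkd_tun_sockets',`
+ gen_require(`
+ type systemd_networkd_t;
+ ')
+
+ allow $1 systemd_networkd_t:tun_socket relabelfrom;
+')
+
+#######################################
+## <summary>
+## Read/Write from systemd_networkd netlink route socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_rw_networkd_netlink_route_sockets',`
+ gen_require(`
+ type systemd_networkd_t;
+ ')
+
+ allow $1 systemd_networkd_t:netlink_route_socket client_stream_socket_perms;
+')
+
+
+########################################
+## <summary>
 ## Allow systemd_logind_t to read process state for cgroup file
 ## </summary>
 ## <param name="domain">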
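Review bot: `systemd_read_networkd_units` requires `type systemd_networkd_t;` but its body references only `systemd_networkd_unit_t`, which is never pulled in by the `gen_require`; the require should read `type systemd_networkd_unit_t;` as it does in `systemd_manage_networkd_units` directly below, otherwise a caller in a separately built module fails on the undeclared type while the require on the process type is dead. `systemd_rw_networkd_netlink_route_sockets` grants `client_stream_socket_perms`, which in refpolicy's permission sets also covers create, bind and option setting, so the `rw_` name understates what callers receive; either narrow the rule to the permissions the init_t caller actually needs or name the interface for what it grants. The summary of `systemd_startstop_networkd` says only "start" while the rule grants `{ start stop }`; `## Allow specified domain to start and stop systemd-networkd units` would be accurate.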
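--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -109,6 +109,16 @@ type systemd_machined_var_run_t;
 files_pid_file(systemd_machined_var_run_t)
 init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
 
+type systemd_networkd_t;
+type systemd_networkd_exec_t;
+init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
+
+type systemd_networkd_unit_t;
+init_unit_file(systemd_networkd_unit_t)
+
+type systemd_networkd_var_run_t;
+files_pid_file(systemd_networkd_var_run_t)
+
 type systemd_notify_t;
 type systemd_notify_exec_t;
 init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
@@ -516,6 +526,66 @@ optional_policy(`
 
 ########################################
 #
+# networkd local policy
+#
+
+allow systemd_networkd_t self:capability { chown dac_override fowner net_admin net_raw setgid setpcap setuid };
+allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
+allow systemd_networkd_t self:packet_socket create_socket_perms;
+allow systemd_networkd_t self:process { getcap setcap setfscreate };
+allow systemd_networkd_t self:rawip_socket create_socket_perms;
+allow systemd_networkd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+allow systemd_networkd_t self:udp_socket create_socket_perms;
+allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+
+kernel_dgram_send(systemd_networkd_t)
+kernel_read_system_state(systemd_networkd_t)
+kernel_read_kernel_sysctls(systemd_networkd_t)
+kernel_read_network_state(systemd_networkd_t)
+kernel_request_load_module(systemd_networkd_t)
+kernel_rw_net_sysctls(systemd_networkd_t)
+
+corecmd_bin_entry_type(systemd_networkd_t)
+corecmd_exec_bin(systemd_networkd_t)
+
+corenet_rw_tun_tap_dev(systemd_networkd_t)
+
+dev_read_urand(systemd_networkd_t)
+dev_read_sysfs(systemd_networkd_t)
+dev_write_kmsg(systemd_networkd_t)
+
+files_read_etc_files(systemd_networkd_t)
+
+auth_use_nsswitch(systemd_networkd_t)
+
+init_dgram_send(systemd_networkd_t)
+init_read_state(systemd_networkd_t)
+
+logging_send_syslog_msg(systemd_networkd_t)
+
+miscfiles_read_localization(systemd_networkd_t)
+
+sysnet_read_config(systemd_networkd_t)
+
+systemd_log_parse_environment(systemd_networkd_t)
+
+optional_policy(`
+ dbus_system_bus_client(systemd_networkd_t)
+ dbus_connect_system_bus(systemd_networkd_t)
+')
+
+optional_policy(`
+ udev_read_db(systemd_networkd_t)
+ udev_read_pid_files(systemd_networkd_t)
+')
+
+########################################
+#
 # systemd_notify local policy
 #
 allow systemd_notify_t self:capability chown;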
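Review bot: In the first hunk `systemd_networkd_var_run_t` gets only `files_pid_file`, whereas the sibling `systemd_machined_var_run_t` two lines above it also has `init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")`; if `/run/systemd/netif` is created for networkd by PID 1 the way the machined directory is, the matching `init_daemon_pid_file(systemd_networkd_var_run_t, dir, "netif")` is needed, because the systemd.fc entry only applies on relabel and the `manage_dirs_pattern` rules in the second hunk give networkd no type transition out of the parent directory's label. In the second hunk the self capability set includes `dac_override`, which lets the daemon bypass DAC on every object its type-enforcement rules already reach; refpolicy reviewers normally ask that this be tied to a specific denial or turned into a `dontaudit`, so a comment citing the operation that needs it (or the dontaudit) should accompany it. `corecmd_exec_bin(systemd_networkd_t)` paired with `corecmd_bin_entry_type` likewise deserves a comment naming what networkd executes, since nothing in this hunk shows a domain transition for a child.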