| 1 |
commit: c17970cb2afae09ea21a3630bbd02f7f0d402844 |
| 2 |
Author: David Sugar <dsugar <AT> tresys <DOT> com> |
| 3 |
AuthorDate: Wed Oct 11 14:59:08 2017 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Oct 29 12:59:50 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c17970cb |
| 7 |
|
| 8 |
policy for systemd-networkd |
| 9 |
|
| 10 |
Policy needed for systemd-networkd to function. This is based on a patch from krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to him via email a while ago about me picking up the patch). He was too busy to update and I needed to get it working. |
| 11 |
|
| 12 |
I am pretty sure I updated everything mentioned in previous feedback, please comment if something is still off and I will revise. |
| 13 |
|
| 14 |
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> |
| 15 |
|
| 16 |
policy/modules/system/init.te | 1 + |
| 17 |
policy/modules/system/sysnetwork.fc | 2 + |
| 18 |
policy/modules/system/systemd.fc | 3 + |
| 19 |
policy/modules/system/systemd.if | 115 ++++++++++++++++++++++++++++++++++++ |
| 20 |
policy/modules/system/systemd.te | 70 ++++++++++++++++++++++ |
| 21 |
5 files changed, 191 insertions(+) |
| 22 |
|
| 23 |
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
| 24 |
index 350554d3..02a9e3b8 100644 |
| 25 |
--- a/policy/modules/system/init.te |
| 26 |
+++ b/policy/modules/system/init.te |
| 27 |
@@ -329,6 +329,7 @@ ifdef(`init_systemd',` |
| 28 |
files_create_all_pid_sockets(init_t) |
| 29 |
files_create_all_spool_sockets(init_t) |
| 30 |
files_create_lock_dirs(init_t) |
| 31 |
+ systemd_rw_networkd_netlink_route_sockets(init_t) |
| 32 |
files_delete_all_pids(init_t) |
| 33 |
files_delete_all_spool_sockets(init_t) |
| 34 |
files_exec_generic_pid_files(init_t) |
| 35 |
|
| 36 |
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc |
| 37 |
index c71281bd..3b532567 100644 |
| 38 |
--- a/policy/modules/system/sysnetwork.fc |
| 39 |
+++ b/policy/modules/system/sysnetwork.fc |
| 40 |
@@ -24,6 +24,8 @@ ifdef(`distro_debian',` |
| 41 |
/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) |
| 42 |
/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) |
| 43 |
|
| 44 |
+/etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) |
| 45 |
+ |
| 46 |
ifdef(`distro_redhat',` |
| 47 |
/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) |
| 48 |
/etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0) |
| 49 |
|
| 50 |
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc |
| 51 |
index c697a1c9..392b00b9 100644 |
| 52 |
--- a/policy/modules/system/systemd.fc |
| 53 |
+++ b/policy/modules/system/systemd.fc |
| 54 |
@@ -21,6 +21,7 @@ |
| 55 |
/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0) |
| 56 |
/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0) |
| 57 |
/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0) |
| 58 |
+/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0) |
| 59 |
/usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0) |
| 60 |
/usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0) |
| 61 |
|
| 62 |
@@ -34,6 +35,7 @@ |
| 63 |
/usr/lib/systemd/system/[^/]*suspend.* -- gen_context(system_u:object_r:power_unit_t,s0) |
| 64 |
/usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0) |
| 65 |
/usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0) |
| 66 |
+/usr/lib/systemd/system/systemd-networkd.* gen_context(system_u:object_r:systemd_networkd_unit_t,s0) |
| 67 |
|
| 68 |
/var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0) |
| 69 |
/var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0) |
| 70 |
@@ -50,6 +52,7 @@ |
| 71 |
/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) |
| 72 |
/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0) |
| 73 |
/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0) |
| 74 |
+/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0) |
| 75 |
|
| 76 |
ifdef(`init_systemd',` |
| 77 |
/run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0) |
| 78 |
|
| 79 |
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if |
| 80 |
index 69669a1a..8f914837 100644 |
| 81 |
--- a/policy/modules/system/systemd.if |
| 82 |
+++ b/policy/modules/system/systemd.if |
| 83 |
@@ -390,6 +390,121 @@ interface(`systemd_relabelto_journal_files',` |
| 84 |
|
| 85 |
######################################## |
| 86 |
## <summary> |
| 87 |
+## Allow domain to read systemd_networkd_t unit files |
| 88 |
+## </summary> |
| 89 |
+## <param name="domain"> |
| 90 |
+## <summary> |
| 91 |
+## Domain allowed access. |
| 92 |
+## </summary> |
| 93 |
+## </param> |
| 94 |
+# |
| 95 |
+interface(`systemd_read_networkd_units',` |
| 96 |
+ gen_require(` |
| 97 |
+ type systemd_networkd_t; |
| 98 |
+ ') |
| 99 |
+ |
| 100 |
+ init_search_units($1) |
| 101 |
+ list_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t) |
| 102 |
+ read_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t) |
| 103 |
+') |
| 104 |
+ |
| 105 |
+######################################## |
| 106 |
+## <summary> |
| 107 |
+## Allow domain to create/manage systemd_networkd_t unit files |
| 108 |
+## </summary> |
| 109 |
+## <param name="domain"> |
| 110 |
+## <summary> |
| 111 |
+## Domain allowed access. |
| 112 |
+## </summary> |
| 113 |
+## </param> |
| 114 |
+# |
| 115 |
+interface(`systemd_manage_networkd_units',` |
| 116 |
+ gen_require(` |
| 117 |
+ type systemd_networkd_unit_t; |
| 118 |
+ ') |
| 119 |
+ |
| 120 |
+ init_search_units($1) |
| 121 |
+ manage_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t) |
| 122 |
+ manage_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t) |
| 123 |
+') |
| 124 |
+ |
| 125 |
+######################################## |
| 126 |
+## <summary> |
| 127 |
+## Allow specified domain to start systemd-networkd units |
| 128 |
+## </summary> |
| 129 |
+## <param name="domain"> |
| 130 |
+## <summary> |
| 131 |
+## Domain allowed access. |
| 132 |
+## </summary> |
| 133 |
+## </param> |
| 134 |
+# |
| 135 |
+interface(`systemd_startstop_networkd',` |
| 136 |
+ gen_require(` |
| 137 |
+ type systemd_networkd_unit_t; |
| 138 |
+ class service { start stop }; |
| 139 |
+ ') |
| 140 |
+ |
| 141 |
+ allow $1 systemd_networkd_unit_t:service { start stop }; |
| 142 |
+') |
| 143 |
+ |
| 144 |
+######################################## |
| 145 |
+## <summary> |
| 146 |
+## Allow specified domain to get status of systemd-networkd |
| 147 |
+## </summary> |
| 148 |
+## <param name="domain"> |
| 149 |
+## <summary> |
| 150 |
+## Domain allowed access. |
| 151 |
+## </summary> |
| 152 |
+## </param> |
| 153 |
+# |
| 154 |
+interface(`systemd_status_networkd',` |
| 155 |
+ gen_require(` |
| 156 |
+ type systemd_networkd_unit_t; |
| 157 |
+ class service status; |
| 158 |
+ ') |
| 159 |
+ |
| 160 |
+ allow $1 systemd_networkd_unit_t:service status; |
| 161 |
+') |
| 162 |
+ |
| 163 |
+####################################### |
| 164 |
+## <summary> |
| 165 |
+## Relabel systemd_networkd tun socket. |
| 166 |
+## </summary> |
| 167 |
+## <param name="domain"> |
| 168 |
+## <summary> |
| 169 |
+## Domain allowed access. |
| 170 |
+## </summary> |
| 171 |
+## </param> |
| 172 |
+# |
| 173 |
+interface(`systemd_relabelfrom_networkd_tun_sockets',` |
| 174 |
+ gen_require(` |
| 175 |
+ type systemd_networkd_t; |
| 176 |
+ ') |
| 177 |
+ |
| 178 |
+ allow $1 systemd_networkd_t:tun_socket relabelfrom; |
| 179 |
+') |
| 180 |
+ |
| 181 |
+####################################### |
| 182 |
+## <summary> |
| 183 |
+## Read/Write from systemd_networkd netlink route socket. |
| 184 |
+## </summary> |
| 185 |
+## <param name="domain"> |
| 186 |
+## <summary> |
| 187 |
+## Domain allowed access. |
| 188 |
+## </summary> |
| 189 |
+## </param> |
| 190 |
+# |
| 191 |
+interface(`systemd_rw_networkd_netlink_route_sockets',` |
| 192 |
+ gen_require(` |
| 193 |
+ type systemd_networkd_t; |
| 194 |
+ ') |
| 195 |
+ |
| 196 |
+ allow $1 systemd_networkd_t:netlink_route_socket client_stream_socket_perms; |
| 197 |
+') |
| 198 |
+ |
| 199 |
+ |
| 200 |
+######################################## |
| 201 |
+## <summary> |
| 202 |
## Allow systemd_logind_t to read process state for cgroup file |
| 203 |
## </summary> |
| 204 |
## <param name="domain"> |
| 205 |
|
| 206 |
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
| 207 |
index 74cfe704..56aa9198 100644 |
| 208 |
--- a/policy/modules/system/systemd.te |
| 209 |
+++ b/policy/modules/system/systemd.te |
| 210 |
@@ -109,6 +109,16 @@ type systemd_machined_var_run_t; |
| 211 |
files_pid_file(systemd_machined_var_run_t) |
| 212 |
init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines") |
| 213 |
|
| 214 |
+type systemd_networkd_t; |
| 215 |
+type systemd_networkd_exec_t; |
| 216 |
+init_system_domain(systemd_networkd_t, systemd_networkd_exec_t) |
| 217 |
+ |
| 218 |
+type systemd_networkd_unit_t; |
| 219 |
+init_unit_file(systemd_networkd_unit_t) |
| 220 |
+ |
| 221 |
+type systemd_networkd_var_run_t; |
| 222 |
+files_pid_file(systemd_networkd_var_run_t) |
| 223 |
+ |
| 224 |
type systemd_notify_t; |
| 225 |
type systemd_notify_exec_t; |
| 226 |
init_daemon_domain(systemd_notify_t, systemd_notify_exec_t) |
| 227 |
@@ -516,6 +526,66 @@ optional_policy(` |
| 228 |
|
| 229 |
######################################## |
| 230 |
# |
| 231 |
+# networkd local policy |
| 232 |
+# |
| 233 |
+ |
| 234 |
+allow systemd_networkd_t self:capability { chown dac_override fowner net_admin net_raw setgid setpcap setuid }; |
| 235 |
+allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms; |
| 236 |
+allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; |
| 237 |
+allow systemd_networkd_t self:packet_socket create_socket_perms; |
| 238 |
+allow systemd_networkd_t self:process { getcap setcap setfscreate }; |
| 239 |
+allow systemd_networkd_t self:rawip_socket create_socket_perms; |
| 240 |
+allow systemd_networkd_t self:tun_socket { create_socket_perms relabelfrom relabelto }; |
| 241 |
+allow systemd_networkd_t self:udp_socket create_socket_perms; |
| 242 |
+allow systemd_networkd_t self:unix_dgram_socket create_socket_perms; |
| 243 |
+ |
| 244 |
+manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) |
| 245 |
+manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) |
| 246 |
+manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) |
| 247 |
+ |
| 248 |
+kernel_dgram_send(systemd_networkd_t) |
| 249 |
+kernel_read_system_state(systemd_networkd_t) |
| 250 |
+kernel_read_kernel_sysctls(systemd_networkd_t) |
| 251 |
+kernel_read_network_state(systemd_networkd_t) |
| 252 |
+kernel_request_load_module(systemd_networkd_t) |
| 253 |
+kernel_rw_net_sysctls(systemd_networkd_t) |
| 254 |
+ |
| 255 |
+corecmd_bin_entry_type(systemd_networkd_t) |
| 256 |
+corecmd_exec_bin(systemd_networkd_t) |
| 257 |
+ |
| 258 |
+corenet_rw_tun_tap_dev(systemd_networkd_t) |
| 259 |
+ |
| 260 |
+dev_read_urand(systemd_networkd_t) |
| 261 |
+dev_read_sysfs(systemd_networkd_t) |
| 262 |
+dev_write_kmsg(systemd_networkd_t) |
| 263 |
+ |
| 264 |
+files_read_etc_files(systemd_networkd_t) |
| 265 |
+ |
| 266 |
+auth_use_nsswitch(systemd_networkd_t) |
| 267 |
+ |
| 268 |
+init_dgram_send(systemd_networkd_t) |
| 269 |
+init_read_state(systemd_networkd_t) |
| 270 |
+ |
| 271 |
+logging_send_syslog_msg(systemd_networkd_t) |
| 272 |
+ |
| 273 |
+miscfiles_read_localization(systemd_networkd_t) |
| 274 |
+ |
| 275 |
+sysnet_read_config(systemd_networkd_t) |
| 276 |
+ |
| 277 |
+systemd_log_parse_environment(systemd_networkd_t) |
| 278 |
+ |
| 279 |
+optional_policy(` |
| 280 |
+ dbus_system_bus_client(systemd_networkd_t) |
| 281 |
+ dbus_connect_system_bus(systemd_networkd_t) |
| 282 |
+') |
| 283 |
+ |
| 284 |
+optional_policy(` |
| 285 |
+ udev_read_db(systemd_networkd_t) |
| 286 |
+ udev_read_pid_files(systemd_networkd_t) |
| 287 |
+') |
| 288 |
+ |
| 289 |
+######################################## |
| 290 |
+# |
| 291 |
# systemd_notify local policy |
| 292 |
# |
| 293 |
allow systemd_notify_t self:capability chown; |
Archives