Fixes for systemd v256

policy/modules/kernel/devices.fc

@@ -134,6 +134,7 @@ ifdef(`distro_suse', `
 ')
 /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vbox.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/vsock		-c	gen_context(system_u:object_r:vsock_device_t,s0)
 /dev/vfio/.+		-c      gen_context(system_u:object_r:vfio_device_t,s0)
 /dev/vga_arbiter	-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/vhci			-c	gen_context(system_u:object_r:vhost_device_t,s0)

policy/modules/kernel/devices.if

@@ -5556,6 +5556,60 @@ interface(`dev_rwx_vmware',`
 	allow $1 vmware_device_t:chr_file { execute map };
 ')
 
+########################################
+## <summary>
+##	Read the vsock device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_vsock',`
+	gen_require(`
+		type device_t, vsock_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, vsock_device_t)
+')
+
+########################################
+## <summary>
+##	Write the vsock device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_write_vsock',`
+	gen_require(`
+		type device_t, vsock_device_t;
+	')
+
+	write_chr_files_pattern($1, device_t, vsock_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write the vsock device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_vsock',`
+	gen_require(`
+		type device_t, vsock_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, vsock_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Read from watchdog devices.

policy/modules/kernel/devices.te

@@ -402,6 +402,12 @@ dev_node(vhost_device_t)
 type vmware_device_t;
 dev_node(vmware_device_t)
 
+#
+# vsock_device_t is the type for /dev/vsock
+#
+type vsock_device_t;
+dev_node(vsock_device_t)
+
 type watchdog_device_t;
 dev_node(watchdog_device_t)
 

policy/modules/services/avahi.te

@@ -95,6 +95,10 @@ sysnet_etc_filetrans_config(avahi_t)
 userdom_dontaudit_use_unpriv_user_fds(avahi_t)
 userdom_dontaudit_search_user_home_dirs(avahi_t)
 
+ifdef(`init_systemd',`
+	systemd_stream_connect_nsresourced(avahi_t)
+')
+
 optional_policy(`
 	dbus_system_domain(avahi_t, avahi_exec_t)
 

policy/modules/services/bind.te

@@ -168,6 +168,10 @@ miscfiles_read_generic_tls_privkey(named_t)
 userdom_dontaudit_use_unpriv_user_fds(named_t)
 userdom_dontaudit_search_user_home_dirs(named_t)
 
+ifdef(`init_systemd',`
+	systemd_stream_connect_nsresourced(named_t)
+')
+
 tunable_policy(`named_tcp_bind_http_port',`
 	corenet_sendrecv_http_server_packets(named_t)
 	corenet_tcp_bind_http_port(named_t)

policy/modules/services/dbus.te

@@ -215,6 +215,8 @@ ifdef(`init_systemd', `
 	init_start_all_units(system_dbusd_t)
 	init_stop_all_units(system_dbusd_t)
 
+	systemd_stream_connect_nsresourced(system_dbusd_t)
+
 	# Recent versions of dbus are started as Type=notify
 	systemd_write_notify_socket(system_dbusd_t)
 

policy/modules/services/postfix.te

@@ -575,6 +575,10 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
 read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 
+ifdef(`init_systemd',`
+	systemd_stream_connect_nsresourced(postfix_pickup_t)
+')
+
 optional_policy(`
 	dbus_system_bus_client(postfix_pickup_t)
 	init_dbus_chat(postfix_pickup_t)
@@ -729,6 +733,10 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
 
 corecmd_exec_bin(postfix_qmgr_t)
 
+ifdef(`init_systemd',`
+	systemd_stream_connect_nsresourced(postfix_qmgr_t)
+')
+
 optional_policy(`
 	dbus_send_system_bus(postfix_qmgr_t)
 	dbus_system_bus_client(postfix_qmgr_t)

policy/modules/system/systemd.fc

@@ -39,6 +39,8 @@
 /usr/lib/systemd/systemd-modules-load	--	gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
 /usr/lib/systemd/systemd-networkd	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 /usr/lib/systemd/systemd-network-generator	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
+/usr/lib/systemd/systemd-nsresourced	--	gen_context(system_u:object_r:systemd_nsresourced_exec_t,s0)
+/usr/lib/systemd/systemd-nsresourcework	--	gen_context(system_u:object_r:systemd_nsresourced_exec_t,s0)
 /usr/lib/systemd/systemd-pcrextend		--	gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0)
 /usr/lib/systemd/systemd-pcrlock		--	gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0)
 /usr/lib/systemd/systemd-pcrphase		--	gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0)
@@ -87,6 +89,7 @@ HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_data
 /var/lib/systemd/coredump(/.*)?	gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
 /var/lib/systemd/home(/.*)?     gen_context(system_u:object_r:systemd_homed_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
+/var/lib/systemd/network(/.*)?	gen_context(system_u:object_r:systemd_networkd_var_lib_t,s0)
 /var/lib/systemd/pstore(/.*)?	gen_context(system_u:object_r:systemd_pstore_var_lib_t,s0)
 /var/lib/systemd/rfkill(/.*)?	gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
 
@@ -115,6 +118,8 @@ HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_data
 /run/systemd/nspawn(/.*)?	gen_context(system_u:object_r:systemd_nspawn_runtime_t,s0)
 /run/systemd/machines(/.*)?	gen_context(system_u:object_r:systemd_machined_runtime_t,s0)
 /run/systemd/netif(/.*)?	gen_context(system_u:object_r:systemd_networkd_runtime_t,s0)
+/run/systemd/nsresource(/.*)?	gen_context(system_u:object_r:systemd_nsresourced_runtime_t,s0)
+/run/systemd/io\.systemd\.NamespaceResource	-s	gen_context(system_u:object_r:systemd_nsresourced_runtime_t,s0)
 
 /run/tmpfiles\.d	-d	gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
 /run/tmpfiles\.d/.*		<<none>>

policy/modules/system/systemd.if

@@ -61,6 +61,8 @@ template(`systemd_role_template',`
 	# remainder of the rules.
 	allow $1_systemd_t self:process { getsched signal };
 	allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
+	allow $1_systemd_t self:netlink_route_socket r_netlink_socket_perms;
+	allow $1_systemd_t self:unix_dgram_socket { create_socket_perms sendto };
 	allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_systemd_t $3:process { rlimitinh setsched signal_perms };
 	corecmd_shell_domtrans($1_systemd_t, $3)
@@ -2232,6 +2234,27 @@ interface(`systemd_read_networkd_runtime',`
 	read_files_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
 ')
 
+#######################################
+## <summary>
+##  Connect to systemd-nsresourced over
+##  /run/systemd/io.systemd.NamespaceResource .
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`systemd_stream_connect_nsresourced', `
+	gen_require(`
+		type systemd_nsresourced_t;
+		type systemd_nsresourced_runtime_t;
+	')
+
+	init_search_runtime($1)
+	stream_connect_pattern($1, systemd_nsresourced_runtime_t, systemd_nsresourced_runtime_t, systemd_nsresourced_t)
+')
+
 ########################################
 ## <summary>
 ##     Allow systemd_logind_t to read process state for cgroup file

policy/modules/system/systemd.te

@@ -212,6 +212,9 @@ init_mountpoint(systemd_networkd_runtime_t)
 type systemd_networkd_unit_t;
 init_unit_file(systemd_networkd_unit_t)
 
+type systemd_networkd_var_lib_t;
+files_type(systemd_networkd_var_lib_t)
+
 type systemd_notify_t;
 type systemd_notify_exec_t;
 init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
@@ -226,6 +229,13 @@ files_runtime_file(systemd_nspawn_runtime_t)
 type systemd_nspawn_tmp_t;
 files_tmp_file(systemd_nspawn_tmp_t)
 
+type systemd_nsresourced_t;
+type systemd_nsresourced_exec_t;
+init_daemon_domain(systemd_nsresourced_t, systemd_nsresourced_exec_t)
+
+type systemd_nsresourced_runtime_t;
+files_runtime_file(systemd_nsresourced_runtime_t)
+
 type systemd_pcrphase_t;
 type systemd_pcrphase_exec_t;
 init_system_domain(systemd_pcrphase_t, systemd_pcrphase_exec_t)
@@ -528,6 +538,8 @@ seutil_search_default_contexts(systemd_coredump_t)
 allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
 allow systemd_generator_t self:capability { dac_override sys_admin sys_resource };
 allow systemd_generator_t self:process { getcap getsched setfscreate signal };
+# for systemd-ssh-generator
+allow systemd_generator_t self:vsock_socket create;
 
 corecmd_exec_shell(systemd_generator_t)
 corecmd_exec_bin(systemd_generator_t)
@@ -538,6 +550,8 @@ dev_write_sysfs_dirs(systemd_generator_t)
 dev_read_urand(systemd_generator_t)
 dev_create_sysfs_files(systemd_generator_t)
 dev_write_sysfs(systemd_generator_t)
+# for systemd-ssh-generator
+dev_read_vsock(systemd_generator_t)
 
 files_read_etc_files(systemd_generator_t)
 files_read_etc_runtime_files(systemd_generator_t)
@@ -625,6 +639,11 @@ optional_policy(`
 	rpc_read_exports(systemd_generator_t)
 ')
 
+optional_policy(`
+	# needed by systemd-ssh-generator
+	ssh_exec_sshd(systemd_generator_t)
+')
+
 optional_policy(`
 	# needed by zfs-mount-generator
 	zfs_read_config(systemd_generator_t)
@@ -763,6 +782,7 @@ kernel_read_kernel_sysctls(systemd_hostnamed_t)
 kernel_dontaudit_getattr_proc(systemd_hostnamed_t)
 
 dev_read_sysfs(systemd_hostnamed_t)
+dev_read_vsock(systemd_hostnamed_t)
 
 files_read_etc_files(systemd_hostnamed_t)
 files_read_etc_runtime_files(systemd_hostnamed_t)
@@ -1240,6 +1260,11 @@ allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
 manage_dirs_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
 manage_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
 manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
+manage_sock_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
+
+init_var_lib_filetrans(systemd_networkd_t, systemd_networkd_var_lib_t, dir)
+manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_lib_t, systemd_networkd_var_lib_t)
+manage_files_pattern(systemd_networkd_t, systemd_networkd_var_lib_t, systemd_networkd_var_lib_t)
 
 kernel_read_system_state(systemd_networkd_t)
 kernel_read_kernel_sysctls(systemd_networkd_t)
@@ -1479,6 +1504,31 @@ optional_policy(`
 	virt_manage_virt_content(systemd_nspawn_t)
 ')
 
+#########################################
+#
+# nsresourced local policy
+#
+
+allow systemd_nsresourced_t self:capability { sys_resource };
+allow systemd_nsresourced_t self:process { getcap signal };
+allow systemd_nsresourced_t systemd_nsresourced_exec_t:file execute_no_trans;
+
+manage_dirs_pattern(systemd_nsresourced_t, systemd_nsresourced_runtime_t, systemd_nsresourced_runtime_t)
+manage_files_pattern(systemd_nsresourced_t, systemd_nsresourced_runtime_t, systemd_nsresourced_runtime_t)
+manage_sock_files_pattern(systemd_nsresourced_t, systemd_nsresourced_runtime_t, systemd_nsresourced_runtime_t)
+init_runtime_filetrans(systemd_nsresourced_t, systemd_nsresourced_runtime_t, dir)
+
+fs_getattr_cgroup(systemd_nsresourced_t)
+
+# for /proc/1/environ
+init_read_state(systemd_nsresourced_t)
+
+kernel_read_kernel_sysctls(systemd_nsresourced_t)
+# for /proc/cmdline
+kernel_read_system_state(systemd_nsresourced_t)
+
+systemd_log_parse_environment(systemd_nsresourced_t)
+
 #######################################
 #
 # systemd_passwd_agent_t local policy
@@ -1796,6 +1846,8 @@ seutil_read_file_contexts(systemd_sysusers_t)
 
 systemd_log_parse_environment(systemd_sysusers_t)
 
+systemd_stream_connect_nsresourced(systemd_sysusers_t)
+
 #########################################
 #
 # Tmpfiles local policy
@@ -2098,6 +2150,8 @@ seutil_search_default_contexts(systemd_userdbd_t)
 
 systemd_log_parse_environment(systemd_userdbd_t)
 
+systemd_stream_connect_nsresourced(systemd_userdbd_t)
+
 #########################################
 #
 # systemd-user-runtime-dir local policy