Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

selinux: Add network_exec label for systemd-networkd #3311

Merged
merged 1 commit into from
Aug 4, 2023
Merged

selinux: Add network_exec label for systemd-networkd #3311

merged 1 commit into from
Aug 4, 2023

Conversation

zmrow
Copy link
Contributor

@zmrow zmrow commented Aug 2, 2023
edited
Loading

Issue number:
Related to #2449

Description of changes:
This change adds the network_exec label to systemd-networkd and systemd-networkd-wait-online, which is what wicked currently has and which gives access to /etc and DBUS .

Testing done:

  • Boot an aws-k8s-1.24 variant as a sanity check; it comes up and joins the cluster properly. No spurious AVC denial messages in the journal.
  • Build an aws-dev variant with systemd-networkd enabled and ensure the right label is placed systemd-networkd and systemd-networkd-wait-online. Also make sure no AVC denial messages showed up in the journal.
bash-5.1# ls -lahZ /usr/lib/systemd/
...
-rwxr-xr-x.  1 root root system_u:object_r:network_exec_t:s0 2.7M Aug  2 21:12 systemd-networkd
-rwxr-xr-x.  1 root root system_u:object_r:network_exec_t:s0 314K Aug  2 21:12 systemd-networkd-wait-online
...

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@zmrow zmrow force-pushed the networkd-selinux branch 2 times, most recently from b977872 to 5e5dbcb Compare August 2, 2023 22:24
arnaldo2792
arnaldo2792 approved these changes Aug 2, 2023
View reviewed changes
packages/selinux-policy/fs.cil Outdated
@@ -51,6 +51,8 @@
(filecon "/.*/usr/sbin/chronyd" file clock_exec)
(filecon "/.*/usr/sbin/wicked.*" file network_exec)
(filecon "/.*/usr/libexec/wicked/bin/wicked.*" file network_exec)
(filecon "/.*/usr/lib/systemd/systemd-networkd" file network_exec)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if you could do what is already in the policy for wicked a few lines above:

(filecon "/.*/usr/lib/systemd/systemd-networkd*" file network_exec)

@zmrow
selinux: Add network_exec label for systemd-networkd
da72038 
This change adds the network_exec label to systemd-networkd and
systemd-networkd-wait-online, which is what wicked currently has and
gives access to /etc and DBUS.
@zmrow
Copy link
Contributor Author

zmrow commented Aug 4, 2023

^ Adds the wildcard @arnaldo2792 suggested

@zmrow zmrow merged commit bbf8402 into bottlerocket-os:develop Aug 4, 2023
42 checks passed
@zmrow zmrow deleted the networkd-selinux branch August 4, 2023 22:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yeazelm yeazelm yeazelm approved these changes

@arnaldo2792 arnaldo2792 arnaldo2792 approved these changes

@cbgbt cbgbt cbgbt approved these changes

@bcressey bcressey bcressey approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@zmrow @bcressey @cbgbt @arnaldo2792 @yeazelm