From 00949e479d614e18c1f9840d26f4dad2b0c906c410eaf4ecd6bd638091c3238d Mon Sep 17 00:00:00 2001 From: Johannes Segitz Date: Fri, 17 Mar 2023 10:46:53 +0000 Subject: [PATCH] Accepting request 1072556 from home:jsegitz:branches:security:SELinux_final OBS-URL: https://build.opensuse.org/request/show/1072556 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=175 --- _service | 8 - _servicedata | 2 +- container-selinux-20230214.tar.xz | 3 - container.fc | 156 ++++ container.if | 1044 +++++++++++++++++++++ container.te | 1416 +++++++++++++++++++++++++++++ selinux-policy-20230214.tar.xz | 3 - selinux-policy-20230316.tar.xz | 3 + selinux-policy.changes | 28 + selinux-policy.spec | 14 +- update.sh | 27 + 11 files changed, 2683 insertions(+), 21 deletions(-) delete mode 100644 container-selinux-20230214.tar.xz create mode 100644 container.fc create mode 100644 container.if create mode 100644 container.te delete mode 100644 selinux-policy-20230214.tar.xz create mode 100644 selinux-policy-20230316.tar.xz create mode 100644 update.sh diff --git a/_service b/_service index 64a67c0..f74bf15 100644 --- a/_service +++ b/_service @@ -7,14 +7,6 @@ enable factory - - 1 - %cd - https://github.com/containers/container-selinux.git - git - enable - main - xz *.tar diff --git a/_servicedata b/_servicedata index b50b36f..4535cb7 100644 --- a/_servicedata +++ b/_servicedata @@ -1,6 +1,6 @@ https://gitlab.suse.de/selinux/selinux-policy.git - 167da331be8238b650e75d629a925576ca5bf70b + 3fa3ee463c968e6001607a3d25edc2f9971824d7 https://github.com/containers/container-selinux.git 07b3034f6d9625ab84508a2f46515d8ff79b4204 \ No newline at end of file diff --git a/container-selinux-20230214.tar.xz b/container-selinux-20230214.tar.xz deleted file mode 100644 index 16fd854..0000000 --- a/container-selinux-20230214.tar.xz +++ /dev/null 
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:35976ddc019bac7363a4a7eb7f626fc92cf91a19deeca7bb8ff1458dbb0dc936
-size 25128
diff --git a/container.fc b/container.fc
new file mode 100644
index 0000000..8fc71ee
--- /dev/null
+++ b/container.fc
@@ -0,0 +1,156 @@
+/root/\.docker gen_context(system_u:object_r:container_home_t,s0)
+
+/usr/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+
+/usr/s?bin/lxc-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxd-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxd -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/fuidshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/libexec/lxc/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/libexec/lxd/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/conmon -- gen_context(system_u:object_r:conmon_exec_t,s0)
+/usr/local/bin/conmon -- gen_context(system_u:object_r:conmon_exec_t,s0)
+/usr/local/s?bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/buildkit-runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/buildkit-runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/crun -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/crun -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/kata-agent -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/kata-agent -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/container[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/rhel-push-plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/sbin/rhel-push-plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker-latest -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker-current -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0)
+/usr/s?bin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/ocid.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/lib/docker/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0)
+/usr/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+
+/usr/lib/systemd/system/docker.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/lxd.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/containerd.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/buildkit.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
+
+/etc/docker(/.*)? gen_context(system_u:object_r:container_config_t,s0)
+/etc/docker-latest(/.*)? gen_context(system_u:object_r:container_config_t,s0)
+/etc/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0)
+/etc/buildkit(/.*)? gen_context(system_u:object_r:container_config_t,s0)
+/etc/crio(/.*)? gen_context(system_u:object_r:container_config_t,s0)
+/exports(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+
+/var/lib/registry(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/lxc(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/lxd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
+/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+
+/var/lib/containerd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+# The "snapshots" directory of containerd and BuildKit must be writable, as it is used as an upperdir as well as a lowerdir.
+/var/lib/containerd/[^/]*/snapshots(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/nerdctl(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/nerdctl/[^/]*/volumes(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lib/buildkit(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/buildkit/[^/]*/snapshots(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+# "/var/lib/buildkit/runc-/executor" contains "resolv.conf" and "hosts.", for OCI (runc) worker mode.
+/var/lib/buildkit/runc-.*/executor(/.*?) gen_context(system_u:object_r:container_ro_file_t,s0)
+# "/var/lib/buildkit/containerd-" contains resolv.conf and hosts., for containerd worker mode.
+# Unlike the runc- directory, this directory does not contain the "executor" directory inside it.
+/var/lib/buildkit/containerd-.*(/.*?) gen_context(system_u:object_r:container_ro_file_t,s0)
+
+HOME_DIR/\.local/share/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lib/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/containers/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/atomic(/.*)? <>
+/var/lib/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/ocid(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/ocid/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/cache/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+
+/var/run/kata-containers(/.*)? gen_context(system_u:object_r:container_kvm_var_run_t,s0)
+
+/var/lib/origin(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
+/var/lib/docker-latest/containers/.*/hostname gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/containers/.*/hosts gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+
+/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+
+/var/run/containers(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/crio(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/containerd(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
+/var/run/buildkit(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker\.pid -- gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker\.sock -s gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker-client(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker/plugins(/.*)? gen_context(system_u:object_r:container_plugin_var_run_t,s0)
+
+/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+/var/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0)
+
+/var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+/var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+/etc/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_file_t,s0)
diff --git a/container.if b/container.if
new file mode 100644
index 0000000..d9c3daf
--- /dev/null
+++ b/container.if
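Review bot: The two BuildKit entries `/var/lib/buildkit/runc-.*/executor(/.*?)` and `/var/lib/buildkit/containerd-.*(/.*?)` place the `?` inside the group, which makes the group mandatory (the `?` only turns `.*` non-greedy), so the `executor` and `containerd-*` directories themselves are not matched by these lines and presumably fall back to the earlier `/var/lib/buildkit(/.*)?` entry, i.e. `container_var_lib_t` instead of the intended `container_ro_file_t`; only their children get the read-only label. Every other entry in this file uses the `(/.*)?` form, so the intent is clear: change the two lines to `/var/lib/buildkit/runc-.*/executor(/.*)?` and `/var/lib/buildkit/containerd-.*(/.*)?`. As this commit drops the container-selinux source service and carries the policy files in-package, the correction can be applied here directly, but if the file is still meant to track upstream verbatim it should go upstream first so the next refresh does not revert it.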
@@ -0,0 +1,1044 @@ +## The open-source application container engine. + +######################################## +## +## Execute container in the container domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`container_runtime_domtrans',` + gen_require(` + type container_runtime_t, container_runtime_exec_t; + type container_runtime_tmpfs_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, container_runtime_exec_t, container_runtime_t) + allow container_runtime_t $1:fifo_file setattr; +') + +######################################## +## +## Execute container runtime in the container runtime domain +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`container_runtime_run',` + gen_require(` + type container_runtime_t; + class dbus send_msg; + ') + + container_runtime_domtrans($1) + role $2 types container_runtime_t; + allow $1 container_runtime_t:dbus send_msg; +') + + +######################################## +## +## Execute container in the caller domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`container_runtime_exec',` + gen_require(` + type container_runtime_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, container_runtime_exec_t) +') + +######################################## +## +## Read the process state of container runtime +## +## +## +## Domain allowed access. +## +## +# +interface(`container_read_state',` + gen_require(` + type container_runtime_t; + ') + + ps_process_pattern($1, container_runtime_t) +') + +######################################## +## +## Search container lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_search_lib',` + gen_require(` + type container_var_lib_t; + ') + + allow $1 container_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Execute container lib directories. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`container_exec_lib',` + gen_require(` + type container_var_lib_t; + ') + + allow $1 container_var_lib_t:dir search_dir_perms; + can_exec($1, container_var_lib_t) +') + +######################################## +## +## Read container lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_read_lib_files',` + gen_require(` + type container_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, container_var_lib_t, container_var_lib_t) +') + +######################################## +## +## Read container share files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_read_share_files',` + gen_require(` + type container_ro_file_t; + ') + + files_search_var_lib($1) + list_dirs_pattern($1, container_ro_file_t, container_ro_file_t) + read_files_pattern($1, container_ro_file_t, container_ro_file_t) + read_lnk_files_pattern($1, container_ro_file_t, container_ro_file_t) +') + +######################################## +## +## Read container runtime tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_runtime_read_tmpfs_files',` + gen_require(` + type container_runtime_tmpfs_t; + ') + + files_search_var_lib($1) + list_dirs_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t) + read_files_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t) + read_lnk_files_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t) +') + +######################################## +## +## Manage container share files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`container_manage_share_files',` + gen_require(` + type container_ro_file_t; + ') + + files_search_var_lib($1) + list_dirs_pattern($1, container_ro_file_t, container_ro_file_t) + manage_files_pattern($1, container_ro_file_t, container_ro_file_t) + manage_lnk_files_pattern($1, container_ro_file_t, container_ro_file_t) +') + +######################################## +## +## Manage container share dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_share_dirs',` + gen_require(` + type container_ro_file_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, container_ro_file_t, container_ro_file_t) +') + +###################################### +## +## Allow the specified domain to execute container shared files +## in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_exec_share_files',` + gen_require(` + type container_ro_file_t; + ') + + can_exec($1, container_ro_file_t) +') + +######################################## +## +## Manage container config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_config_files',` + gen_require(` + type container_config_t; + type kubernetes_file_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, container_config_t, container_config_t) + manage_dirs_pattern($1, kubernetes_file_t, kubernetes_file_t) + manage_files_pattern($1, kubernetes_file_t, kubernetes_file_t) +') + +######################################## +## +## Manage container lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_lib_files',` + gen_require(` + type container_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, container_var_lib_t, container_var_lib_t) + manage_lnk_files_pattern($1, container_var_lib_t, container_var_lib_t) +') + +######################################## +## +## Manage container files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`container_manage_files',` + gen_require(` + type container_file_t; + ') + + manage_files_pattern($1, container_file_t, container_file_t) + manage_lnk_files_pattern($1, container_file_t, container_file_t) +') + +######################################## +## +## Manage container directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_dirs',` + gen_require(` + type container_file_t; + ') + + manage_dirs_pattern($1, container_file_t, container_file_t) +') + +######################################## +## +## Manage container lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_lib_dirs',` + gen_require(` + type container_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, container_var_lib_t, container_var_lib_t) +') + +######################################## +## +## Create objects in a container var lib directory +## with an automatic type transition to +## a specified private type. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to create. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`container_lib_filetrans',` + gen_require(` + type container_var_lib_t; + ') + + filetrans_pattern($1, container_var_lib_t, $2, $3, $4) +') + +######################################## +## +## Read container PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_read_pid_files',` + gen_require(` + type container_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, container_var_run_t, container_var_run_t) +') + +######################################## +## +## Execute container server in the container domain. +## +## +## +## Domain allowed to transition. 
+## +## +# +interface(`container_systemctl',` + gen_require(` + type container_runtime_t; + type container_unit_file_t; + ') + + systemd_exec_systemctl($1) + init_reload_services($1) + systemd_read_fifo_file_passwd_run($1) + allow $1 container_unit_file_t:file read_file_perms; + allow $1 container_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, container_runtime_t) +') + +######################################## +## +## Read and write container shared memory. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_rw_sem',` + gen_require(` + type container_runtime_t; + ') + + allow $1 container_runtime_t:sem rw_sem_perms; +') + +######################################## +## +## Allow the specified domain to append +## to container files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_append_file',` + gen_require(` + type container_file_t; + ') + + append_files_pattern($1, container_file_t, container_file_t) +') + +####################################### +## +## Read and write the container pty type. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_use_ptys',` + gen_require(` + type container_devpts_t; + ') + + allow $1 container_devpts_t:chr_file rw_term_perms; +') + +####################################### +## +## Allow domain to create container content +## +## +## +## Domain allowed access. 
+## +## +# +interface(`container_filetrans_named_content',` + + gen_require(` + type container_var_lib_t; + type container_file_t; + type container_ro_file_t; + type container_log_t; + type container_var_run_t; + type container_home_t; + type kubernetes_file_t; + type container_runtime_tmpfs_t; + type container_kvm_var_run_t; + type data_home_t; + ') + + files_pid_filetrans($1, container_var_run_t, file, "container.pid") + files_pid_filetrans($1, container_var_run_t, file, "docker.pid") + files_pid_filetrans($1, container_var_run_t, sock_file, "container.sock") + files_pid_filetrans($1, container_var_run_t, dir, "container-client") + files_pid_filetrans($1, container_var_run_t, dir, "docker") + files_pid_filetrans($1, container_var_run_t, dir, "containerd") + files_pid_filetrans($1, container_var_run_t, dir, "buildkit") + files_pid_filetrans($1, container_var_run_t, dir, "ocid") + files_pid_filetrans($1, container_var_run_t, dir, "containers") + files_pid_filetrans($1, container_kvm_var_run_t, dir, "kata-containers") + + logging_log_filetrans($1, container_log_t, dir, "lxc") + files_var_lib_filetrans($1, container_var_lib_t, dir, "containers") + files_var_lib_filetrans($1, container_file_t, dir, "origin") + files_var_lib_filetrans($1, container_var_lib_t, dir, "ocid") + files_var_lib_filetrans($1, container_var_lib_t, dir, "docker") + files_var_lib_filetrans($1, container_var_lib_t, dir, "docker-latest") + files_var_filetrans($1, container_ro_file_t, dir, "kata-containers") + files_var_lib_filetrans($1, container_ro_file_t, dir, "kata-containers") + files_var_lib_filetrans($1, container_var_lib_t, dir, "containerd") + files_var_lib_filetrans($1, container_var_lib_t, dir, "buildkit") + + filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "_data") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "config.env") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "hosts") + filetrans_pattern($1, 
container_var_lib_t, container_ro_file_t, file, "hostname") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "resolv.conf") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "sandboxes") + # The "snapshots" directory of containerd and BuildKit must be writable, as it is used as an upperdir as well as a lowerdir. + # (lowerdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/3/fs, + # upperdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4/fs, + # workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4/work) + filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "snapshots") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "init") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-images") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-layers") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2-images") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2-layers") + + # "/var/lib/buildkit/runc-/executor" contains "resolv.conf" and "hosts.", for OCI (runc) worker mode. + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "executor") + + # "/var/lib/buildkit/containerd-" contains resolv.conf and hosts., for containerd worker mode. + # Unlike the runc- directory, this directory does not contain the "executor" directory inside it. 
+ # Core snapshotters + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-overlayfs") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-native") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-btrfs") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-zfs") + # Non-core snapshotters + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-fuse-overlayfs") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-nydus") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-overlaybd") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-stargz") + # Third-party snapshotters + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-soci") + + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay") + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-images") + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-layers") + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2") + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-images") + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-layers") + + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "atomic") + userdom_admin_home_dir_filetrans($1, container_home_t, dir, ".container") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers") + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "kata-containers") + filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm") + files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes") +') + +######################################## +## +## Connect to container over a unix stream socket. 
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_stream_connect',`
+ gen_require(`
+ type container_runtime_t, container_var_run_t, container_runtime_tmpfs_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, container_var_run_t, container_var_run_t, container_runtime_t)
+ stream_connect_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t, container_runtime_t)
+ allow $1 container_runtime_tmpfs_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+##
+## Connect to SPC containers over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_spc_stream_connect',`
+ gen_require(`
+ type spc_t, spc_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 spc_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an container environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_admin',`
+ gen_require(`
+ type container_runtime_t;
+ type container_var_lib_t, container_var_run_t;
+ type container_unit_file_t;
+ type container_lock_t;
+ type container_log_t;
+ type container_config_t;
+ type container_file_t;
+ ')
+
+ allow $1 container_runtime_t:process { ptrace signal_perms };
+ ps_process_pattern($1, container_runtime_t)
+
+ admin_pattern($1, container_config_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, container_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, container_var_run_t)
+
+ files_search_locks($1)
+ admin_pattern($1, container_lock_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, container_log_t)
+
+ container_systemctl($1)
+ admin_pattern($1, container_unit_file_t)
+ allow $1 container_unit_file_t:service all_service_perms;
+
+ admin_pattern($1, container_file_t)
+
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
+
+########################################
+##
+## Execute container_auth_exec_t in the container_auth domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`container_auth_domtrans',`
+ gen_require(`
+ type container_auth_t, container_auth_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, container_auth_exec_t, container_auth_t)
+')
+
+######################################
+##
+## Execute container_auth in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_auth_exec',`
+ gen_require(`
+ type container_auth_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, container_auth_exec_t)
+')
+
+########################################
+##
+## Connect to container_auth over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_auth_stream_connect',`
+ gen_require(`
+ type container_auth_t, container_plugin_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, container_plugin_var_run_t, container_plugin_var_run_t, container_auth_t)
+')
+
+########################################
+##
+## container domain typebounds calling domain.
+##
+##
+##
+## Domain to be typebound.
+##
+##
+#
+interface(`container_runtime_typebounds',`
+ gen_require(`
+ type container_runtime_t;
+ ')
+
+ allow container_runtime_t $1:process2 nnp_transition;
+')
+
+########################################
+##
+## Allow any container_runtime_exec_t to be an entrypoint of this domain
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`container_runtime_entrypoint',`
+ gen_require(`
+ type container_runtime_exec_t;
+ ')
+ allow $1 container_runtime_exec_t:file entrypoint;
+')
+
+interface(`docker_exec_lib',`
+ container_exec_lib($1)
+')
+
+interface(`docker_read_share_files',`
+ container_read_share_files($1)
+')
+
+interface(`docker_exec_share_files',`
+ container_exec_share_files($1)
+')
+
+interface(`docker_manage_lib_files',`
+ container_manage_lib_files($1)
+')
+
+
+interface(`docker_manage_lib_dirs',`
+ container_manage_lib_dirs($1)
+')
+
+interface(`docker_lib_filetrans',`
+ container_lib_filetrans($1, $2, $3, $4)
+')
+
+interface(`docker_read_pid_files',`
+ container_read_pid_files($1)
+')
+
+interface(`docker_systemctl',`
+ container_systemctl($1)
+')
+
+interface(`docker_use_ptys',`
+ container_use_ptys($1)
+')
+
+interface(`docker_stream_connect',`
+ container_stream_connect($1)
+')
+
+interface(`docker_spc_stream_connect',`
+ container_spc_stream_connect($1)
+')
+
+########################################
+##
+## Read the process state of spc containers
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_spc_read_state',`
+ gen_require(`
+ type spc_t;
+ ')
+
+ ps_process_pattern($1, spc_t)
+')
+
+########################################
+##
+## Creates types and rules for a basic
+## container runtime process domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+#
+template(`container_runtime_domain_template',`
+ gen_require(`
+ attribute container_runtime_domain;
+ type container_runtime_t;
+ type container_var_lib_t;
+ type container_ro_file_t;
+ role system_r, sysadm_r;
+ ')
+
+ type $1_t, container_runtime_domain;
+ role system_r types $1_t;
+ role sysadm_r types $1_t;
+ domain_type($1_t)
+ domain_subj_id_change_exemption($1_t)
+ domain_role_change_exemption($1_t)
+
+ kernel_read_system_state($1_t)
+ kernel_read_all_proc($1_t)
+
+ mls_file_read_to_clearance($1_t)
+ mls_file_write_to_clearance($1_t)
+
+ storage_raw_rw_fixed_disk($1_t)
+ auth_use_nsswitch($1_t)
+ logging_send_syslog_msg($1_t)
+')
+
+########################################
+##
+## Creates types and rules for a basic
+## container process domain.
+##
+##
+##
+## Prefix for the domain.
+##
+##
+##
+##
+## Prefix for the file type.
+##
+##
+#
+template(`container_domain_template',`
+ gen_require(`
+ attribute container_domain;
+ type container_runtime_t;
+ type container_var_lib_t;
+ type container_ro_file_t;
+ ')
+
+ type $1_t, container_domain;
+ domain_type($1_t)
+ domain_user_exemption_target($1_t)
+ allow $1_t $2_file_t:file entrypoint;
+
+ container_manage_files_template($1, $2)
+')
+
+
+########################################
+##
+## Manage container files template
+##
+##
+##
+## Prefix for the domain.
+##
+##
+##
+##
+## Prefix for the file type.
+##
+##
+#
+template(`container_manage_files_template',`
+ gen_require(`
+ attribute container_domain;
+ type container_runtime_t;
+ type container_var_lib_t;
+ type container_ro_file_t;
+ ')
+
+
+ mls_rangetrans_target($1_t)
+ mcs_constrained($1_t)
+ role system_r types $1_t;
+
+ kernel_read_all_proc($1_t)
+
+ allow $1_t $2_file_t:dir_file_class_set { relabelfrom relabelto map };
+
+ manage_files_pattern($1_t, $2_file_t, $2_file_t)
+ exec_files_pattern($1_t, $2_file_t, $2_file_t)
+ manage_lnk_files_pattern($1_t, $2_file_t, $2_file_t)
+ manage_dirs_pattern($1_t, $2_file_t, $2_file_t)
+ manage_chr_files_pattern($1_t, $2_file_t, $2_file_t)
+ allow $1_t $2_file_t:chr_file { mmap_file_perms watch watch_reads };
+ manage_blk_files_pattern($1_t, $2_file_t, $2_file_t)
+ manage_fifo_files_pattern($1_t, $2_file_t, $2_file_t)
+ manage_sock_files_pattern($1_t, $2_file_t, $2_file_t)
+ allow $1_t $2_file_t:{file dir} mounton;
+ allow $1_t $2_file_t:filesystem { mount remount unmount };
+ allow $1_t $2_file_t:dir_file_class_set { relabelfrom relabelto map };
+
+ fs_tmpfs_filetrans($1_t, $2_file_t, { dir file lnk_file })
+')
+
+########################################
+##
+## Read and write a spc_t unnamed pipe.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_spc_rw_pipes',`
+ gen_require(`
+ type spc_t;
+ ')
+
+ allow $1 spc_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+##
+## Execute container in the container domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`container_kubelet_domtrans',`
+ gen_require(`
+ type kubelet_t, kubelet_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, kubelet_exec_t, kubelet_t)
+')
+
+########################################
+##
+## Execute kubelet_exec_t in the kubelet_t domain
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`container_kubelet_run',`
+ gen_require(`
+ type kubelet_t;
+ class dbus send_msg;
+ ')
+
+ container_kubelet_domtrans($1)
+ role $2 types kubelet_t;
+')
+
+########################################
+##
+## Connect to kubelet over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_kubelet_stream_connect',`
+ gen_require(`
+ type kubelet_t, container_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, container_var_run_t, container_var_run_t, kubelet_t)
+')
+
+#######################################
+##
+## Create a file type used for container files.
+##
+##
+##
+## Type to be used for an container file.
+##
+##
+#
+interface(`container_file',`
+ gen_require(`
+ attribute container_file_type;
+ ')
+
+ typeattribute $1 container_file_type;
+ files_type($1)
+ files_mountpoint($1)
+')
diff --git a/container.te b/container.te
new file mode 100644
index 0000000..d649eb0
--- /dev/null
+++ b/container.te
@@ -0,0 +1,1416 @@
+policy_module(container, 2.204.0)
+
+gen_require(`
+ class passwd rootok;
+')
+
+########################################
+#
+# Declarations
+#
+
+##
+##

+## Determine whether container can
+## connect to all TCP ports.
+##

+##
+gen_tunable(container_connect_any, false)
+
+##
+##

+## Allow containers to use any device volume mounted into container
+##

+##
+gen_tunable(container_use_devices, false)
+
+##
+##

+## Allow sandbox containers to manage cgroup (systemd)
+##

+##
+gen_tunable(container_manage_cgroup, false)
+
+##
+##

+## Determine whether container can
+## use ceph file system
+##

+##
+gen_tunable(container_use_cephfs, false)
+
+##
+##

+## Determine whether container can
+## use ecrypt file system
+##

+##
+gen_tunable(container_use_ecryptfs, false)
+
+attribute container_runtime_domain;
+container_runtime_domain_template(container_runtime)
+typealias container_runtime_t alias docker_t;
+
+type container_runtime_exec_t alias docker_exec_t;
+can_exec(container_runtime_t,container_runtime_exec_t)
+attribute container_domain;
+attribute container_user_domain;
+attribute container_net_domain;
+attribute container_init_domain;
+attribute container_file_type;
+allow container_runtime_domain container_domain:process { dyntransition transition };
+allow container_domain container_runtime_domain:process sigchld;
+allow container_runtime_domain container_domain:process2 { nnp_transition nosuid_transition };
+dontaudit container_runtime_domain container_domain:process { noatsecure rlimitinh siginh };
+
+type conmon_exec_t;
+application_executable_file(conmon_exec_t)
+can_exec(container_runtime_t, conmon_exec_t)
+allow container_runtime_domain conmon_exec_t:file entrypoint;
+ifdef(`enable_mcs',`
+ range_transition container_runtime_t conmon_exec_t:process s0;
+')
+ifdef(`enable_mls',`
+ range_transition container_runtime_t conmon_exec_t:process s0;
+')
+
+type spc_t, container_domain;
+domain_type(spc_t)
+role system_r types spc_t;
+init_initrc_domain(spc_t)
+
+type container_auth_t alias docker_auth_t;
+type container_auth_exec_t alias docker_auth_exec_t;
+init_daemon_domain(container_auth_t, container_auth_exec_t)
+
+type spc_var_run_t;
+files_pid_file(spc_var_run_t)
+
+type kubernetes_file_t;
+files_config_file(kubernetes_file_t)
+
+type container_var_lib_t alias docker_var_lib_t;
+files_type(container_var_lib_t)
+
+type container_home_t alias docker_home_t;
+userdom_user_home_content(container_home_t)
+
+type container_config_t alias docker_config_t;
+files_config_file(container_config_t)
+
+type container_lock_t alias docker_lock_t;
+files_lock_file(container_lock_t)
+
+type container_log_t alias docker_log_t;
+logging_log_file(container_log_t)
+
+type container_runtime_tmp_t alias docker_tmp_t;
+files_tmp_file(container_runtime_tmp_t)
+
+type container_runtime_tmpfs_t alias docker_tmpfs_t;
+files_tmpfs_file(container_runtime_tmpfs_t)
+
+type container_var_run_t alias docker_var_run_t;
+files_pid_file(container_var_run_t)
+
+type container_plugin_var_run_t alias docker_plugin_var_run_t;
+files_pid_file(container_plugin_var_run_t)
+
+type container_unit_file_t alias docker_unit_file_t;
+systemd_unit_file(container_unit_file_t)
+
+type container_devpts_t alias docker_devpts_t;
+term_pty(container_devpts_t)
+
+typealias container_ro_file_t alias { container_share_t docker_share_t };
+files_mountpoint(container_ro_file_t)
+
+type container_port_t alias docker_port_t;
+corenet_port(container_port_t)
+
+init_daemon_domain(container_runtime_t, container_runtime_exec_t)
+#ifdef(`enable_mcs',`
+# init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mcs_systemhigh)
+#')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mls_systemhigh)
+')
+mls_trusted_object(container_runtime_t)
+
+
+########################################
+#
+# container local policy
+#
+allow container_runtime_domain self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap sys_resource };
+allow container_runtime_domain self:tun_socket { create_socket_perms relabelto };
+allow container_runtime_domain self:process ~setcurrent;
+allow container_runtime_domain self:passwd rootok;
+allow container_runtime_domain self:fd use;
+allow container_runtime_domain self:dir mounton;
+allow container_runtime_domain self:file mounton;
+
+allow container_runtime_domain self:fifo_file rw_fifo_file_perms;
+allow container_runtime_domain self:fifo_file manage_file_perms;
+allow container_runtime_domain self:msg all_msg_perms;
+allow container_runtime_domain self:sem create_sem_perms;
+allow container_runtime_domain self:shm create_shm_perms;
+allow container_runtime_domain self:msgq create_msgq_perms;
+allow container_runtime_domain self:unix_stream_socket create_stream_socket_perms;
+allow container_runtime_domain self:tcp_socket create_stream_socket_perms;
+allow container_runtime_domain self:udp_socket create_socket_perms;
+allow container_runtime_domain self:capability2 block_suspend;
+allow container_runtime_domain container_port_t:tcp_socket name_bind;
+allow container_runtime_domain self:filesystem associate;
+allow container_runtime_domain self:packet_socket create_socket_perms;
+allow container_runtime_domain self:socket create_socket_perms;
+allow container_runtime_domain self:rawip_socket create_stream_socket_perms;
+allow container_runtime_domain self:netlink_netfilter_socket create_socket_perms;
+allow container_runtime_domain self:netlink_kobject_uevent_socket create_socket_perms;
+allow container_runtime_domain self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow container_runtime_domain self:netlink_socket create_socket_perms;
+
+corenet_tcp_bind_generic_node(container_runtime_domain)
+corenet_udp_bind_generic_node(container_runtime_domain)
+corenet_raw_bind_generic_node(container_runtime_domain)
+corenet_tcp_sendrecv_all_ports(container_runtime_domain)
+corenet_udp_sendrecv_all_ports(container_runtime_domain)
+corenet_udp_bind_all_ports(container_runtime_domain)
+corenet_tcp_bind_all_ports(container_runtime_domain)
+corenet_tcp_connect_all_ports(container_runtime_domain)
+corenet_sctp_bind_all_ports(container_net_domain)
+corenet_sctp_connect_all_ports(container_net_domain)
+corenet_rw_tun_tap_dev(container_runtime_domain)
+
+container_auth_stream_connect(container_runtime_domain)
+
+manage_files_pattern(container_runtime_domain, container_file_type, container_file_type)
+manage_lnk_files_pattern(container_runtime_domain, container_file_type, container_file_type)
+manage_blk_files_pattern(container_runtime_domain, container_file_type, container_file_type)
+allow container_runtime_domain container_domain:key manage_key_perms;
+manage_sock_files_pattern(container_runtime_domain, container_file_type, container_file_type)
+allow container_runtime_domain container_file_type:dir_file_class_set {relabelfrom relabelto execmod};
+allow container_runtime_domain container_file_type:dir_file_class_set mmap_file_perms;
+
+manage_files_pattern(container_runtime_domain, container_home_t, container_home_t)
+manage_dirs_pattern(container_runtime_domain, container_home_t, container_home_t)
+manage_lnk_files_pattern(container_runtime_domain, container_home_t, container_home_t)
+userdom_admin_home_dir_filetrans(container_runtime_domain, container_home_t, dir, ".container")
+userdom_manage_user_home_content(container_runtime_domain)
+
+manage_dirs_pattern(container_runtime_domain, container_config_t, container_config_t)
+manage_files_pattern(container_runtime_domain, container_config_t, container_config_t)
+files_etc_filetrans(container_runtime_domain, container_config_t, dir, "container")
+
+manage_dirs_pattern(container_runtime_domain, container_lock_t, container_lock_t)
+manage_files_pattern(container_runtime_domain, container_lock_t, container_lock_t)
+files_lock_filetrans(container_runtime_domain, container_lock_t, { dir file }, "lxc")
+
+manage_dirs_pattern(container_runtime_domain, container_log_t, container_log_t)
+manage_files_pattern(container_runtime_domain, container_log_t, container_log_t)
+manage_lnk_files_pattern(container_runtime_domain, container_log_t, container_log_t)
+logging_log_filetrans(container_runtime_domain, container_log_t, { dir file lnk_file })
+allow container_runtime_domain container_log_t:dir_file_class_set { relabelfrom relabelto };
+filetrans_pattern(container_runtime_domain, container_var_lib_t, container_log_t, file, "container-json.log")
+allow container_runtime_domain { container_var_lib_t container_ro_file_t }:file entrypoint;
+
+manage_dirs_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
+manage_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
+manage_sock_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
+manage_lnk_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
+
+manage_dirs_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_lnk_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_fifo_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_chr_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_blk_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+allow container_runtime_domain container_runtime_tmpfs_t:dir relabelfrom;
+can_exec(container_runtime_domain, container_runtime_tmpfs_t)
+fs_tmpfs_filetrans(container_runtime_domain, container_runtime_tmpfs_t, dir_file_class_set)
+allow container_runtime_domain container_runtime_tmpfs_t:chr_file mounton;
+
+manage_dirs_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+allow container_runtime_domain container_ro_file_t:dir_file_class_set { relabelfrom relabelto };
+can_exec(container_runtime_domain, container_ro_file_t)
+filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "init")
+filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay")
+filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay2")
+filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "config.env")
+filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "hostname")
+filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "hosts")
+
+#container_filetrans_named_content(container_runtime_domain)
+
+manage_dirs_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_chr_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_blk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+allow container_runtime_domain container_var_lib_t:dir_file_class_set { relabelfrom relabelto };
+files_var_lib_filetrans(container_runtime_domain, container_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
+manage_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
+manage_fifo_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
+manage_sock_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
+manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
+files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
+files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
+
+allow container_runtime_domain container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(container_runtime_domain, container_devpts_t)
+term_use_all_ttys(container_runtime_domain)
+term_use_all_inherited_terms(container_runtime_domain)
+
+kernel_read_network_state(container_runtime_domain)
+kernel_read_all_sysctls(container_runtime_domain)
+kernel_rw_net_sysctls(container_runtime_domain)
+kernel_setsched(container_runtime_domain)
+kernel_rw_all_sysctls(container_runtime_domain)
+
+domain_obj_id_change_exemption(container_runtime_t)
+domain_subj_id_change_exemption(container_runtime_t)
+domain_role_change_exemption(container_runtime_t)
+domain_use_interactive_fds(container_runtime_domain)
+domain_dontaudit_read_all_domains_state(container_runtime_domain)
+domain_sigchld_all_domains(container_runtime_domain)
+domain_use_interactive_fds(container_runtime_domain)
+domain_read_all_domains_state(container_runtime_domain)
+domain_getattr_all_domains(container_runtime_domain)
+
+userdom_map_tmp_files(container_runtime_domain)
+
+optional_policy(`
+ gnome_map_generic_data_home_files(container_runtime_domain)
+ allow container_runtime_domain data_home_t:dir { relabelfrom relabelto };
+')
+
+gen_require(`
+ attribute domain;
+')
+
+allow container_runtime_domain domain:fifo_file rw_fifo_file_perms;
+allow container_runtime_domain domain:fd use;
+
+corecmd_exec_bin(container_runtime_domain)
+corecmd_exec_shell(container_runtime_domain)
+corecmd_exec_all_executables(container_runtime_domain)
+corecmd_bin_entry_type(container_runtime_domain)
+corecmd_shell_entry_type(container_runtime_domain)
+
+corenet_tcp_bind_generic_node(container_runtime_domain)
+corenet_tcp_sendrecv_generic_if(container_runtime_domain)
+corenet_tcp_sendrecv_generic_node(container_runtime_domain)
+corenet_tcp_sendrecv_generic_port(container_runtime_domain)
+corenet_tcp_bind_all_ports(container_runtime_domain)
+corenet_tcp_connect_http_port(container_runtime_domain)
+corenet_tcp_connect_commplex_main_port(container_runtime_domain)
+corenet_udp_sendrecv_generic_if(container_runtime_domain)
+corenet_udp_sendrecv_generic_node(container_runtime_domain)
+corenet_udp_sendrecv_all_ports(container_runtime_domain)
+corenet_udp_bind_generic_node(container_runtime_domain)
+corenet_udp_bind_all_ports(container_runtime_domain)
+
+files_read_kernel_modules(container_runtime_domain)
+files_read_config_files(container_runtime_domain)
+files_dontaudit_getattr_all_dirs(container_runtime_domain)
+files_dontaudit_getattr_all_files(container_runtime_domain)
+files_execmod_all_files(container_runtime_domain)
+files_search_all(container_runtime_domain)
+files_read_usr_symlinks(container_runtime_domain)
+files_search_locks(container_runtime_domain)
+files_dontaudit_unmount_all_mountpoints(container_runtime_domain)
+
+fs_read_cgroup_files(container_runtime_domain)
+fs_read_tmpfs_symlinks(container_runtime_domain)
+fs_search_all(container_runtime_domain)
+fs_getattr_all_fs(container_runtime_domain)
+fs_rw_onload_sockets(container_runtime_domain)
+
+auth_dontaudit_getattr_shadow(container_runtime_domain)
+
+init_read_state(container_runtime_domain)
+init_status(container_runtime_domain)
+init_stop(container_runtime_domain)
+init_start(container_runtime_domain)
+init_manage_config_transient_files(container_runtime_domain)
+
+logging_send_audit_msgs(container_runtime_domain)
+
+miscfiles_read_localization(container_runtime_domain)
+miscfiles_dontaudit_access_check_cert(container_runtime_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(container_runtime_domain)
+miscfiles_read_fonts(container_runtime_domain)
+miscfiles_read_hwdata(container_runtime_domain)
+fs_relabel_cgroup_dirs(container_runtime_domain)
+# fs_relabel_cgroup_files(container_runtime_domain)
+allow container_runtime_domain container_domain:file relabelfrom;
+
+mount_domtrans(container_runtime_domain)
+
+seutil_read_default_contexts(container_runtime_domain)
+seutil_read_config(container_runtime_domain)
+
+sysnet_dns_name_resolve(container_runtime_domain)
+sysnet_exec_ifconfig(container_runtime_domain)
+
+optional_policy(`
+ cron_system_entry(container_runtime_t, container_runtime_exec_t)
+')
+
+optional_policy(`
+ ssh_use_ptys(container_runtime_domain)
+')
+
+optional_policy(`
+ rpm_exec(container_runtime_domain)
+ rpm_read_cache(container_runtime_domain)
+ rpm_read_db(container_runtime_domain)
+ rpm_exec(container_runtime_domain)
+')
+
+optional_policy(`
+ fstools_domtrans(container_runtime_domain)
+')
+
+optional_policy(`
+ iptables_domtrans(container_runtime_domain)
+
+ container_read_pid_files(iptables_t)
+ container_read_state(iptables_t)
+ container_append_file(iptables_t)
+ allow iptables_t container_runtime_domain:fifo_file rw_fifo_file_perms;
+ allow iptables_t container_file_type:dir list_dir_perms;
+')
+
+optional_policy(`
+ openvswitch_stream_connect(container_runtime_domain)
+')
+
+optional_policy(`
+ gen_require(`
+ attribute named_filetrans_domain;
+ ')
+ container_filetrans_named_content(named_filetrans_domain)
+')
+
+#
+# lxc rules
+#
+
+allow container_runtime_domain self:capability ~{ sys_module };
+allow container_runtime_domain self:capability2 ~{ mac_override mac_admin };
+allow container_runtime_domain self:cap_userns ~{ sys_module };
+allow container_runtime_domain self:cap2_userns ~{ mac_override mac_admin };
+
+allow container_runtime_domain self:process { getcap setcap setexec setpgid setsched signal_perms };
+
+allow container_runtime_domain self:netlink_route_socket rw_netlink_socket_perms;;
+allow container_runtime_domain self:netlink_xfrm_socket create_netlink_socket_perms;
+allow container_runtime_domain self:netlink_audit_socket create_netlink_socket_perms;
+allow container_runtime_domain self:unix_dgram_socket { create_socket_perms sendto };
+allow container_runtime_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+
+allow container_runtime_domain container_var_lib_t:dir mounton;
+allow container_runtime_domain container_var_lib_t:chr_file mounton;
+can_exec(container_runtime_domain, container_var_lib_t)
+
+kernel_dontaudit_setsched(container_runtime_domain)
+kernel_get_sysvipc_info(container_runtime_domain)
+kernel_request_load_module(container_runtime_domain)
+kernel_mounton_messages(container_runtime_domain)
+kernel_mounton_all_proc(container_runtime_domain)
+kernel_mounton_all_sysctls(container_runtime_domain)
+kernel_list_all_proc(container_runtime_domain)
+kernel_read_all_sysctls(container_runtime_domain)
+kernel_rw_net_sysctls(container_runtime_domain)
+kernel_rw_unix_sysctls(container_runtime_domain)
+kernel_dontaudit_search_kernel_sysctl(container_runtime_domain)
+kernel_dontaudit_access_check_proc(container_runtime_domain)
+kernel_dontaudit_setattr_proc_files(container_runtime_domain)
+kernel_dontaudit_setattr_proc_dirs(container_runtime_domain)
+kernel_dontaudit_write_usermodehelper_state(container_runtime_domain)
+
+dev_setattr_null_dev(container_runtime_t)
+dev_getattr_all(container_runtime_domain)
+dev_getattr_sysfs_fs(container_runtime_domain)
+dev_read_rand(container_runtime_domain)
+dev_read_urand(container_runtime_domain)
+dev_read_lvm_control(container_runtime_domain)
+dev_rw_sysfs(container_runtime_domain)
+dev_rw_loop_control(container_runtime_domain)
+dev_rw_lvm_control(container_runtime_domain)
+dev_read_mtrr(container_runtime_domain)
+
+files_getattr_isid_type_dirs(container_runtime_domain)
+files_manage_isid_type_dirs(container_runtime_domain)
+files_manage_isid_type_files(container_runtime_domain)
+files_manage_isid_type_symlinks(container_runtime_domain)
+files_manage_isid_type_chr_files(container_runtime_domain)
+files_manage_isid_type_blk_files(container_runtime_domain)
+files_exec_isid_files(container_runtime_domain)
+files_mounton_isid(container_runtime_domain)
+files_mounton_non_security(container_runtime_domain)
+files_mounton_isid_type_chr_file(container_runtime_domain)
+
+fs_mount_all_fs(container_runtime_domain)
+fs_unmount_all_fs(container_runtime_domain)
+fs_remount_all_fs(container_runtime_domain)
+files_mounton_isid(container_runtime_domain)
+fs_manage_cgroup_dirs(container_runtime_domain)
+fs_manage_cgroup_files(container_runtime_domain)
+fs_rw_nsfs_files(container_runtime_domain)
+fs_relabelfrom_xattr_fs(container_runtime_domain)
+fs_relabelfrom_tmpfs(container_runtime_domain)
+fs_read_tmpfs_symlinks(container_runtime_domain)
+fs_getattr_all_fs(container_runtime_domain)
+fs_rw_inherited_tmpfs_files(container_runtime_domain)
+fs_read_tmpfs_symlinks(container_runtime_domain)
+fs_search_tmpfs(container_runtime_domain)
+fs_list_hugetlbfs(container_runtime_domain)
+fs_manage_hugetlbfs_files(container_runtime_domain)
+
+
+term_use_generic_ptys(container_runtime_domain)
+term_use_ptmx(container_runtime_domain)
+term_getattr_pty_fs(container_runtime_domain)
+term_relabel_pty_fs(container_runtime_domain)
+term_mounton_unallocated_ttys(container_runtime_domain)
+
+modutils_domtrans_kmod(container_runtime_domain)
+
+systemd_status_all_unit_files(container_runtime_domain)
+systemd_start_systemd_services(container_runtime_domain)
+systemd_dbus_chat_logind(container_runtime_domain)
+systemd_chat_resolved(container_runtime_domain)
+
+userdom_stream_connect(container_runtime_domain)
+userdom_search_user_home_content(container_runtime_domain)
+userdom_read_all_users_state(container_runtime_domain)
+userdom_relabel_user_home_files(container_runtime_domain)
+userdom_relabel_user_tmp_files(container_runtime_domain)
+userdom_relabel_user_tmp_dirs(container_runtime_domain)
+userdom_use_inherited_user_terminals(container_runtime_domain)
+userdom_use_user_ptys(container_runtime_domain)
+userdom_connectto_stream(container_runtime_domain)
+allow container_domain init_t:socket_class_set { accept ioctl read getattr lock write append getopt };
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(container_runtime_domain)
+ fs_manage_nfs_files(container_runtime_domain)
+ fs_manage_nfs_named_sockets(container_runtime_domain)
+ fs_manage_nfs_symlinks(container_runtime_domain)
+ fs_remount_nfs(container_runtime_domain)
+ fs_mount_nfs(container_runtime_domain)
+ fs_unmount_nfs(container_runtime_domain)
+ fs_exec_nfs_files(container_runtime_domain)
+ kernel_rw_fs_sysctls(container_runtime_domain)
+ allow container_runtime_domain nfs_t:file execmod;
+')
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_files(container_runtime_domain)
+ fs_manage_cifs_dirs(container_runtime_domain)
+ fs_manage_cifs_named_sockets(container_runtime_domain)
+ fs_manage_cifs_symlinks(container_runtime_domain)
+ fs_exec_cifs_files(container_runtime_domain)
+ allow container_runtime_domain cifs_t:file execmod;
+
+ fs_manage_cifs_files(container_domain)
+ fs_manage_cifs_dirs(container_domain)
+ fs_manage_cifs_named_sockets(container_domain)
+ fs_manage_cifs_symlinks(container_domain)
+ fs_exec_cifs_files(container_domain)
+ allow container_domain cifs_t:file execmod;
+')
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(container_domain)
+ fs_manage_nfs_files(container_domain)
+ fs_manage_nfs_named_sockets(container_domain)
+ fs_manage_nfs_symlinks(container_domain)
+ fs_mount_nfs(container_domain)
+ fs_unmount_nfs(container_domain)
+ fs_exec_nfs_files(container_domain)
+ allow container_domain nfs_t:file execmod;
+')
+
+gen_require(`
+ type cephfs_t;
+')
+
+tunable_policy(`container_use_cephfs',`
+ manage_files_pattern(container_domain, cephfs_t, cephfs_t)
+ manage_lnk_files_pattern(container_domain, cephfs_t, cephfs_t)
+ manage_dirs_pattern(container_domain, cephfs_t, cephfs_t)
+ exec_files_pattern(container_domain, cephfs_t, cephfs_t)
+ allow container_domain cephfs_t:file execmod;
+')
+
+gen_require(`
+ type ecryptfs_t;
+')
+
+tunable_policy(`container_use_ecryptfs',`
+ manage_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
+ manage_lnk_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
+ manage_dirs_pattern(container_domain, ecryptfs_t, ecryptfs_t)
+ exec_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
+ allow container_domain ecryptfs_t:file execmod;
+')
+
+fs_manage_fusefs_named_sockets(container_runtime_domain)
+fs_manage_fusefs_dirs(container_runtime_domain)
+fs_manage_fusefs_files(container_runtime_domain)
+fs_manage_fusefs_symlinks(container_runtime_domain)
+fs_mount_fusefs(container_runtime_domain)
+fs_unmount_fusefs(container_runtime_domain)
+fs_exec_fusefs_files(container_runtime_domain)
+storage_rw_fuse(container_runtime_domain)
+
+
+optional_policy(`
+ files_search_all(container_domain)
+ container_read_share_files(container_domain)
+ container_exec_share_files(container_domain)
+ allow container_domain container_ro_file_t:file execmod;
+ container_lib_filetrans(container_domain,container_file_t, sock_file)
+ container_use_ptys(container_domain)
+ container_spc_stream_connect(container_domain)
+ fs_dontaudit_remount_tmpfs(container_domain)
+ dev_dontaudit_mounton_sysfs(container_domain)
+')
+
+optional_policy(`
+ apache_exec_modules(container_runtime_domain)
+ apache_read_sys_content(container_runtime_domain)
+')
+
+optional_policy(`
+ gpm_getattr_gpmctl(container_runtime_domain)
+')
+
+optional_policy(`
+ dbus_system_bus_client(container_runtime_domain)
+ dbus_session_bus_client(container_runtime_domain)
+ init_dbus_chat(container_runtime_domain)
+ init_start_transient_unit(container_runtime_domain)
+
+ optional_policy(`
+ systemd_dbus_chat_logind(container_runtime_domain)
+ systemd_dbus_chat_machined(container_runtime_domain)
+ ')
+
+ optional_policy(`
+ dnsmasq_dbus_chat(container_runtime_domain)
+ ')
+
+ optional_policy(`
+ firewalld_dbus_chat(container_runtime_domain)
+ ')
+')
+
+optional_policy(`
+ lvm_domtrans(container_runtime_domain)
+')
+
+optional_policy(`
+ gen_require(`
+ type systemd_logind_t;
+ ')
+
+ domtrans_pattern(systemd_logind_t, container_runtime_exec_t , container_runtime_t)
+ container_manage_dirs(systemd_logind_t)
+ container_manage_files(systemd_logind_t)
+')
+
+optional_policy(`
+ udev_read_db(container_runtime_domain)
+')
+
+optional_policy(`
+ gen_require(`
+ role unconfined_r;
+ ')
+ role unconfined_r types container_user_domain;
+ unconfined_domain(container_runtime_t)
+ unconfined_run_to(container_runtime_t, container_runtime_exec_t)
+ role_transition unconfined_r container_runtime_exec_t system_r;
+ allow container_domain unconfined_domain_type:fifo_file { rw_fifo_file_perms map };
+ allow container_runtime_domain unconfined_t:fifo_file setattr;
+ allow unconfined_domain_type container_domain:process {transition dyntransition };
+ allow unconfined_t unlabeled_t:key manage_key_perms;
+ allow container_runtime_t unconfined_t:process transition;
+ allow unconfined_domain_type { container_var_lib_t container_ro_file_t }:file entrypoint;
+ fs_fusefs_entrypoint(unconfined_domain_type)
+
+ domtrans_pattern(unconfined_domain_type, container_runtime_exec_t , container_runtime_t)
+')
+
+optional_policy(`
+ gen_require(`
+ type virtd_lxc_t;
+ ')
+ virt_read_config(container_runtime_domain)
+ virt_exec(container_runtime_domain)
+ virt_stream_connect(container_runtime_domain)
+ virt_stream_connect_sandbox(container_runtime_domain)
+ virt_exec_sandbox_files(container_runtime_domain)
+ virt_manage_sandbox_files(container_runtime_domain)
+ virt_relabel_sandbox_filesystem(container_runtime_domain)
+ # for lxc
+ virt_mounton_sandbox_file(container_runtime_domain)
+# virt_attach_sandbox_tun_iface(container_runtime_domain)
+ allow container_runtime_domain container_domain:tun_socket relabelfrom;
+ virt_sandbox_entrypoint(container_runtime_domain)
+ allow container_runtime_domain virtd_lxc_t:unix_stream_socket { rw_stream_socket_perms connectto };
+
+')
+
+tunable_policy(`container_connect_any',`
+ corenet_tcp_connect_all_ports(container_runtime_domain)
+ corenet_sendrecv_all_packets(container_runtime_domain)
+ corenet_tcp_sendrecv_all_ports(container_runtime_domain)
+')
+
+########################################
+#
+# spc local policy
+#
+allow spc_t { container_var_lib_t container_ro_file_t }:file entrypoint;
+role system_r types spc_t;
+
+domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
+domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
+domtrans_pattern(container_runtime_domain, fusefs_t, spc_t)
+fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file })
+
+allow container_runtime_domain spc_t:process2 nnp_transition;
+admin_pattern(spc_t, kubernetes_file_t)
+
+allow spc_t container_runtime_domain:fifo_file manage_fifo_file_perms;
+allow spc_t { container_ro_file_t container_file_t }:system module_load;
+
+allow container_runtime_domain spc_t:process { setsched signal_perms };
+ps_process_pattern(container_runtime_domain, spc_t)
+allow container_runtime_domain spc_t:socket_class_set { relabelto relabelfrom };
+allow spc_t unlabeled_t:key manage_key_perms;
+allow spc_t unlabeled_t:socket_class_set create_socket_perms;
+
+init_dbus_chat(spc_t)
+
+optional_policy(`
+ systemd_dbus_chat_machined(spc_t)
+ systemd_dbus_chat_logind(spc_t)
+')
+
+optional_policy(`
+ dbus_chat_system_bus(spc_t)
+ dbus_chat_session_bus(spc_t)
+ dnsmasq_dbus_chat(spc_t)
+')
+
+optional_policy(`
+ unconfined_domain_noaudit(spc_t)
+ domain_ptrace_all_domains(spc_t)
+ # This should eventually be in upstream policy.
+ # https://github.com/fedora-selinux/selinux-policy/pull/806 + allow spc_t domain:bpf { map_create map_read map_write prog_load prog_run }; +') + +optional_policy(` + virt_transition_svirt_sandbox(spc_t, system_r) + virt_sandbox_entrypoint(spc_t) + virt_sandbox_domtrans(container_runtime_domain, spc_t) + virt_transition_svirt(spc_t, system_r) + virt_sandbox_entrypoint(container_file_t) + virt_sandbox_entrypoint(container_ro_file_t) + + gen_require(` + attribute virt_domain; + type virtd_t; + ') + container_spc_read_state(virt_domain) + container_spc_rw_pipes(virt_domain) + allow container_runtime_t virtd_t:process transition; + allow container_runtime_t virt_domain:process transition; + allow virt_domain container_file_t:file entrypoint; + allow virtd_t container_file_t:file entrypoint; + manage_files_pattern(virt_domain, container_file_t, container_file_t) + manage_dirs_pattern(virt_domain, container_file_t, container_file_t) + manage_lnk_files_pattern(virt_domain, container_file_t, container_file_t) + read_files_pattern(virt_domain, container_ro_file_t, container_ro_file_t) + read_lnk_files_pattern(virt_domain, container_ro_file_t, container_ro_file_t) + + can_exec(virt_domain, container_file_t) + + manage_files_pattern(virtd_t, container_file_t, container_file_t) + manage_dirs_pattern(virtd_t, container_file_t, container_file_t) + manage_lnk_files_pattern(virtd_t, container_file_t, container_file_t) + read_files_pattern(virtd_t, container_ro_file_t, container_ro_file_t) + read_lnk_files_pattern(virtd_t, container_ro_file_t, container_ro_file_t) + + can_exec(virtd_t, container_file_t) + + +') + +######################################## +# +# container_auth local policy +# +allow container_auth_t self:fifo_file rw_fifo_file_perms; +allow container_auth_t self:unix_stream_socket create_stream_socket_perms; +dontaudit container_auth_t self:capability net_admin; + +container_stream_connect(container_auth_t) + +manage_dirs_pattern(container_auth_t, 
container_plugin_var_run_t, container_plugin_var_run_t) +manage_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t) +manage_sock_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t) +manage_lnk_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t) +files_pid_filetrans(container_auth_t, container_plugin_var_run_t, { dir file lnk_file sock_file }) + +stream_connect_pattern(container_runtime_domain, container_plugin_var_run_t, container_plugin_var_run_t, container_auth_t) +list_dirs_pattern(container_runtime_domain, container_plugin_var_run_t, container_plugin_var_run_t) + +domain_use_interactive_fds(container_auth_t) + +kernel_read_net_sysctls(container_auth_t) + +auth_use_nsswitch(container_auth_t) + +files_read_etc_files(container_auth_t) + +miscfiles_read_localization(container_auth_t) + +sysnet_dns_name_resolve(container_auth_t) + +######################################## +# +# container_t local policy +# +# Currently this is called in virt.te +# virt_sandbox_domain_template(container) +# typealias container_t alias svirt_lxc_net_t; +gen_require(` + type container_t; + type container_file_t; +') +container_manage_files_template(container, container) + +typeattribute container_file_t container_file_type; +typeattribute container_t container_domain, container_net_domain, container_user_domain; +allow container_user_domain self:process getattr; +allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint; +allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms; +allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map }; +allow container_domain container_runtime_t:unix_dgram_socket sendto; + +allow container_domain container_runtime_domain:tun_socket relabelfrom; +allow container_domain container_runtime_domain:fd use; +allow container_runtime_domain container_domain:fd use; 
+allow container_domain self:socket_class_set { create_socket_perms map accept }; +allow container_domain self:lnk_file setattr; +allow container_domain self:user_namespace create; + +dontaudit container_domain self:capability fsetid; +allow container_domain self:association sendto; +allow container_domain self:dir list_dir_perms; +dontaudit container_domain self:dir { write add_name }; +allow container_domain self:file rw_file_perms; +allow container_domain self:lnk_file read_file_perms; +allow container_domain self:fifo_file create_fifo_file_perms; +allow container_domain self:filesystem associate; +allow container_domain self:key manage_key_perms; +allow container_domain self:netlink_route_socket r_netlink_socket_perms; +allow container_domain self:netlink_kobject_uevent_socket create_socket_perms; +allow container_domain self:netlink_xfrm_socket create_socket_perms; +allow container_domain self:packet_socket create_socket_perms; +allow container_domain self:passwd rootok; +allow container_domain self:peer recv; +allow container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop setexec setfscreate}; +allow container_domain self:sem create_sem_perms; +allow container_domain self:shm create_shm_perms; +allow container_domain self:socket create_socket_perms; +allow container_domain self:tcp_socket create_socket_perms; +allow container_domain self:tun_socket { create_socket_perms relabelfrom relabelto attach_queue }; +allow container_domain self:udp_socket create_socket_perms; +allow container_domain self:unix_dgram_socket create_socket_perms; +allow container_domain self:unix_stream_socket create_stream_socket_perms; +dontaudit container_domain self:capability2 block_suspend ; +allow container_domain self:unix_stream_socket { sendto create_stream_socket_perms }; +fs_rw_onload_sockets(container_domain) +fs_fusefs_entrypoint(container_domain) + + 
+container_read_share_files(container_domain) +container_exec_share_files(container_domain) +container_use_ptys(container_domain) +container_spc_stream_connect(container_domain) +fs_dontaudit_remount_tmpfs(container_domain) +dev_dontaudit_mounton_sysfs(container_domain) +dev_dontaudit_mounton_sysfs(container_domain) +fs_mount_tmpfs(container_domain) + +dontaudit container_domain container_runtime_tmpfs_t:dir read; +allow container_domain container_runtime_tmpfs_t:dir mounton; + +dev_getattr_mtrr_dev(container_domain) +dev_list_sysfs(container_domain) +allow container_domain sysfs_t:dir watch; + +dev_rw_kvm(container_domain) +dev_rwx_zero(container_domain) + +allow container_domain self:key manage_key_perms; +dontaudit container_domain container_domain:key search; + +allow container_domain self:process { getrlimit getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit }; +allow container_domain self:fifo_file manage_file_perms; +allow container_domain self:msg all_msg_perms; +allow container_domain self:sem create_sem_perms; +allow container_domain self:shm create_shm_perms; +allow container_domain self:msgq create_msgq_perms; +allow container_domain self:unix_stream_socket { create_stream_socket_perms connectto }; +allow container_domain self:unix_dgram_socket { sendto create_socket_perms }; +allow container_domain self:passwd rootok; +allow container_domain self:filesystem associate; +allow container_domain self:netlink_kobject_uevent_socket create_socket_perms; +allow container_domain container_runtime_domain:socket_class_set { accept ioctl read getattr lock write append getopt setopt }; + +kernel_getattr_proc(container_domain) +kernel_list_all_proc(container_domain) +kernel_read_all_sysctls(container_domain) +kernel_dontaudit_write_kernel_sysctl(container_domain) +kernel_read_network_state(container_domain) +kernel_rw_net_sysctls(container_domain) +kernel_rw_unix_sysctls(container_domain) 
+kernel_dontaudit_search_kernel_sysctl(container_domain) +kernel_dontaudit_access_check_proc(container_domain) +kernel_dontaudit_setattr_proc_files(container_domain) +kernel_dontaudit_setattr_proc_dirs(container_domain) +kernel_dontaudit_write_usermodehelper_state(container_domain) +kernel_read_irq_sysctls(container_domain) +kernel_get_sysvipc_info(container_domain) + +fs_getattr_all_fs(container_domain) +fs_rw_inherited_tmpfs_files(container_domain) +fs_read_tmpfs_symlinks(container_domain) +fs_search_tmpfs(container_domain) +fs_list_hugetlbfs(container_domain) +fs_manage_hugetlbfs_files(container_domain) +fs_exec_hugetlbfs_files(container_domain) +fs_dontaudit_getattr_all_dirs(container_domain) +fs_dontaudit_getattr_all_files(container_domain) +fs_read_nsfs_files(container_domain) + +term_use_all_inherited_terms(container_domain) + +userdom_use_user_ptys(container_domain) +userdom_rw_inherited_user_pipes(container_domain) + +domain_user_exemption_target(container_t) +domain_dontaudit_link_all_domains_keyrings(container_domain) +domain_dontaudit_search_all_domains_keyrings(container_domain) +domain_dontaudit_search_all_domains_state(container_domain) + +virt_sandbox_net_domain(container_t) + +logging_send_syslog_msg(container_t) + +gen_require(` + type container_file_t; +') +# fs_associate_cgroupfs(container_file_t) +gen_require(` + type cgroup_t; +') + +dev_read_sysfs(container_domain) +dev_read_mtrr(container_domain) +dev_mounton_sysfs(container_t) + +fs_mounton_cgroup(container_t) +fs_unmount_cgroup(container_t) + +dev_read_rand(container_domain) +dev_write_rand(container_domain) +dev_read_urand(container_domain) +dev_write_urand(container_domain) + +files_read_kernel_modules(container_domain) + +allow container_file_t cgroup_t:filesystem associate; +term_pty(container_file_t) +logging_log_file(container_file_t) +tunable_policy(`virt_sandbox_use_sys_admin',` + allow container_t self:capability sys_admin; + allow container_t self:cap_userns sys_admin; +') + 
+allow container_domain self:cap_userns sys_admin; +allow container_domain self:process { getsession execstack execmem }; + +corenet_unconfined(container_t) + +optional_policy(` + virt_default_capabilities(container_t) +') +kernel_rw_rpc_sysctls(container_domain) +kernel_rw_net_sysctls(container_domain) +kernel_read_messages(container_t) +kernel_read_network_state(container_domain) +kernel_dontaudit_write_proc_files(container_domain) + +# Container Net Domain +corenet_tcp_bind_generic_node(container_net_domain) +corenet_udp_bind_generic_node(container_net_domain) +corenet_raw_bind_generic_node(container_net_domain) +corenet_tcp_sendrecv_all_ports(container_net_domain) +corenet_udp_sendrecv_all_ports(container_net_domain) +corenet_udp_bind_all_ports(container_net_domain) +corenet_tcp_bind_all_ports(container_net_domain) +corenet_tcp_connect_all_ports(container_net_domain) + +allow container_net_domain self:udp_socket create_socket_perms; +allow container_net_domain self:tcp_socket create_stream_socket_perms; +allow container_net_domain self:tun_socket create_socket_perms; +allow container_net_domain self:netlink_route_socket create_netlink_socket_perms; +allow container_net_domain self:sctp_socket listen; +allow container_net_domain self:packet_socket create_socket_perms; +allow container_net_domain self:socket create_socket_perms; +allow container_net_domain self:rawip_socket create_stream_socket_perms; +allow container_net_domain self:netlink_kobject_uevent_socket create_socket_perms; +allow container_net_domain self:netlink_xfrm_socket create_netlink_socket_perms; + + +kernel_unlabeled_domtrans(container_runtime_domain, spc_t) +kernel_unlabeled_entry_type(spc_t) +allow container_runtime_domain unlabeled_t:key manage_key_perms; +#kernel_dontaudit_write_usermodehelper_state(container_t) +gen_require(` + type usermodehelper_t; +') +dontaudit container_domain usermodehelper_t:file write; + +fs_read_cgroup_files(container_domain) +fs_list_cgroup_dirs(container_domain) 
+ +sysnet_read_config(container_domain) + +allow container_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; + +optional_policy(` + gssproxy_stream_connect(container_domain) +') + +optional_policy(` + rpm_read_cache(container_domain) + rpm_read_db(container_domain) + rpm_transition_script(spc_t, system_r) +') + +optional_policy(` + sssd_stream_connect(container_domain) +') + +optional_policy(` + systemd_dbus_chat_logind(container_domain) +') + +tunable_policy(`container_manage_cgroup',` + fs_manage_cgroup_dirs(container_domain) + fs_manage_cgroup_files(container_domain) +') + +fs_manage_fusefs_named_sockets(container_domain) +fs_manage_fusefs_named_pipes(container_domain) +fs_manage_fusefs_dirs(container_domain) +fs_manage_fusefs_files(container_domain) +fs_manage_fusefs_symlinks(container_domain) +fs_manage_fusefs_named_sockets(container_domain) +fs_manage_fusefs_named_pipes(container_domain) +fs_exec_fusefs_files(container_domain) +fs_mount_xattr_fs(container_domain) +fs_unmount_xattr_fs(container_domain) +fs_remount_xattr_fs(container_domain) +fs_mount_fusefs(container_domain) +fs_unmount_fusefs(container_domain) +fs_mounton_fusefs(container_domain) +storage_rw_fuse(container_domain) +allow container_domain fusefs_t:file { mounton execmod }; +allow container_domain fusefs_t:filesystem remount; + +tunable_policy(`virt_sandbox_use_netlink',` + allow container_domain self:netlink_socket create_socket_perms; + allow container_domain self:netlink_tcpdiag_socket create_netlink_socket_perms; + allow container_domain self:netlink_kobject_uevent_socket create_socket_perms; +', ` + logging_dontaudit_send_audit_msgs(container_domain) +') + +tunable_policy(`virt_sandbox_use_audit',` + logging_send_audit_msgs(container_t) +') + +optional_policy(` + gen_require(` + type sysctl_kernel_ns_last_pid_t; + ') + + kernel_search_network_sysctl(container_domain) + allow container_domain 
sysctl_kernel_ns_last_pid_t:file rw_file_perms; + allow container_domain sysctl_kernel_ns_last_pid_t:dir list_dir_perms; +') + +tunable_policy(`virt_sandbox_use_all_caps',` + allow container_domain self:capability ~{ sys_module }; + allow container_domain self:capability2 ~{ mac_override mac_admin }; + allow container_domain self:cap_userns ~{ sys_module }; + allow container_domain self:cap2_userns ~{ mac_override mac_admin }; +') + +tunable_policy(`virt_sandbox_use_mknod',` + allow container_domain self:capability mknod; + allow container_domain self:cap_userns mknod; +') + +optional_policy(` + gen_require(` + role unconfined_r; + type unconfined_service_t; + type unconfined_service_exec_t; + ') + + virt_transition_svirt_sandbox(unconfined_service_t, system_r) + container_filetrans_named_content(unconfined_service_t) + container_runtime_domtrans(unconfined_service_t) + role_transition unconfined_r unconfined_service_exec_t system_r; + allow container_runtime_domain unconfined_service_t:fifo_file setattr; + allow unconfined_service_t container_domain:process dyntransition; + allow unconfined_service_t unlabeled_t:key manage_key_perms; +') + +optional_policy(` + gen_require(` + attribute unconfined_domain_type; + ') + + container_filetrans_named_content(unconfined_domain_type) + allow unconfined_domain_type container_domain:process2 { nnp_transition nosuid_transition }; + allow unconfined_domain_type unlabeled_t:key manage_key_perms; +') + +# +# container_userns_t policy +# +container_domain_template(container_userns, container) + +typeattribute container_userns_t sandbox_net_domain, container_user_domain; +dev_mount_sysfs_fs(container_userns_t) +dev_mounton_sysfs(container_userns_t) + +fs_mount_tmpfs(container_userns_t) +fs_relabelfrom_tmpfs(container_userns_t) +fs_remount_cgroup(container_userns_t) + +kernel_mount_proc(container_userns_t) +kernel_mounton_proc(container_userns_t) + +term_use_generic_ptys(container_userns_t) 
+term_setattr_generic_ptys(container_userns_t) +term_mount_pty_fs(container_userns_t) + +allow container_userns_t self:capability ~{ sys_module }; +allow container_userns_t self:capability2 ~{ mac_override mac_admin }; +allow container_userns_t self:cap_userns ~{ sys_module }; +allow container_userns_t self:cap2_userns ~{ mac_override mac_admin }; +allow container_userns_t self:capability mknod; +allow container_userns_t self:cap_userns mknod; + +optional_policy(` + gen_require(` + type proc_t, proc_kcore_t; + type sysctl_t, sysctl_irq_t; + ') + + allow container_userns_t proc_t:filesystem { remount }; + allow container_userns_t proc_kcore_t:file mounton; + allow container_userns_t sysctl_irq_t:dir mounton; + allow container_userns_t sysctl_t:dir mounton; + allow container_userns_t sysctl_t:file mounton; +') + + +tunable_policy(`virt_sandbox_use_sys_admin',` + allow container_userns_t self:capability sys_admin; + allow container_userns_t self:cap_userns sys_admin; +') + +# Container Logreader +container_domain_template(container_logreader, container) +typeattribute container_logreader_t container_net_domain; +logging_read_all_logs(container_logreader_t) +# Remove once https://github.com/fedora-selinux/selinux-policy/pull/898 merges +allow container_logreader_t logfile:lnk_file read_lnk_file_perms; +logging_read_audit_log(container_logreader_t) +logging_list_logs(container_logreader_t) + +# Container Logwriter +container_domain_template(container_logwriter, container) +typeattribute container_logwriter_t container_net_domain; +logging_read_all_logs(container_logwriter_t) +manage_files_pattern(container_logwriter_t, logfile, logfile) +manage_dirs_pattern(container_logwriter_t, logfile, logfile) +manage_lnk_files_pattern(container_logwriter_t, logfile, logfile) +logging_manage_audit_log(container_logwriter_t) + +optional_policy(` + gen_require(` + type sysadm_t, staff_t, user_t; + role sysadm_r, staff_r, user_r; + attribute userdomain; + ') + + can_exec(userdomain, 
container_runtime_exec_t) + container_manage_files(userdomain) + container_manage_share_dirs(userdomain) + container_manage_share_files(userdomain) + + allow userdomain conmon_exec_t:file entrypoint; + container_runtime_run(sysadm_t, sysadm_r) + role sysadm_r types container_domain; + role sysadm_r types spc_t; + + container_runtime_run(staff_t, staff_r) + role staff_r types container_user_domain; + + allow userdomain self:cap_userns ~{ sys_module }; + container_read_state(userdomain) + allow userdomain container_runtime_t:process { noatsecure rlimitinh siginh }; + container_runtime_run(user_t, user_r) + role user_r types container_user_domain; + + staff_role_change_to(system_r) + + allow staff_t container_runtime_t:process signal_perms; + allow staff_t container_domain:process signal_perms; + allow container_domain userdomain:socket_class_set { accept ioctl read getattr lock write append getopt shutdown setopt }; +') + +gen_require(` + type init_t; +') +container_manage_lib_files(init_t) +container_manage_lib_dirs(init_t) +container_manage_share_files(init_t) +container_manage_share_dirs(init_t) +container_filetrans_named_content(init_t) +container_runtime_read_tmpfs_files(init_t) + +gen_require(` + attribute device_node; + type device_t; + attribute sysctl_type; +') +dontaudit container_domain device_node:chr_file setattr; +dontaudit container_domain sysctl_type:file write; +allow container_domain init_t:unix_stream_socket { accept ioctl read getattr lock write append getopt }; + +allow container_t proc_t:filesystem remount; + +# Container kvm - Policy for running kata containers +container_domain_template(container_kvm, container) +typeattribute container_kvm_t container_net_domain, container_user_domain; + +type container_kvm_var_run_t; +files_pid_file(container_kvm_var_run_t) +filetrans_pattern(container_kvm_t, container_var_run_t, container_kvm_var_run_t, {file sock_file dir}) +filetrans_pattern(container_runtime_t, container_var_run_t, 
container_kvm_var_run_t, dir, "kata-containers") + +manage_dirs_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t) +manage_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t) +manage_fifo_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t) +manage_sock_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t) +manage_lnk_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t) +files_pid_filetrans(container_kvm_t, container_kvm_var_run_t, { dir file lnk_file sock_file }) +files_pid_filetrans(container_kvm_t, container_kvm_var_run_t, { dir file lnk_file sock_file }) +allow container_kvm_t container_kvm_var_run_t:{file dir} mounton; + +allow container_kvm_t container_runtime_t:unix_stream_socket rw_stream_socket_perms; + +container_stream_connect(container_kvm_t) + +allow container_kvm_t container_runtime_t:tun_socket attach_queue; + +dev_rw_inherited_vhost(container_kvm_t) +dev_rw_vfio_dev(container_kvm_t) + +corenet_rw_inherited_tun_tap_dev(container_kvm_t) +corecmd_exec_shell(container_kvm_t) +corecmd_exec_bin(container_kvm_t) +corecmd_bin_entry_type(container_kvm_t) + +# virtiofs causes these AVC messages. 
+kernel_mount_proc(container_kvm_t) +kernel_mounton_proc(container_kvm_t) +kernel_unmount_proc(container_kvm_t) +kernel_dgram_send(container_kvm_t) +files_mounton_rootfs(container_kvm_t) + +auth_read_passwd(container_kvm_t) +logging_send_syslog_msg(container_kvm_t) + +optional_policy(` + qemu_entry_type(container_kvm_t) + qemu_exec(container_kvm_t) +') + +manage_sock_files_pattern(container_kvm_t, container_file_t, container_file_t) + +dev_rw_kvm(container_kvm_t) + +sssd_read_public_files(container_kvm_t) + +# Container init - Policy for running systemd based containers +container_domain_template(container_init, container) +typeattribute container_init_t container_init_domain, container_net_domain, container_user_domain; + +corenet_unconfined(container_init_t) + +allow container_init_t device_t:filesystem { remount unmount }; + +dev_mounton_sysfs(container_init_domain) + +fs_manage_cgroup_dirs(container_init_domain) +fs_manage_cgroup_files(container_init_domain) +fs_mounton_cgroup(container_init_domain) +fs_unmount_cgroup(container_init_domain) +fs_unmount_tmpfs(container_init_domain) + +kernel_mounton_proc(container_init_t) +kernel_unmount_proc(container_init_t) + +logging_send_syslog_msg(container_init_t) + +allow container_init_domain proc_t:filesystem remount; + +optional_policy(` + virt_default_capabilities(container_init_t) +') + +tunable_policy(`container_use_devices',` + allow container_domain device_node:chr_file rw_chr_file_perms; + allow container_domain device_node:blk_file rw_blk_file_perms; +') + +tunable_policy(`virt_sandbox_use_sys_admin',` + allow container_init_t self:capability sys_admin; + allow container_init_t self:cap_userns sys_admin; +') + +allow container_init_domain self:netlink_audit_socket nlmsg_relay; + +# container_engine_t is for running a container engine within a container +# +container_domain_template(container_engine, container) +typeattribute container_engine_t container_net_domain; + +fs_mounton_cgroup(container_engine_t) 
+fs_unmount_cgroup(container_engine_t) +fs_manage_cgroup_dirs(container_engine_t) +fs_manage_cgroup_files(container_engine_t) +fs_mount_tmpfs(container_engine_t) +fs_write_cgroup_files(container_engine_t) + +allow container_engine_t proc_t:file mounton; +allow container_engine_t sysctl_t:file mounton; +allow container_engine_t sysfs_t:filesystem remount; + +kernel_mount_proc(container_engine_t) +kernel_mounton_core_if(container_engine_t) +kernel_mounton_proc(container_engine_t) +kernel_mounton_systemd_ProtectKernelTunables(container_engine_t) + +term_mount_pty_fs(container_engine_t) + +type kubelet_t, container_runtime_domain; +domain_type(kubelet_t) + +optional_policy(` + gen_require(` + role unconfined_r; + ') + role unconfined_r types kubelet_t; + unconfined_domain(kubelet_t) +') + + +type kubelet_exec_t; +application_executable_file(kubelet_exec_t) +can_exec(container_runtime_t, kubelet_exec_t) +allow kubelet_t kubelet_exec_t:file entrypoint; + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mcs_systemhigh) +') + +ifdef(`enable_mls',` + init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mls_systemhigh) +') +mls_trusted_object(kubelet_t) + +init_daemon_domain(kubelet_t, kubelet_exec_t) + +admin_pattern(kubelet_t, kubernetes_file_t) + +optional_policy(` + gen_require(` + type sysadm_t; + role sysadm_r; + attribute userdomain; + role unconfined_r; + ') + + container_kubelet_run(sysadm_t, sysadm_r) + + unconfined_run_to(kubelet_t, kubelet_exec_t) + role_transition unconfined_r kubelet_exec_t system_r; +') + +# Standard container which needs to be allowed to use any device +container_domain_template(container_device, container) +allow container_device_t device_node:chr_file rw_chr_file_perms; + +# Standard container which needs to be allowed to use any device and +# communicate with kubelet +container_domain_template(container_device_plugin, container) +allow container_device_plugin_t device_node:chr_file rw_chr_file_perms; 
+dev_rw_sysfs(container_device_plugin_t)
+container_kubelet_stream_connect(container_device_plugin_t)
+
+# Standard container which needs to be allowed to use any device and
+# modify kubelet configuration
+container_domain_template(container_device_plugin_init, container)
+allow container_device_plugin_init_t device_node:chr_file rw_chr_file_perms;
+dev_rw_sysfs(container_device_plugin_init_t)
+manage_dirs_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
+manage_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
+manage_lnk_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
+
+optional_policy(`
+ gen_require(`
+ type syslogd_t;
+ ')
+
+ allow syslogd_t container_runtime_tmpfs_t:file { read write };
+ logging_send_syslog_msg(container_runtime_t)
+')
diff --git a/selinux-policy-20230214.tar.xz b/selinux-policy-20230214.tar.xz
deleted file mode 100644
index a99d60c..0000000
--- a/selinux-policy-20230214.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9693ed2c5547a04fe58227ee5f6db761b68cc2f4c7267492220e33678788a83f
-size 752564
diff --git a/selinux-policy-20230316.tar.xz b/selinux-policy-20230316.tar.xz
new file mode 100644
index 0000000..f813276
--- /dev/null
+++ b/selinux-policy-20230316.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4b5384b23b8bf5fe9cbd1b3da67c54a08c99b029b65b2005f345951b8763fd8a
+size 752624
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 2656fda..f2414e7 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,31 @@ +------------------------------------------------------------------- +Thu Mar 16 15:43:19 UTC 2023 - jsegitz@suse.com + +- Update to version 20230316: + * prevent labeling of overlayfs filesystems based on the /var/lib/overlay + path + * allow kernel_t to relabel etc_t files + * allow kernel_t to relabel sysnet config files + * allow kernel_t to relabel systemd hwdb etc files + * add systemd_hwdb_relabel_etc_files to allow labeling of hwdb files + * change sysnet_relabelto_net_conf and sysnet_relabelfrom_net_conf to apply + to files and lnk_files. lnk_files are commonly used in SUSE to allow easy + management of config files + * add files_relabel_etc_files_basic and files_relabel_etc_lnk_files_basic + interfaces to allow labeling on etc_t, not on the broader configfiles + attribute + * Allow systemd-timesyncd to bind to generic UDP ports (bsc#1207962). The + watch permissions reported are already fixed in a current policy. +- Reinstate update.sh and remove container-selinux from the service. + Having both repos in there causes issues and update.sh makes the update + process easier in general + +------------------------------------------------------------------- +Tue Mar 7 08:49:05 UTC 2023 - Johannes Segitz + +- Remove erroneous SUSE man page. Will not be created with the + 3.5 toolchain + ------------------------------------------------------------------- Tue Feb 14 21:41:54 UTC 2023 - Hu diff --git a/selinux-policy.spec b/selinux-policy.spec index 06ff334..3f3482d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -33,11 +33,13 @@ Summary: SELinux policy configuration
 License: GPL-2.0-or-later
 Group: System/Management
 Name: selinux-policy
-Version: 20230214
+Version: 20230316
 Release: 0
 Source0: %{name}-%{version}.tar.xz
-Source1: container-selinux-%{version}.tar.xz
-Source2: selinux-policy-rpmlintrc
+Source1: container.fc
+Source2: container.te
+Source3: container.if
+Source4: selinux-policy-rpmlintrc
 Source10: modules-targeted-base.conf
 Source11: modules-targeted-contrib.conf
@@ -338,9 +340,9 @@ exit 0
 # dirty hack for container-selinux, because selinux-policy won't build without it
 # upstream does not want to include it in main policy tree:
 # see discussion in https://github.com/containers/container-selinux/issues/186
-%setup -T -D -b 1
-cp ../container-selinux-%{version}/container.* policy/modules/services/
-rm -rf ../container-selinux-%{version}
+for i in %{SOURCE1} %{SOURCE2} %{SOURCE3}; do
+ cp $i policy/modules/services/
+done
 %build
diff --git a/update.sh b/update.sh
new file mode 100644
index 0000000..823357d
--- /dev/null
+++ b/update.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+date=$(date '+%Y%m%d')
+base_name_pattern='selinux-policy-*.tar.xz'
+
+echo Update to $date
+
+old_tar_file=$(ls -1 $base_name_pattern)
+
+osc service manualrun
+
+rm -rf container-selinux
+git clone --depth 1 https://github.com/containers/container-selinux.git
+rm -f container.*
+mv container-selinux/container.* .
+rm -rf container-selinux
+
+# delete old files. Might need a better sanity check
+tar_cnt=$(ls -1 $base_name_pattern | wc -l)
+if [ $tar_cnt -gt 1 ]; then
+ echo delte old file $old_tar_file
+ rm "$old_tar_file"
+ osc addremove
+fi
+
+osc status
+
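Review bot: The new `%prep` loop in the second selinux-policy.spec hunk copies `$i` unquoted and without `--`, and it is a loop around what is really one command; the `%{SOURCEn}` macros expand to absolute paths in the build environment, so this works, but `cp -p -- %{SOURCE1} %{SOURCE2} %{SOURCE3} policy/modules/services/` says the same thing in one line and keeps the modes of the vendored files. The three context comment lines above it still describe the old tarball workaround; since container.fc/.te/.if are now plain sources refreshed by update.sh, the comment should say so, e.g. `# container.{fc,te,if} are vendored copies of containers/container-selinux, refreshed by update.sh`. The enclosing %prep section starts before and ends after this hunk.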
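Review bot: update.sh has no `set -e`, so if the `git clone` line fails (network error, unreachable GitHub) the script still runs `rm -f container.*` and then `mv container-selinux/container.* .`, which deletes the vendored container.fc/.te/.if that the spec now copies in %prep and leaves only an mv error behind. The clone also takes whatever the upstream default branch currently points at and records nothing about it, so after this change the origin of the vendored policy files can no longer be traced (the removed `_service` entry at least had a revision tracked in `_servicedata`); printing the checked-out commit so it can go into the changes entry would restore that. Smaller points: `old_tar_file=$(ls -1 $base_name_pattern)` parses `ls` and becomes a newline-joined list when more than one tarball is already present, in which case `rm "$old_tar_file"` fails, and `echo delte old file` is a typo for `delete`. A minimal version of the fetch part with the guards added is below.
```sh
#!/bin/sh
set -eu
# … unchanged: date, base_name_pattern, echo, old_tar_file, osc service manualrun …
rm -rf container-selinux
git clone --depth 1 https://github.com/containers/container-selinux.git
container_rev=$(git -C container-selinux rev-parse HEAD)
printf 'container-selinux revision: %s\n' "$container_rev"
rm -f container.*
mv container-selinux/container.* .
rm -rf container-selinux
# … unchanged: old tarball cleanup, osc status …
```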