Hu
9dc19e60e0
- Enable sap module - Add equivalency in file_contexts.subs_dist * /bin /usr/bin * /sbin /usr/bin * /usr/sbin /usr/bin - Update to version 20240710: * Change fc in rebootmgr module for /sbin -> /usr/bin * Change fc in rpm module for /sbin -> /usr/bin * Change fc in rsync module for /sbin -> /usr/bin * Change fc in wicked module for /sbin -> /usr/bin * Confine libvirt-dbus * Allow virtqemud the kill capability in user namespace * Allow rshim get options of the netlink class for KOBJECT_UEVENT family * Allow dhcpcd the kill capability * Allow systemd-networkd list /var/lib/systemd/network * Allow sysadm_t run systemd-nsresourced bpf programs * Update policy for systemd generators interactions * Allow create memory.pressure files with cgroup_memory_pressure_t * Add support for libvirt hooks * Allow certmonger read and write tpm devices * Allow all domains to connect to systemd-nsresourced over a unix socket * Allow systemd-machined read the vsock device * Update policy for systemd generators * Allow ptp4l_t request that the kernel load a kernel module * Allow sbd to trace processes in user namespace * Allow request-key execute scripts * Update policy for haproxyd * Update policy for systemd-nsresourced * Correct sbin-related file context entries * Allow login_userdomain execute systemd-tmpfiles in the caller domain * Allow virt_driver_domain read files labeled unconfined_t * Allow virt_driver_domain dbus chat with policykit * Allow virtqemud manage nfs files when virt_use_nfs boolean is on * Add rules for interactions between generators * Label memory.pressure files with cgroup_memory_pressure_t * Revert "Allow some systemd services write to cgroup files" * Update policy for systemd-nsresourced * Label /usr/bin/ntfsck with fsadm_exec_t * Allow systemd_fstab_generator_t read tmpfs files * Update policy for systemd-nsresourced * Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin * Remove a few lines duplicated between {dkim,milter}.fc * Alias /bin → /usr/bin and remove redundant paths * Drop duplicate line for /usr/sbin/unix_chkpwd * Drop duplicate paths for /usr/sbin * Update systemd-generator policy * Remove permissive domain for bootupd_t * Remove permissive domain for coreos_installer_t * Remove permissive domain for afterburn_t * Add the sap module to modules.conf * Move unconfined_domain(sap_unconfined_t) to an optional block * Create the sap module * Allow systemd-coredumpd sys_admin and sys_resource capabilities * Allow systemd-coredump read nsfs files * Allow generators auto file transition only for plain files * Allow systemd-hwdb write to the kernel messages device * Escape "interface" as a file name in a virt filetrans pattern * Allow gnome-software work for login_userdomain * Allow systemd-machined manage runtime sockets * Revert "Allow systemd-machined manage runtime sockets" * Allow postfix_domain connect to postgresql over a unix socket * Dontaudit systemd-coredump sys_admin capability - Update container-selinux OBS-URL: https://build.opensuse.org/request/show/1186574 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=233
1603 lines
61 KiB
Plaintext
1603 lines
61 KiB
Plaintext
policy_module(container, 2.232.1)
|
|
|
|
gen_require(`
|
|
class passwd rootok;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether container can
|
|
## connect to all TCP ports.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(container_connect_any, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow all container domains to read cert files and directories
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(container_read_certs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether sshd can launch container engines
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(sshd_launch_containers, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow containers to use any device volume mounted into container
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(container_use_devices, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(container_use_xserver_devices, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow containers to use any dri device volume mounted into container
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(container_use_dri_devices, true)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow sandbox containers to manage cgroup (systemd)
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(container_manage_cgroup, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether container can
|
|
## use ceph file system
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(container_use_cephfs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether container can
|
|
## use ecrypt file system
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(container_use_ecryptfs, false)
|
|
|
|
attribute container_runtime_domain;
|
|
container_runtime_domain_template(container_runtime)
|
|
typealias container_runtime_t alias docker_t;
|
|
|
|
type container_runtime_exec_t alias docker_exec_t;
|
|
can_exec(container_runtime_t,container_runtime_exec_t)
|
|
attribute container_domain;
|
|
attribute container_user_domain;
|
|
attribute container_net_domain;
|
|
attribute container_init_domain;
|
|
attribute container_file_type;
|
|
allow container_runtime_domain container_domain:process { dyntransition transition };
|
|
allow container_domain container_runtime_domain:process sigchld;
|
|
allow container_runtime_domain container_domain:process2 { nnp_transition nosuid_transition };
|
|
dontaudit container_runtime_domain container_domain:process { noatsecure rlimitinh siginh };
|
|
|
|
type conmon_exec_t;
|
|
application_executable_file(conmon_exec_t)
|
|
can_exec(container_runtime_t, conmon_exec_t)
|
|
allow container_runtime_domain conmon_exec_t:file entrypoint;
|
|
ifdef(`enable_mcs',`
|
|
range_transition container_runtime_t conmon_exec_t:process s0;
|
|
')
|
|
ifdef(`enable_mls',`
|
|
range_transition container_runtime_t conmon_exec_t:process s0;
|
|
')
|
|
|
|
type spc_t;
|
|
domain_type(spc_t)
|
|
role system_r types spc_t;
|
|
|
|
type container_auth_t alias docker_auth_t;
|
|
type container_auth_exec_t alias docker_auth_exec_t;
|
|
init_daemon_domain(container_auth_t, container_auth_exec_t)
|
|
|
|
type spc_var_run_t;
|
|
files_pid_file(spc_var_run_t)
|
|
|
|
type kubernetes_file_t;
|
|
files_config_file(kubernetes_file_t)
|
|
|
|
type container_var_lib_t alias docker_var_lib_t;
|
|
files_type(container_var_lib_t)
|
|
|
|
type container_home_t alias docker_home_t;
|
|
userdom_user_home_content(container_home_t)
|
|
|
|
type container_config_t alias docker_config_t;
|
|
files_config_file(container_config_t)
|
|
|
|
type container_lock_t alias docker_lock_t;
|
|
files_lock_file(container_lock_t)
|
|
|
|
type container_log_t alias docker_log_t;
|
|
logging_log_file(container_log_t)
|
|
|
|
type container_runtime_tmp_t alias docker_tmp_t;
|
|
files_tmp_file(container_runtime_tmp_t)
|
|
|
|
type container_runtime_tmpfs_t alias docker_tmpfs_t;
|
|
files_tmpfs_file(container_runtime_tmpfs_t)
|
|
|
|
type container_var_run_t alias docker_var_run_t;
|
|
files_pid_file(container_var_run_t)
|
|
|
|
type container_plugin_var_run_t alias docker_plugin_var_run_t;
|
|
files_pid_file(container_plugin_var_run_t)
|
|
|
|
type container_unit_file_t alias docker_unit_file_t;
|
|
systemd_unit_file(container_unit_file_t)
|
|
|
|
type container_devpts_t alias docker_devpts_t;
|
|
term_pty(container_devpts_t)
|
|
|
|
typealias container_ro_file_t alias { container_share_t docker_share_t };
|
|
typeattribute container_ro_file_t container_file_type, user_home_type;
|
|
files_mountpoint(container_ro_file_t)
|
|
userdom_user_home_content(container_ro_file_t)
|
|
|
|
type container_port_t alias docker_port_t;
|
|
corenet_port(container_port_t)
|
|
|
|
init_daemon_domain(container_runtime_t, container_runtime_exec_t)
|
|
#ifdef(`enable_mcs',`
|
|
# init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mcs_systemhigh)
|
|
#')
|
|
|
|
ifdef(`enable_mls',`
|
|
init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mls_systemhigh)
|
|
')
|
|
mls_trusted_object(container_runtime_t)
|
|
|
|
|
|
########################################
|
|
#
|
|
# container local policy
|
|
#
|
|
allow container_runtime_domain self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap sys_resource };
|
|
allow container_runtime_domain self:tun_socket { create_socket_perms relabelto };
|
|
allow container_runtime_domain self:process ~setcurrent;
|
|
allow container_runtime_domain self:passwd rootok;
|
|
allow container_runtime_domain self:fd use;
|
|
allow container_runtime_domain self:dir mounton;
|
|
allow container_runtime_domain self:file mounton;
|
|
|
|
allow container_runtime_domain self:fifo_file rw_fifo_file_perms;
|
|
allow container_runtime_domain self:fifo_file manage_file_perms;
|
|
allow container_runtime_domain self:msg all_msg_perms;
|
|
allow container_runtime_domain self:sem create_sem_perms;
|
|
allow container_runtime_domain self:shm create_shm_perms;
|
|
allow container_runtime_domain self:msgq create_msgq_perms;
|
|
allow container_runtime_domain self:unix_stream_socket create_stream_socket_perms;
|
|
allow container_runtime_domain self:tcp_socket create_stream_socket_perms;
|
|
allow container_runtime_domain self:udp_socket create_socket_perms;
|
|
allow container_runtime_domain self:capability2 block_suspend;
|
|
allow container_runtime_domain container_port_t:tcp_socket name_bind;
|
|
allow container_runtime_domain port_t:icmp_socket name_bind;
|
|
allow container_runtime_domain self:filesystem associate;
|
|
allow container_runtime_domain self:packet_socket create_socket_perms;
|
|
allow container_runtime_domain self:socket create_socket_perms;
|
|
allow container_runtime_domain self:rawip_socket create_stream_socket_perms;
|
|
allow container_runtime_domain self:netlink_netfilter_socket create_socket_perms;
|
|
allow container_runtime_domain self:netlink_kobject_uevent_socket create_socket_perms;
|
|
allow container_runtime_domain self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
|
allow container_runtime_domain self:netlink_socket create_socket_perms;
|
|
|
|
corenet_tcp_bind_generic_node(container_runtime_domain)
|
|
corenet_udp_bind_generic_node(container_runtime_domain)
|
|
corenet_raw_bind_generic_node(container_runtime_domain)
|
|
corenet_tcp_sendrecv_all_ports(container_runtime_domain)
|
|
corenet_udp_sendrecv_all_ports(container_runtime_domain)
|
|
corenet_udp_bind_all_ports(container_runtime_domain)
|
|
corenet_tcp_bind_all_ports(container_runtime_domain)
|
|
corenet_tcp_connect_all_ports(container_runtime_domain)
|
|
corenet_sctp_bind_all_ports(container_net_domain)
|
|
corenet_sctp_connect_all_ports(container_net_domain)
|
|
corenet_rw_tun_tap_dev(container_runtime_domain)
|
|
|
|
container_auth_stream_connect(container_runtime_domain)
|
|
|
|
manage_files_pattern(container_runtime_domain, container_file_type, container_file_type)
|
|
manage_lnk_files_pattern(container_runtime_domain, container_file_type, container_file_type)
|
|
manage_blk_files_pattern(container_runtime_domain, container_file_type, container_file_type)
|
|
allow container_runtime_domain container_domain:key manage_key_perms;
|
|
manage_sock_files_pattern(container_runtime_domain, container_file_type, container_file_type)
|
|
allow container_runtime_domain container_file_type:dir_file_class_set {relabelfrom relabelto execmod};
|
|
allow container_runtime_domain container_file_type:dir_file_class_set mmap_file_perms;
|
|
|
|
manage_files_pattern(container_runtime_domain, container_home_t, container_home_t)
|
|
manage_dirs_pattern(container_runtime_domain, container_home_t, container_home_t)
|
|
manage_lnk_files_pattern(container_runtime_domain, container_home_t, container_home_t)
|
|
userdom_admin_home_dir_filetrans(container_runtime_domain, container_home_t, dir, ".container")
|
|
userdom_manage_user_home_content(container_runtime_domain)
|
|
userdom_map_user_home_files(container_runtime_t)
|
|
|
|
manage_dirs_pattern(container_runtime_domain, container_config_t, container_config_t)
|
|
manage_files_pattern(container_runtime_domain, container_config_t, container_config_t)
|
|
files_etc_filetrans(container_runtime_domain, container_config_t, dir, "containers")
|
|
|
|
manage_dirs_pattern(container_runtime_domain, container_lock_t, container_lock_t)
|
|
manage_files_pattern(container_runtime_domain, container_lock_t, container_lock_t)
|
|
files_lock_filetrans(container_runtime_domain, container_lock_t, { dir file }, "lxc")
|
|
files_manage_generic_locks(container_runtime_domain)
|
|
|
|
manage_dirs_pattern(container_runtime_domain, container_log_t, container_log_t)
|
|
manage_files_pattern(container_runtime_domain, container_log_t, container_log_t)
|
|
manage_lnk_files_pattern(container_runtime_domain, container_log_t, container_log_t)
|
|
|
|
logging_read_syslog_pid(container_runtime_domain)
|
|
logging_log_filetrans(container_runtime_domain, container_log_t, { dir file lnk_file })
|
|
|
|
allow container_runtime_domain container_log_t:dir_file_class_set { relabelfrom relabelto };
|
|
filetrans_pattern(container_runtime_domain, container_var_lib_t, container_log_t, file, "container-json.log")
|
|
allow container_runtime_domain { container_var_lib_t container_ro_file_t }:file entrypoint;
|
|
|
|
manage_dirs_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
|
|
manage_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
|
|
manage_sock_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
|
|
manage_lnk_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
|
|
|
|
manage_dirs_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
|
|
manage_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
|
|
manage_lnk_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
|
|
manage_fifo_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
|
|
manage_chr_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
|
|
manage_blk_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
|
|
allow container_runtime_domain container_runtime_tmpfs_t:dir relabelfrom;
|
|
can_exec(container_runtime_domain, container_runtime_tmpfs_t)
|
|
fs_tmpfs_filetrans(container_runtime_domain, container_runtime_tmpfs_t, dir_file_class_set)
|
|
allow container_runtime_domain container_runtime_tmpfs_t:chr_file mounton;
|
|
|
|
manage_dirs_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
|
|
manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
|
|
manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
|
|
manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
|
|
manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
|
|
manage_sock_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
|
|
allow container_runtime_domain container_ro_file_t:dir_file_class_set { relabelfrom relabelto };
|
|
can_exec(container_runtime_domain, container_ro_file_t)
|
|
|
|
manage_dirs_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
|
|
manage_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
|
|
manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
|
|
manage_chr_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
|
|
manage_blk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
|
|
manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
|
|
|
|
manage_dirs_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
|
|
manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
|
|
manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
|
|
manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
|
|
manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
|
|
|
|
filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "init")
|
|
filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay")
|
|
filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay2")
|
|
filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "config.env")
|
|
filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "hostname")
|
|
filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "hosts")
|
|
|
|
#container_filetrans_named_content(container_runtime_domain)
|
|
|
|
manage_dirs_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
|
|
manage_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
|
|
manage_chr_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
|
|
manage_blk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
|
|
manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
|
|
manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
|
|
allow container_runtime_domain container_var_lib_t:dir_file_class_set { relabelfrom relabelto };
|
|
files_var_lib_filetrans(container_runtime_domain, container_var_lib_t, { dir file lnk_file })
|
|
files_var_filetrans(container_runtime_domain, container_var_lib_t, dir, "containers")
|
|
|
|
manage_dirs_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
|
|
manage_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
|
|
manage_fifo_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
|
|
manage_sock_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
|
|
manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
|
|
files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
|
|
files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
|
|
allow container_runtime_domain container_var_run_t:dir_file_class_set relabelfrom;
|
|
|
|
allow container_runtime_domain container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
|
|
term_create_pty(container_runtime_domain, container_devpts_t)
|
|
term_use_all_ttys(container_runtime_domain)
|
|
term_use_all_inherited_terms(container_runtime_domain)
|
|
|
|
mls_file_read_to_clearance(container_runtime_t)
|
|
mls_file_relabel_to_clearance(container_runtime_t)
|
|
mls_file_write_to_clearance(container_runtime_t)
|
|
mls_process_read_to_clearance(container_runtime_t)
|
|
mls_process_write_to_clearance(container_runtime_t)
|
|
mls_socket_read_to_clearance(container_runtime_t)
|
|
mls_socket_write_to_clearance(container_runtime_t)
|
|
mls_sysvipc_read_to_clearance(container_runtime_t)
|
|
mls_sysvipc_write_to_clearance(container_runtime_t)
|
|
|
|
kernel_read_network_state(container_runtime_domain)
|
|
kernel_read_all_sysctls(container_runtime_domain)
|
|
kernel_rw_net_sysctls(container_runtime_domain)
|
|
kernel_setsched(container_runtime_domain)
|
|
kernel_rw_all_sysctls(container_runtime_domain)
|
|
kernel_mounton_all_proc(container_runtime_domain)
|
|
fs_getattr_all_fs(container_runtime_domain)
|
|
|
|
domain_obj_id_change_exemption(container_runtime_t)
|
|
domain_subj_id_change_exemption(container_runtime_t)
|
|
domain_role_change_exemption(container_runtime_t)
|
|
domain_use_interactive_fds(container_runtime_domain)
|
|
domain_dontaudit_read_all_domains_state(container_runtime_domain)
|
|
domain_sigchld_all_domains(container_runtime_domain)
|
|
domain_use_interactive_fds(container_runtime_domain)
|
|
domain_read_all_domains_state(container_runtime_domain)
|
|
domain_getattr_all_domains(container_runtime_domain)
|
|
|
|
userdom_map_tmp_files(container_runtime_domain)
|
|
|
|
anaconda_domtrans_install(container_runtime_domain)
|
|
|
|
optional_policy(`
|
|
gnome_map_generic_data_home_files(container_runtime_domain)
|
|
allow container_runtime_domain data_home_t:dir { relabelfrom relabelto };
|
|
')
|
|
|
|
gen_require(`
|
|
attribute domain;
|
|
')
|
|
|
|
allow container_runtime_domain domain:fifo_file rw_fifo_file_perms;
|
|
allow container_runtime_domain domain:fd use;
|
|
|
|
corecmd_exec_bin(container_runtime_domain)
|
|
corecmd_exec_shell(container_runtime_domain)
|
|
corecmd_exec_all_executables(container_runtime_domain)
|
|
corecmd_bin_entry_type(container_runtime_domain)
|
|
corecmd_shell_entry_type(container_runtime_domain)
|
|
|
|
corenet_tcp_bind_generic_node(container_runtime_domain)
|
|
corenet_tcp_sendrecv_generic_if(container_runtime_domain)
|
|
corenet_tcp_sendrecv_generic_node(container_runtime_domain)
|
|
corenet_tcp_sendrecv_generic_port(container_runtime_domain)
|
|
corenet_tcp_bind_all_ports(container_runtime_domain)
|
|
corenet_tcp_connect_http_port(container_runtime_domain)
|
|
corenet_tcp_connect_commplex_main_port(container_runtime_domain)
|
|
corenet_udp_sendrecv_generic_if(container_runtime_domain)
|
|
corenet_udp_sendrecv_generic_node(container_runtime_domain)
|
|
corenet_udp_sendrecv_all_ports(container_runtime_domain)
|
|
corenet_udp_bind_generic_node(container_runtime_domain)
|
|
corenet_udp_bind_all_ports(container_runtime_domain)
|
|
|
|
files_read_kernel_modules(container_runtime_domain)
|
|
files_read_config_files(container_runtime_domain)
|
|
files_dontaudit_getattr_all_dirs(container_runtime_domain)
|
|
files_dontaudit_getattr_all_files(container_runtime_domain)
|
|
files_execmod_all_files(container_runtime_domain)
|
|
files_search_all(container_runtime_domain)
|
|
files_read_usr_symlinks(container_runtime_domain)
|
|
files_search_locks(container_runtime_domain)
|
|
files_dontaudit_unmount_all_mountpoints(container_runtime_domain)
|
|
|
|
fs_read_cgroup_files(container_runtime_domain)
|
|
fs_read_tmpfs_symlinks(container_runtime_domain)
|
|
fs_search_all(container_runtime_domain)
|
|
fs_getattr_all_fs(container_runtime_domain)
|
|
fs_rw_onload_sockets(container_runtime_domain)
|
|
|
|
auth_dontaudit_getattr_shadow(container_runtime_domain)
|
|
|
|
init_read_state(container_runtime_domain)
|
|
init_status(container_runtime_domain)
|
|
init_stop(container_runtime_domain)
|
|
init_start(container_runtime_domain)
|
|
init_manage_config_transient_files(container_runtime_domain)
|
|
|
|
logging_send_audit_msgs(container_runtime_domain)
|
|
|
|
miscfiles_read_localization(container_runtime_domain)
|
|
miscfiles_dontaudit_access_check_cert(container_runtime_domain)
|
|
miscfiles_dontaudit_setattr_fonts_cache_dirs(container_runtime_domain)
|
|
miscfiles_read_fonts(container_runtime_domain)
|
|
miscfiles_read_hwdata(container_runtime_domain)
|
|
fs_relabel_cgroup_dirs(container_runtime_domain)
|
|
# fs_relabel_cgroup_files(container_runtime_domain)
|
|
allow container_runtime_domain container_domain:file relabelfrom;
|
|
|
|
mount_domtrans(container_runtime_domain)
|
|
|
|
seutil_read_default_contexts(container_runtime_domain)
|
|
seutil_read_config(container_runtime_domain)
|
|
|
|
sysnet_dns_name_resolve(container_runtime_domain)
|
|
sysnet_exec_ifconfig(container_runtime_domain)
|
|
|
|
optional_policy(`
|
|
cron_system_entry(container_runtime_t, container_runtime_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ssh_use_ptys(container_runtime_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
rpm_exec(container_runtime_domain)
|
|
rpm_read_cache(container_runtime_domain)
|
|
rpm_read_db(container_runtime_domain)
|
|
rpm_exec(container_runtime_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
fstools_domtrans(container_runtime_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
role unconfined_r;
|
|
')
|
|
iptables_run(container_runtime_domain, unconfined_r)
|
|
|
|
container_read_pid_files(iptables_t)
|
|
container_read_state(iptables_t)
|
|
container_append_file(iptables_t)
|
|
allow iptables_t container_runtime_domain:fifo_file rw_fifo_file_perms;
|
|
allow iptables_t container_file_type:dir list_dir_perms;
|
|
')
|
|
|
|
optional_policy(`
|
|
openvswitch_stream_connect(container_runtime_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
attribute named_filetrans_domain;
|
|
')
|
|
container_filetrans_named_content(named_filetrans_domain)
|
|
')
|
|
|
|
#
|
|
# lxc rules
|
|
#
|
|
|
|
allow container_runtime_domain self:capability ~{ sys_module };
|
|
allow container_runtime_domain self:capability2 ~{ mac_override mac_admin };
|
|
allow container_runtime_domain self:cap_userns ~{ sys_module };
|
|
allow container_runtime_domain self:cap2_userns ~{ mac_override mac_admin };
|
|
|
|
allow container_runtime_domain self:process { getcap setcap setexec setpgid setsched signal_perms };
|
|
|
|
allow container_runtime_domain self:netlink_route_socket rw_netlink_socket_perms;;
|
|
allow container_runtime_domain self:netlink_xfrm_socket create_netlink_socket_perms;
|
|
allow container_runtime_domain self:netlink_audit_socket create_netlink_socket_perms;
|
|
allow container_runtime_domain self:unix_dgram_socket { create_socket_perms sendto };
|
|
allow container_runtime_domain self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
|
|
allow container_runtime_domain container_var_lib_t:dir mounton;
|
|
allow container_runtime_domain container_var_lib_t:chr_file mounton;
|
|
can_exec(container_runtime_domain, container_var_lib_t)
|
|
|
|
kernel_dontaudit_setsched(container_runtime_domain)
|
|
kernel_get_sysvipc_info(container_runtime_domain)
|
|
kernel_request_load_module(container_runtime_domain)
|
|
kernel_mounton_messages(container_runtime_domain)
|
|
kernel_mounton_all_proc(container_runtime_domain)
|
|
kernel_mounton_all_sysctls(container_runtime_domain)
|
|
kernel_list_all_proc(container_runtime_domain)
|
|
kernel_read_all_sysctls(container_runtime_domain)
|
|
kernel_rw_net_sysctls(container_runtime_domain)
|
|
kernel_rw_unix_sysctls(container_runtime_domain)
|
|
kernel_dontaudit_search_kernel_sysctl(container_runtime_domain)
|
|
kernel_dontaudit_access_check_proc(container_runtime_domain)
|
|
kernel_dontaudit_setattr_proc_files(container_runtime_domain)
|
|
kernel_dontaudit_setattr_proc_dirs(container_runtime_domain)
|
|
kernel_dontaudit_write_usermodehelper_state(container_runtime_domain)
|
|
|
|
dev_setattr_null_dev(container_runtime_t)
|
|
dev_getattr_all(container_runtime_domain)
|
|
dev_getattr_sysfs_fs(container_runtime_domain)
|
|
dev_read_rand(container_runtime_domain)
|
|
dev_read_urand(container_runtime_domain)
|
|
dev_read_lvm_control(container_runtime_domain)
|
|
dev_rw_sysfs(container_runtime_domain)
|
|
dev_rw_loop_control(container_runtime_domain)
|
|
dev_rw_lvm_control(container_runtime_domain)
|
|
dev_read_mtrr(container_runtime_domain)
|
|
|
|
userdom_map_user_home_files(container_runtime_t)
|
|
|
|
files_getattr_isid_type_dirs(container_runtime_domain)
|
|
files_manage_isid_type_dirs(container_runtime_domain)
|
|
files_manage_isid_type_files(container_runtime_domain)
|
|
files_manage_isid_type_symlinks(container_runtime_domain)
|
|
files_manage_isid_type_chr_files(container_runtime_domain)
|
|
files_manage_isid_type_blk_files(container_runtime_domain)
|
|
files_manage_etc_dirs(container_runtime_domain)
|
|
files_manage_etc_files(container_runtime_domain)
|
|
files_exec_isid_files(container_runtime_domain)
|
|
files_mounton_isid(container_runtime_domain)
|
|
files_mounton_non_security(container_runtime_domain)
|
|
files_mounton_isid_type_chr_file(container_runtime_domain)
|
|
|
|
files_mounton_isid(container_runtime_domain)
|
|
fs_getattr_all_fs(container_runtime_domain)
|
|
fs_list_hugetlbfs(container_runtime_domain)
|
|
fs_manage_cgroup_dirs(container_runtime_domain)
|
|
fs_manage_cgroup_files(container_runtime_domain)
|
|
fs_manage_hugetlbfs_files(container_runtime_domain)
|
|
fs_mount_all_fs(container_runtime_domain)
|
|
fs_read_tmpfs_symlinks(container_runtime_domain)
|
|
fs_read_tmpfs_symlinks(container_runtime_domain)
|
|
fs_relabelfrom_tmpfs(container_runtime_domain)
|
|
fs_relabelfrom_xattr_fs(container_runtime_domain)
|
|
fs_remount_all_fs(container_runtime_domain)
|
|
fs_rw_inherited_tmpfs_files(container_runtime_domain)
|
|
fs_rw_nsfs_files(container_runtime_domain)
|
|
fs_search_tmpfs(container_runtime_domain)
|
|
fs_set_xattr_fs_quotas(container_runtime_domain)
|
|
fs_unmount_all_fs(container_runtime_domain)
|
|
|
|
|
|
term_use_generic_ptys(container_runtime_domain)
|
|
term_use_ptmx(container_runtime_domain)
|
|
term_getattr_pty_fs(container_runtime_domain)
|
|
term_relabel_pty_fs(container_runtime_domain)
|
|
term_mounton_unallocated_ttys(container_runtime_domain)
|
|
|
|
modutils_domtrans_kmod(container_runtime_domain)
|
|
|
|
systemd_status_all_unit_files(container_runtime_domain)
|
|
systemd_start_systemd_services(container_runtime_domain)
|
|
systemd_dbus_chat_logind(container_runtime_domain)
|
|
systemd_chat_resolved(container_runtime_domain)
|
|
|
|
userdom_stream_connect(container_runtime_domain)
|
|
userdom_search_user_home_content(container_runtime_domain)
|
|
userdom_read_all_users_state(container_runtime_domain)
|
|
userdom_relabel_user_home_files(container_runtime_domain)
|
|
userdom_relabel_user_tmp_files(container_runtime_domain)
|
|
userdom_relabel_user_tmp_dirs(container_runtime_domain)
|
|
userdom_use_inherited_user_terminals(container_runtime_domain)
|
|
userdom_use_user_ptys(container_runtime_domain)
|
|
userdom_connectto_stream(container_runtime_domain)
|
|
allow container_domain init_t:socket_class_set { accept ioctl read getattr lock write append getopt };
|
|
|
|
tunable_policy(`virt_use_nfs',`
|
|
fs_manage_nfs_dirs(container_runtime_domain)
|
|
fs_manage_nfs_files(container_runtime_domain)
|
|
fs_manage_nfs_named_sockets(container_runtime_domain)
|
|
fs_manage_nfs_symlinks(container_runtime_domain)
|
|
fs_remount_nfs(container_runtime_domain)
|
|
fs_mount_nfs(container_runtime_domain)
|
|
fs_exec_nfs_files(container_runtime_domain)
|
|
kernel_rw_fs_sysctls(container_runtime_domain)
|
|
allow container_runtime_domain nfs_t:file execmod;
|
|
')
|
|
|
|
tunable_policy(`virt_use_samba',`
|
|
fs_manage_cifs_files(container_runtime_domain)
|
|
fs_manage_cifs_dirs(container_runtime_domain)
|
|
fs_manage_cifs_named_sockets(container_runtime_domain)
|
|
fs_manage_cifs_symlinks(container_runtime_domain)
|
|
fs_exec_cifs_files(container_runtime_domain)
|
|
allow container_runtime_domain cifs_t:file execmod;
|
|
|
|
fs_manage_cifs_files(container_domain)
|
|
fs_manage_cifs_dirs(container_domain)
|
|
fs_manage_cifs_named_sockets(container_domain)
|
|
fs_manage_cifs_symlinks(container_domain)
|
|
fs_exec_cifs_files(container_domain)
|
|
allow container_domain cifs_t:file execmod;
|
|
')
|
|
|
|
tunable_policy(`virt_use_nfs',`
|
|
fs_manage_nfs_dirs(container_domain)
|
|
fs_manage_nfs_files(container_domain)
|
|
fs_manage_nfs_named_sockets(container_domain)
|
|
fs_manage_nfs_symlinks(container_domain)
|
|
fs_mount_nfs(container_domain)
|
|
fs_unmount_nfs(container_domain)
|
|
fs_exec_nfs_files(container_domain)
|
|
allow container_domain nfs_t:file execmod;
|
|
')
|
|
|
|
gen_require(`
|
|
type cephfs_t;
|
|
')
|
|
|
|
tunable_policy(`container_use_cephfs',`
|
|
manage_files_pattern(container_domain, cephfs_t, cephfs_t)
|
|
manage_lnk_files_pattern(container_domain, cephfs_t, cephfs_t)
|
|
manage_dirs_pattern(container_domain, cephfs_t, cephfs_t)
|
|
exec_files_pattern(container_domain, cephfs_t, cephfs_t)
|
|
allow container_domain cephfs_t:file execmod;
|
|
')
|
|
|
|
tunable_policy(`container_read_certs',`
|
|
miscfiles_read_all_certs(container_domain)
|
|
')
|
|
|
|
gen_require(`
|
|
type ecryptfs_t;
|
|
')
|
|
|
|
tunable_policy(`container_use_ecryptfs',`
|
|
manage_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
|
|
manage_lnk_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
|
|
manage_dirs_pattern(container_domain, ecryptfs_t, ecryptfs_t)
|
|
exec_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
|
|
allow container_domain ecryptfs_t:file execmod;
|
|
')
|
|
|
|
fs_manage_fusefs_named_sockets(container_runtime_domain)
|
|
fs_manage_fusefs_dirs(container_runtime_domain)
|
|
fs_manage_fusefs_files(container_runtime_domain)
|
|
fs_manage_fusefs_symlinks(container_runtime_domain)
|
|
fs_mount_fusefs(container_runtime_domain)
|
|
fs_exec_fusefs_files(container_runtime_domain)
|
|
storage_rw_fuse(container_runtime_domain)
|
|
|
|
files_search_all(container_domain)
|
|
container_read_share_files(container_domain)
|
|
container_exec_share_files(container_domain)
|
|
allow container_domain container_ro_file_t:file execmod;
|
|
container_lib_filetrans(container_domain,container_file_t, sock_file)
|
|
container_use_ptys(container_domain)
|
|
container_spc_stream_connect(container_domain)
|
|
|
|
optional_policy(`
|
|
apache_exec_modules(container_runtime_domain)
|
|
apache_read_sys_content(container_runtime_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
gpm_getattr_gpmctl(container_runtime_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(container_runtime_domain)
|
|
dbus_session_bus_client(container_runtime_domain)
|
|
init_dbus_chat(container_runtime_domain)
|
|
init_start_transient_unit(container_runtime_domain)
|
|
|
|
optional_policy(`
|
|
systemd_dbus_chat_logind(container_runtime_domain)
|
|
systemd_dbus_chat_machined(container_runtime_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
dnsmasq_dbus_chat(container_runtime_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
firewalld_dbus_chat(container_runtime_domain)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
lvm_domtrans(container_runtime_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
type systemd_logind_t;
|
|
')
|
|
|
|
domtrans_pattern(systemd_logind_t, container_runtime_exec_t , container_runtime_t)
|
|
container_manage_dirs(systemd_logind_t)
|
|
container_manage_files(systemd_logind_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(container_runtime_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
role unconfined_r;
|
|
')
|
|
role unconfined_r types container_user_domain;
|
|
role unconfined_r types spc_t;
|
|
unconfined_domain(container_runtime_t)
|
|
unconfined_run_to(container_runtime_t, container_runtime_exec_t)
|
|
allow container_domain unconfined_domain_type:fifo_file { rw_fifo_file_perms map };
|
|
allow container_runtime_domain unconfined_t:fifo_file setattr;
|
|
allow unconfined_domain_type container_domain:process {transition dyntransition};
|
|
allow unconfined_t unlabeled_t:key manage_key_perms;
|
|
allow container_runtime_t unconfined_t:process transition;
|
|
allow unconfined_domain_type { container_var_lib_t container_ro_file_t }:file entrypoint;
|
|
fs_fusefs_entrypoint(unconfined_domain_type)
|
|
|
|
domtrans_pattern(unconfined_domain_type, container_runtime_exec_t , container_runtime_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
type virtd_lxc_t;
|
|
')
|
|
virt_read_config(container_runtime_domain)
|
|
virt_exec(container_runtime_domain)
|
|
virt_stream_connect(container_runtime_domain)
|
|
virt_stream_connect_sandbox(container_runtime_domain)
|
|
virt_exec_sandbox_files(container_runtime_domain)
|
|
virt_manage_sandbox_files(container_runtime_domain)
|
|
virt_relabel_sandbox_filesystem(container_runtime_domain)
|
|
# for lxc
|
|
virt_mounton_sandbox_file(container_runtime_domain)
|
|
# virt_attach_sandbox_tun_iface(container_runtime_domain)
|
|
allow container_runtime_domain container_domain:tun_socket relabelfrom;
|
|
virt_sandbox_entrypoint(container_runtime_domain)
|
|
allow container_runtime_domain virtd_lxc_t:unix_stream_socket { rw_stream_socket_perms connectto };
|
|
|
|
')
|
|
|
|
tunable_policy(`container_connect_any',`
|
|
corenet_tcp_connect_all_ports(container_runtime_domain)
|
|
corenet_sendrecv_all_packets(container_runtime_domain)
|
|
corenet_tcp_sendrecv_all_ports(container_runtime_domain)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# spc local policy
|
|
#
|
|
allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint;
|
|
role system_r types spc_t;
|
|
|
|
domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
|
|
domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
|
|
domtrans_pattern(container_runtime_domain, fusefs_t, spc_t)
|
|
fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file })
|
|
|
|
allow container_runtime_domain spc_t:process2 { nnp_transition nosuid_transition };
|
|
allow spc_t container_file_type:file execmod;
|
|
|
|
admin_pattern(spc_t, kubernetes_file_t)
|
|
|
|
allow spc_t container_runtime_domain:fifo_file manage_fifo_file_perms;
|
|
allow spc_t { container_ro_file_t container_file_t }:system module_load;
|
|
|
|
allow container_runtime_domain spc_t:process { dyntransition setsched signal_perms };
|
|
ps_process_pattern(container_runtime_domain, spc_t)
|
|
allow container_runtime_domain spc_t:socket_class_set { relabelto relabelfrom };
|
|
allow spc_t unlabeled_t:key manage_key_perms;
|
|
allow spc_t unlabeled_t:socket_class_set create_socket_perms;
|
|
fs_fusefs_entrypoint(spc_t)
|
|
corecmd_entrypoint_all_executables(spc_t)
|
|
|
|
init_dbus_chat(spc_t)
|
|
|
|
optional_policy(`
|
|
systemd_dbus_chat_machined(spc_t)
|
|
systemd_dbus_chat_logind(spc_t)
|
|
systemd_dbus_chat_timedated(spc_t)
|
|
systemd_dbus_chat_localed(spc_t)
|
|
')
|
|
|
|
domain_transition_all(spc_t)
|
|
|
|
anaconda_domtrans_install(spc_t)
|
|
|
|
optional_policy(`
|
|
dbus_chat_system_bus(spc_t)
|
|
dbus_chat_session_bus(spc_t)
|
|
dnsmasq_dbus_chat(spc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
unconfined_domain_noaudit(spc_t)
|
|
domain_ptrace_all_domains(spc_t)
|
|
# This should eventually be in upstream policy.
|
|
# https://github.com/fedora-selinux/selinux-policy/pull/806
|
|
allow spc_t domain:bpf { map_create map_read map_write prog_load prog_run };
|
|
allow daemon spc_t:dbus send_msg;
|
|
')
|
|
|
|
optional_policy(`
|
|
virt_transition_svirt_sandbox(spc_t, system_r)
|
|
virt_sandbox_entrypoint(spc_t)
|
|
virt_sandbox_domtrans(container_runtime_domain, spc_t)
|
|
virt_transition_svirt(spc_t, system_r)
|
|
virt_sandbox_entrypoint(container_file_t)
|
|
virt_sandbox_entrypoint(container_ro_file_t)
|
|
|
|
gen_require(`
|
|
attribute virt_domain;
|
|
type virtd_t;
|
|
role unconfined_r;
|
|
')
|
|
role unconfined_r types virt_domain;
|
|
role unconfined_r types virtd_t;
|
|
container_spc_read_state(virt_domain)
|
|
container_spc_rw_pipes(virt_domain)
|
|
allow container_runtime_t virtd_t:process transition;
|
|
allow container_runtime_t virt_domain:process transition;
|
|
allow virt_domain container_file_t:file entrypoint;
|
|
allow virtd_t container_file_t:file entrypoint;
|
|
manage_files_pattern(virt_domain, container_file_t, container_file_t)
|
|
manage_dirs_pattern(virt_domain, container_file_t, container_file_t)
|
|
manage_lnk_files_pattern(virt_domain, container_file_t, container_file_t)
|
|
read_files_pattern(virt_domain, container_ro_file_t, container_ro_file_t)
|
|
read_lnk_files_pattern(virt_domain, container_ro_file_t, container_ro_file_t)
|
|
|
|
can_exec(virt_domain, container_file_t)
|
|
|
|
manage_files_pattern(virtd_t, container_file_t, container_file_t)
|
|
manage_dirs_pattern(virtd_t, container_file_t, container_file_t)
|
|
manage_lnk_files_pattern(virtd_t, container_file_t, container_file_t)
|
|
read_files_pattern(virtd_t, container_ro_file_t, container_ro_file_t)
|
|
read_lnk_files_pattern(virtd_t, container_ro_file_t, container_ro_file_t)
|
|
|
|
can_exec(virtd_t, container_file_t)
|
|
|
|
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# container_auth local policy
|
|
#
|
|
allow container_auth_t self:fifo_file rw_fifo_file_perms;
|
|
allow container_auth_t self:unix_stream_socket create_stream_socket_perms;
|
|
dontaudit container_auth_t self:capability net_admin;
|
|
|
|
container_stream_connect(container_auth_t)
|
|
|
|
manage_dirs_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
|
|
manage_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
|
|
manage_sock_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
|
|
manage_lnk_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
|
|
files_pid_filetrans(container_auth_t, container_plugin_var_run_t, { dir file lnk_file sock_file })
|
|
|
|
stream_connect_pattern(container_runtime_domain, container_plugin_var_run_t, container_plugin_var_run_t, container_auth_t)
|
|
list_dirs_pattern(container_runtime_domain, container_plugin_var_run_t, container_plugin_var_run_t)
|
|
|
|
domain_use_interactive_fds(container_auth_t)
|
|
|
|
kernel_read_net_sysctls(container_auth_t)
|
|
|
|
auth_use_nsswitch(container_auth_t)
|
|
|
|
files_read_etc_files(container_auth_t)
|
|
|
|
miscfiles_read_localization(container_auth_t)
|
|
|
|
sysnet_dns_name_resolve(container_auth_t)
|
|
|
|
########################################
|
|
#
|
|
# container_t local policy
|
|
#
|
|
# Currently this is called in virt.te
|
|
# virt_sandbox_domain_template(container)
|
|
# typealias container_t alias svirt_lxc_net_t;
|
|
gen_require(`
|
|
type container_t;
|
|
type container_file_t;
|
|
')
|
|
container_manage_files_template(container, container)
|
|
|
|
typeattribute container_file_t container_file_type, user_home_type;
|
|
typeattribute container_t container_domain, container_net_domain, container_user_domain;
|
|
allow container_user_domain self:process getattr;
|
|
allow container_domain { container_var_lib_t container_ro_file_t container_file_t container_runtime_tmpfs_t}:file entrypoint;
|
|
allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms;
|
|
allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map };
|
|
allow container_domain container_runtime_t:unix_dgram_socket sendto;
|
|
|
|
allow container_domain container_runtime_domain:tun_socket relabelfrom;
|
|
allow container_domain container_runtime_domain:fd use;
|
|
allow container_runtime_domain container_domain:fd use;
|
|
allow container_domain self:socket_class_set { create_socket_perms map accept };
|
|
allow container_domain self:lnk_file setattr;
|
|
allow container_domain self:user_namespace create;
|
|
|
|
dontaudit container_domain self:capability fsetid;
|
|
allow container_domain self:association sendto;
|
|
allow container_domain self:dir list_dir_perms;
|
|
dontaudit container_domain self:dir { write add_name };
|
|
allow container_domain self:file rw_file_perms;
|
|
allow container_domain self:lnk_file read_file_perms;
|
|
allow container_domain self:fifo_file create_fifo_file_perms;
|
|
allow container_domain self:fifo_file watch;
|
|
allow container_domain self:filesystem associate;
|
|
allow container_domain self:key manage_key_perms;
|
|
allow container_domain self:netlink_route_socket r_netlink_socket_perms;
|
|
allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
|
|
allow container_domain self:netlink_xfrm_socket create_socket_perms;
|
|
allow container_domain self:packet_socket create_socket_perms;
|
|
allow container_domain self:passwd rootok;
|
|
allow container_domain self:peer recv;
|
|
allow container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop setexec setfscreate};
|
|
allow container_domain self:sem create_sem_perms;
|
|
allow container_domain self:shm create_shm_perms;
|
|
allow container_domain self:socket create_socket_perms;
|
|
allow container_domain self:tcp_socket create_socket_perms;
|
|
allow container_domain self:tun_socket { create_socket_perms relabelfrom relabelto attach_queue };
|
|
allow container_domain self:udp_socket create_socket_perms;
|
|
allow container_domain self:unix_dgram_socket create_socket_perms;
|
|
allow container_domain self:unix_stream_socket create_stream_socket_perms;
|
|
dontaudit container_domain self:capability2 block_suspend ;
|
|
allow container_domain self:unix_stream_socket { sendto create_stream_socket_perms };
|
|
fs_fusefs_entrypoint(spc_t)
|
|
|
|
container_read_share_files(container_domain)
|
|
container_exec_share_files(container_domain)
|
|
container_use_ptys(container_domain)
|
|
container_spc_stream_connect(container_domain)
|
|
|
|
dev_dontaudit_mounton_sysfs(container_domain)
|
|
dev_dontaudit_mounton_sysfs(container_domain)
|
|
dev_dontaudit_mounton_sysfs(container_domain)
|
|
dev_getattr_mtrr_dev(container_domain)
|
|
dev_list_sysfs(container_domain)
|
|
dev_mounton_sysfs(container_t)
|
|
dev_read_mtrr(container_domain)
|
|
dev_read_rand(container_domain)
|
|
dev_read_sysfs(container_domain)
|
|
dev_read_urand(container_domain)
|
|
dev_rw_inherited_dri(container_domain)
|
|
dev_rw_kvm(container_domain)
|
|
dev_rwx_zero(container_domain)
|
|
dev_write_rand(container_domain)
|
|
dev_write_urand(container_domain)
|
|
allow container_domain sysfs_t:dir watch;
|
|
|
|
dontaudit container_domain container_runtime_tmpfs_t:dir read;
|
|
allow container_domain container_runtime_tmpfs_t:dir mounton;
|
|
can_exec(container_domain, container_runtime_tmpfs_t)
|
|
|
|
allow container_domain self:key manage_key_perms;
|
|
dontaudit container_domain container_domain:key search;
|
|
|
|
allow container_domain self:process { getrlimit getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
|
|
allow container_domain self:fifo_file manage_file_perms;
|
|
allow container_domain self:msg all_msg_perms;
|
|
allow container_domain self:sem create_sem_perms;
|
|
allow container_domain self:shm create_shm_perms;
|
|
allow container_domain self:msgq create_msgq_perms;
|
|
allow container_domain self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
allow container_domain self:unix_dgram_socket { sendto create_socket_perms };
|
|
allow container_domain self:passwd rootok;
|
|
allow container_domain self:filesystem associate;
|
|
allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
|
|
allow container_domain container_runtime_domain:socket_class_set { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
|
|
|
|
kernel_getattr_proc(container_domain)
|
|
kernel_list_all_proc(container_domain)
|
|
kernel_read_all_sysctls(container_domain)
|
|
kernel_dontaudit_write_kernel_sysctl(container_domain)
|
|
kernel_read_network_state(container_domain)
|
|
kernel_rw_net_sysctls(container_domain)
|
|
kernel_rw_unix_sysctls(container_domain)
|
|
kernel_dontaudit_search_kernel_sysctl(container_domain)
|
|
kernel_dontaudit_access_check_proc(container_domain)
|
|
kernel_dontaudit_setattr_proc_files(container_domain)
|
|
kernel_dontaudit_setattr_proc_dirs(container_domain)
|
|
kernel_dontaudit_write_usermodehelper_state(container_domain)
|
|
kernel_read_irq_sysctls(container_domain)
|
|
kernel_get_sysvipc_info(container_domain)
|
|
|
|
fs_dontaudit_getattr_all_dirs(container_domain)
|
|
fs_dontaudit_getattr_all_files(container_domain)
|
|
fs_dontaudit_remount_tmpfs(container_domain)
|
|
fs_dontaudit_remount_tmpfs(container_domain)
|
|
fs_exec_fusefs_files(container_domain)
|
|
fs_exec_hugetlbfs_files(container_domain)
|
|
fs_fusefs_entrypoint(container_domain)
|
|
fs_getattr_all_fs(container_domain)
|
|
fs_list_cgroup_dirs(container_domain)
|
|
fs_list_hugetlbfs(container_domain)
|
|
fs_manage_bpf_files(container_domain)
|
|
fs_manage_fusefs_dirs(container_domain)
|
|
fs_manage_fusefs_files(container_domain)
|
|
fs_manage_fusefs_named_pipes(container_domain)
|
|
fs_manage_fusefs_named_sockets(container_domain)
|
|
fs_manage_fusefs_symlinks(container_domain)
|
|
fs_manage_hugetlbfs_files(container_domain)
|
|
fs_mount_fusefs(container_domain)
|
|
fs_unmount_fusefs(container_domain)
|
|
fs_mount_tmpfs(container_domain)
|
|
fs_unmount_tmpfs(container_domain)
|
|
fs_mount_xattr_fs(container_domain)
|
|
fs_unmount_xattr_fs(container_domain)
|
|
fs_mounton_cgroup(container_domain)
|
|
fs_mounton_fusefs(container_domain)
|
|
fs_read_cgroup_files(container_domain)
|
|
fs_read_nsfs_files(container_domain)
|
|
fs_read_tmpfs_symlinks(container_domain)
|
|
fs_remount_xattr_fs(container_domain)
|
|
fs_rw_inherited_tmpfs_files(container_domain)
|
|
fs_rw_onload_sockets(container_domain)
|
|
fs_search_tmpfs(container_domain)
|
|
fs_unmount_cgroup(container_domain)
|
|
fs_unmount_fusefs(container_domain)
|
|
fs_unmount_nsfs(container_domain)
|
|
fs_unmount_xattr_fs(container_domain)
|
|
|
|
term_use_all_inherited_terms(container_domain)
|
|
|
|
userdom_use_user_ptys(container_domain)
|
|
userdom_rw_inherited_user_pipes(container_domain)
|
|
|
|
domain_user_exemption_target(container_t)
|
|
domain_dontaudit_link_all_domains_keyrings(container_domain)
|
|
domain_dontaudit_search_all_domains_keyrings(container_domain)
|
|
domain_dontaudit_search_all_domains_state(container_domain)
|
|
|
|
virt_sandbox_net_domain(container_t)
|
|
|
|
logging_send_syslog_msg(container_t)
|
|
|
|
gen_require(`
|
|
type container_file_t;
|
|
')
|
|
# fs_associate_cgroupfs(container_file_t)
|
|
gen_require(`
|
|
type cgroup_t;
|
|
')
|
|
|
|
files_read_kernel_modules(container_domain)
|
|
|
|
allow container_file_t cgroup_t:filesystem associate;
|
|
term_pty(container_file_t)
|
|
logging_log_file(container_file_t)
|
|
tunable_policy(`virt_sandbox_use_sys_admin',`
|
|
allow container_t self:capability sys_admin;
|
|
allow container_t self:cap_userns sys_admin;
|
|
')
|
|
|
|
allow container_domain self:cap_userns sys_admin;
|
|
allow container_domain self:process { getsession execstack execmem };
|
|
|
|
corenet_unconfined(container_t)
|
|
|
|
optional_policy(`
|
|
virt_default_capabilities(container_t)
|
|
')
|
|
kernel_rw_rpc_sysctls(container_domain)
|
|
kernel_rw_net_sysctls(container_domain)
|
|
kernel_read_messages(container_t)
|
|
kernel_read_network_state(container_domain)
|
|
kernel_dontaudit_write_proc_files(container_domain)
|
|
|
|
# Container Net Domain
|
|
corenet_tcp_bind_generic_node(container_net_domain)
|
|
corenet_udp_bind_generic_node(container_net_domain)
|
|
corenet_raw_bind_generic_node(container_net_domain)
|
|
corenet_tcp_sendrecv_all_ports(container_net_domain)
|
|
corenet_udp_sendrecv_all_ports(container_net_domain)
|
|
corenet_udp_bind_all_ports(container_net_domain)
|
|
corenet_tcp_bind_all_ports(container_net_domain)
|
|
corenet_tcp_connect_all_ports(container_net_domain)
|
|
|
|
allow container_net_domain self:udp_socket create_socket_perms;
|
|
allow container_net_domain self:tcp_socket create_stream_socket_perms;
|
|
allow container_net_domain self:tun_socket create_socket_perms;
|
|
allow container_net_domain self:netlink_route_socket create_netlink_socket_perms;
|
|
allow container_net_domain self:sctp_socket listen;
|
|
allow container_net_domain self:packet_socket create_socket_perms;
|
|
allow container_net_domain self:socket create_socket_perms;
|
|
allow container_net_domain self:rawip_socket create_stream_socket_perms;
|
|
allow container_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
|
|
allow container_net_domain self:netlink_xfrm_socket create_netlink_socket_perms;
|
|
|
|
allow container_domain spc_t:unix_stream_socket { read write };
|
|
kernel_unlabeled_domtrans(container_runtime_domain, spc_t)
|
|
kernel_unlabeled_entry_type(spc_t)
|
|
allow container_runtime_domain unlabeled_t:key manage_key_perms;
|
|
#kernel_dontaudit_write_usermodehelper_state(container_t)
|
|
gen_require(`
|
|
type usermodehelper_t;
|
|
')
|
|
dontaudit container_domain usermodehelper_t:file write;
|
|
|
|
sysnet_read_config(container_domain)
|
|
|
|
allow container_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
|
|
|
|
optional_policy(`
|
|
gssproxy_stream_connect(container_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
rpm_read_cache(container_domain)
|
|
rpm_read_db(container_domain)
|
|
rpm_transition_script(spc_t, system_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
sssd_stream_connect(container_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
systemd_dbus_chat_logind(container_domain)
|
|
')
|
|
|
|
tunable_policy(`container_manage_cgroup',`
|
|
fs_manage_cgroup_dirs(container_domain)
|
|
fs_manage_cgroup_files(container_domain)
|
|
')
|
|
|
|
storage_rw_fuse(container_domain)
|
|
allow container_domain fusefs_t:file { mounton execmod };
|
|
allow container_domain fusefs_t:filesystem remount;
|
|
|
|
tunable_policy(`virt_sandbox_use_netlink',`
|
|
allow container_domain self:netlink_socket create_socket_perms;
|
|
allow container_domain self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
|
allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
|
|
', `
|
|
logging_dontaudit_send_audit_msgs(container_domain)
|
|
')
|
|
|
|
tunable_policy(`virt_sandbox_use_audit',`
|
|
logging_send_audit_msgs(container_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
type sysctl_kernel_ns_last_pid_t;
|
|
')
|
|
|
|
kernel_search_network_sysctl(container_domain)
|
|
allow container_domain sysctl_kernel_ns_last_pid_t:file rw_file_perms;
|
|
allow container_domain sysctl_kernel_ns_last_pid_t:dir list_dir_perms;
|
|
')
|
|
|
|
tunable_policy(`virt_sandbox_use_all_caps',`
|
|
allow container_domain self:capability ~{ sys_module };
|
|
allow container_domain self:capability2 ~{ mac_override mac_admin };
|
|
allow container_domain self:cap_userns ~{ sys_module };
|
|
allow container_domain self:cap2_userns ~{ mac_override mac_admin };
|
|
')
|
|
|
|
tunable_policy(`virt_sandbox_use_mknod',`
|
|
allow container_domain self:capability mknod;
|
|
allow container_domain self:cap_userns mknod;
|
|
')
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
role unconfined_r;
|
|
type unconfined_service_t;
|
|
type unconfined_service_exec_t;
|
|
')
|
|
|
|
virt_transition_svirt_sandbox(unconfined_service_t, system_r)
|
|
container_filetrans_named_content(unconfined_service_t)
|
|
container_runtime_domtrans(unconfined_service_t)
|
|
role_transition unconfined_r unconfined_service_exec_t system_r;
|
|
allow container_runtime_domain unconfined_service_t:fifo_file setattr;
|
|
allow unconfined_service_t container_domain:process dyntransition;
|
|
allow unconfined_service_t unlabeled_t:key manage_key_perms;
|
|
')
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
attribute unconfined_domain_type;
|
|
')
|
|
|
|
container_filetrans_named_content(unconfined_domain_type)
|
|
allow unconfined_domain_type container_domain:process2 { nnp_transition nosuid_transition };
|
|
allow unconfined_domain_type unlabeled_t:key manage_key_perms;
|
|
')
|
|
|
|
#
|
|
# container_userns_t policy
|
|
#
|
|
container_domain_template(container_userns, container)
|
|
|
|
typeattribute container_userns_t sandbox_net_domain, container_user_domain;
|
|
dev_mount_sysfs_fs(container_userns_t)
|
|
dev_mounton_sysfs(container_userns_t)
|
|
|
|
fs_mount_tmpfs(container_userns_t)
|
|
fs_unmount_tmpfs(container_userns_t)
|
|
fs_relabelfrom_tmpfs(container_userns_t)
|
|
fs_remount_cgroup(container_userns_t)
|
|
|
|
kernel_mount_proc(container_userns_t)
|
|
kernel_mounton_proc(container_userns_t)
|
|
|
|
term_use_generic_ptys(container_userns_t)
|
|
term_setattr_generic_ptys(container_userns_t)
|
|
term_mount_pty_fs(container_userns_t)
|
|
|
|
allow container_userns_t self:capability ~{ sys_module };
|
|
allow container_userns_t self:capability2 ~{ mac_override mac_admin };
|
|
allow container_userns_t self:cap_userns ~{ sys_module };
|
|
allow container_userns_t self:cap2_userns ~{ mac_override mac_admin };
|
|
allow container_userns_t self:capability mknod;
|
|
allow container_userns_t self:cap_userns mknod;
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
type proc_t, proc_kcore_t;
|
|
type sysctl_t, sysctl_irq_t;
|
|
')
|
|
|
|
allow container_userns_t proc_t:filesystem { remount };
|
|
allow container_userns_t proc_kcore_t:file mounton;
|
|
allow container_userns_t sysctl_irq_t:dir mounton;
|
|
allow container_userns_t sysctl_t:dir mounton;
|
|
allow container_userns_t sysctl_t:file mounton;
|
|
')
|
|
|
|
|
|
tunable_policy(`virt_sandbox_use_sys_admin',`
|
|
allow container_userns_t self:capability sys_admin;
|
|
allow container_userns_t self:cap_userns sys_admin;
|
|
')
|
|
|
|
# Container Logreader
|
|
container_domain_template(container_logreader, container)
|
|
typeattribute container_logreader_t container_net_domain;
|
|
logging_read_all_logs(container_logreader_t)
|
|
# Remove once https://github.com/fedora-selinux/selinux-policy/pull/898 merges
|
|
allow container_logreader_t logfile:lnk_file read_lnk_file_perms;
|
|
logging_read_audit_log(container_logreader_t)
|
|
logging_list_logs(container_logreader_t)
|
|
|
|
# Container Logwriter
|
|
container_domain_template(container_logwriter, container)
|
|
typeattribute container_logwriter_t container_net_domain;
|
|
logging_read_all_logs(container_logwriter_t)
|
|
manage_files_pattern(container_logwriter_t, logfile, logfile)
|
|
manage_dirs_pattern(container_logwriter_t, logfile, logfile)
|
|
manage_lnk_files_pattern(container_logwriter_t, logfile, logfile)
|
|
logging_manage_audit_log(container_logwriter_t)
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
type sysadm_t, staff_t, user_t;
|
|
role sysadm_r, staff_r, user_r;
|
|
attribute userdomain;
|
|
')
|
|
|
|
allow userdomain container_domain:process transition;
|
|
|
|
can_exec(userdomain, container_runtime_exec_t)
|
|
container_manage_files(userdomain)
|
|
container_manage_share_dirs(userdomain)
|
|
container_manage_share_files(userdomain)
|
|
|
|
allow userdomain conmon_exec_t:file entrypoint;
|
|
container_runtime_run(sysadm_t, sysadm_r)
|
|
role sysadm_r types container_domain;
|
|
role sysadm_r types spc_t;
|
|
|
|
container_runtime_run(staff_t, staff_r)
|
|
role staff_r types container_user_domain;
|
|
|
|
allow userdomain self:cap_userns ~{ sys_module };
|
|
container_read_state(userdomain)
|
|
allow userdomain container_runtime_t:process { noatsecure rlimitinh siginh };
|
|
container_runtime_run(user_t, user_r)
|
|
role user_r types container_user_domain;
|
|
|
|
staff_role_change_to(system_r)
|
|
|
|
allow staff_t container_runtime_t:process signal_perms;
|
|
allow staff_t container_domain:process signal_perms;
|
|
allow container_domain userdomain:socket_class_set { accept ioctl read getattr lock write append getopt shutdown setopt };
|
|
')
|
|
|
|
gen_require(`
|
|
type init_t;
|
|
')
|
|
container_manage_lib_files(init_t)
|
|
container_manage_lib_dirs(init_t)
|
|
container_manage_share_files(init_t)
|
|
container_manage_share_dirs(init_t)
|
|
container_filetrans_named_content(init_t)
|
|
container_runtime_read_tmpfs_files(init_t)
|
|
|
|
gen_require(`
|
|
attribute device_node;
|
|
type device_t;
|
|
attribute sysctl_type;
|
|
')
|
|
dontaudit container_domain device_node:chr_file setattr;
|
|
dontaudit container_domain sysctl_type:file write;
|
|
allow container_domain init_t:unix_stream_socket { accept ioctl read getattr lock write append getopt };
|
|
|
|
allow container_t proc_t:filesystem remount;
|
|
|
|
# Container kvm - Policy for running kata containers
|
|
container_domain_template(container_kvm, container)
|
|
typeattribute container_kvm_t container_net_domain, container_user_domain;
|
|
|
|
type container_kvm_var_run_t;
|
|
files_pid_file(container_kvm_var_run_t)
|
|
filetrans_pattern(container_kvm_t, container_var_run_t, container_kvm_var_run_t, {file sock_file dir})
|
|
filetrans_pattern(container_runtime_t, container_var_run_t, container_kvm_var_run_t, dir, "kata-containers")
|
|
|
|
manage_dirs_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
|
|
manage_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
|
|
manage_fifo_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
|
|
manage_sock_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
|
|
manage_lnk_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
|
|
files_pid_filetrans(container_kvm_t, container_kvm_var_run_t, { dir file lnk_file sock_file })
|
|
files_pid_filetrans(container_kvm_t, container_kvm_var_run_t, { dir file lnk_file sock_file })
|
|
allow container_kvm_t container_kvm_var_run_t:{file dir} mounton;
|
|
|
|
allow container_kvm_t container_runtime_t:unix_stream_socket rw_stream_socket_perms;
|
|
|
|
container_stream_connect(container_kvm_t)
|
|
|
|
allow container_kvm_t container_runtime_t:tun_socket attach_queue;
|
|
|
|
dev_rw_inherited_vhost(container_kvm_t)
|
|
dev_rw_vfio_dev(container_kvm_t)
|
|
|
|
corenet_rw_inherited_tun_tap_dev(container_kvm_t)
|
|
corecmd_exec_shell(container_kvm_t)
|
|
corecmd_exec_bin(container_kvm_t)
|
|
corecmd_bin_entry_type(container_kvm_t)
|
|
|
|
# virtiofs causes these AVC messages.
|
|
kernel_mount_proc(container_kvm_t)
|
|
kernel_mounton_proc(container_kvm_t)
|
|
kernel_unmount_proc(container_kvm_t)
|
|
kernel_dgram_send(container_kvm_t)
|
|
files_mounton_rootfs(container_kvm_t)
|
|
|
|
auth_read_passwd(container_kvm_t)
|
|
logging_send_syslog_msg(container_kvm_t)
|
|
|
|
optional_policy(`
|
|
qemu_entry_type(container_kvm_t)
|
|
qemu_exec(container_kvm_t)
|
|
allow container_kvm_t qemu_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
|
|
')
|
|
|
|
manage_sock_files_pattern(container_kvm_t, container_file_t, container_file_t)
|
|
|
|
dev_rw_kvm(container_kvm_t)
|
|
|
|
sssd_read_public_files(container_kvm_t)
|
|
|
|
# Container init - Policy for running systemd based containers
|
|
container_domain_template(container_init, container)
|
|
typeattribute container_init_t container_init_domain, container_net_domain, container_user_domain;
|
|
|
|
corenet_unconfined(container_init_t)
|
|
|
|
allow container_init_t device_t:filesystem { remount unmount };
|
|
|
|
dev_mounton_sysfs(container_init_domain)
|
|
|
|
fs_manage_cgroup_dirs(container_init_domain)
|
|
fs_manage_cgroup_files(container_init_domain)
|
|
fs_mounton_cgroup(container_init_domain)
|
|
fs_unmount_cgroup(container_init_domain)
|
|
fs_unmount_tmpfs(container_init_domain)
|
|
|
|
kernel_mounton_proc(container_init_t)
|
|
kernel_unmount_proc(container_init_t)
|
|
|
|
logging_send_syslog_msg(container_init_t)
|
|
|
|
allow container_init_domain proc_t:filesystem remount;
|
|
|
|
optional_policy(`
|
|
virt_default_capabilities(container_init_t)
|
|
')
|
|
|
|
tunable_policy(`container_use_devices',`
|
|
allow container_domain device_node:chr_file {rw_chr_file_perms map};
|
|
allow container_domain device_node:blk_file {rw_blk_file_perms map};
|
|
')
|
|
|
|
tunable_policy(`container_use_xserver_devices',`
|
|
dev_getattr_xserver_misc_dev(container_t)
|
|
dev_rw_xserver_misc(container_t)
|
|
')
|
|
|
|
tunable_policy(`container_use_dri_devices',`
|
|
dev_rw_dri(container_domain)
|
|
')
|
|
|
|
tunable_policy(`virt_sandbox_use_sys_admin',`
|
|
allow container_init_t self:capability sys_admin;
|
|
allow container_init_t self:cap_userns sys_admin;
|
|
')
|
|
|
|
allow container_init_domain self:netlink_audit_socket nlmsg_relay;
|
|
|
|
# container_engine_t is for running a container engine within a container
|
|
#
|
|
container_domain_template(container_engine, container)
|
|
typeattribute container_engine_t container_net_domain;
|
|
|
|
fs_mounton_cgroup(container_engine_t)
|
|
fs_unmount_cgroup(container_engine_t)
|
|
fs_manage_cgroup_dirs(container_engine_t)
|
|
fs_manage_cgroup_files(container_engine_t)
|
|
fs_write_cgroup_files(container_engine_t)
|
|
fs_remount_cgroup(container_engine_t)
|
|
fs_mount_all_fs(container_engine_t)
|
|
fs_remount_all_fs(container_engine_t)
|
|
fs_unmount_all_fs(container_engine_t)
|
|
kernel_mounton_all_sysctls(container_engine_t)
|
|
kernel_mount_proc(container_engine_t)
|
|
kernel_mounton_proc(container_engine_t)
|
|
kernel_mounton_core_if(container_engine_t)
|
|
kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)
|
|
term_mount_pty_fs(container_engine_t)
|
|
term_use_generic_ptys(container_engine_t)
|
|
|
|
allow container_engine_t container_file_t:chr_file mounton;
|
|
allow container_engine_t filesystem_type:{dir file} mounton;
|
|
allow container_engine_t proc_kcore_t:file mounton;
|
|
allow container_engine_t proc_t:filesystem remount;
|
|
allow container_engine_t sysctl_t:{dir file} mounton;
|
|
allow container_engine_t fusefs_t:dir { relabelfrom relabelto };
|
|
allow container_engine_t fusefs_t:file relabelto;
|
|
allow container_engine_t kernel_t:system module_request;
|
|
allow container_engine_t null_device_t:chr_file mounton;
|
|
allow container_engine_t random_device_t:chr_file mounton;
|
|
allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
|
|
allow container_engine_t urandom_device_t:chr_file mounton;
|
|
allow container_engine_t zero_device_t:chr_file mounton;
|
|
|
|
manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
type devtty_t;
|
|
')
|
|
allow container_engine_t devtty_t:chr_file mounton;
|
|
')
|
|
|
|
type kubelet_t, container_runtime_domain;
|
|
domain_type(kubelet_t)
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
role unconfined_r;
|
|
')
|
|
role unconfined_r types kubelet_t;
|
|
unconfined_domain(kubelet_t)
|
|
')
|
|
|
|
manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
|
|
|
|
type kubelet_exec_t;
|
|
application_executable_file(kubelet_exec_t)
|
|
can_exec(container_runtime_t, kubelet_exec_t)
|
|
allow kubelet_t kubelet_exec_t:file entrypoint;
|
|
|
|
ifdef(`enable_mcs',`
|
|
init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mcs_systemhigh)
|
|
')
|
|
|
|
ifdef(`enable_mls',`
|
|
init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mls_systemhigh)
|
|
')
|
|
mls_trusted_object(kubelet_t)
|
|
|
|
init_daemon_domain(kubelet_t, kubelet_exec_t)
|
|
|
|
admin_pattern(kubelet_t, kubernetes_file_t)
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
type sysadm_t;
|
|
role sysadm_r;
|
|
role unconfined_r;
|
|
')
|
|
|
|
container_kubelet_run(sysadm_t, sysadm_r)
|
|
|
|
unconfined_run_to(kubelet_t, kubelet_exec_t)
|
|
role_transition unconfined_r kubelet_exec_t system_r;
|
|
')
|
|
|
|
# Standard container which needs to be allowed to use any device
|
|
container_domain_template(container_device, container)
|
|
allow container_device_t device_node:chr_file rw_chr_file_perms;
|
|
|
|
# Standard container which needs to be allowed to use any device and
|
|
# communicate with kubelet
|
|
container_domain_template(container_device_plugin, container)
|
|
allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
|
|
dev_rw_sysfs(container_device_plugin_t)
|
|
kernel_read_debugfs(container_device_plugin_t)
|
|
container_kubelet_stream_connect(container_device_plugin_t)
|
|
|
|
# Standard container which needs to be allowed to use any device and
|
|
# modify kubelet configuration
|
|
container_domain_template(container_device_plugin_init, container)
|
|
allow container_device_plugin_init_t device_node:chr_file rw_chr_file_perms;
|
|
dev_rw_sysfs(container_device_plugin_init_t)
|
|
manage_dirs_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
|
|
manage_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
|
|
manage_lnk_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
type syslogd_t;
|
|
')
|
|
|
|
allow syslogd_t container_runtime_tmpfs_t:file rw_inherited_file_perms;
|
|
logging_send_syslog_msg(container_runtime_t)
|
|
')
|
|
|
|
|
|
manage_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
|
|
manage_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
|
|
manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
|
|
manage_chr_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
|
|
manage_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
|
|
manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
|
|
|
|
tunable_policy(`sshd_launch_containers',`
|
|
gen_require(`
|
|
type sshd_t;
|
|
type systemd_logind_t;
|
|
type iptables_var_run_t;
|
|
')
|
|
|
|
container_runtime_domtrans(sshd_t)
|
|
dontaudit systemd_logind_t iptables_var_run_t:dir read;
|
|
')
|
|
|
|
role container_user_r;
|
|
userdom_restricted_user_template(container_user)
|
|
userdom_manage_home_role(container_user_r, container_user_t)
|
|
|
|
allow container_user_t container_domain:process { getattr getcap getsched sigchld sigkill signal signull sigstop };
|
|
|
|
role container_user_r types container_domain;
|
|
role container_user_r types container_user_domain;
|
|
role container_user_r types container_net_domain;
|
|
role container_user_r types container_file_type;
|
|
container_runtime_run(container_user_t, container_user_r)
|
|
unconfined_role_change_to(container_user_r)
|
|
|
|
container_use_ptys(container_user_t)
|
|
|
|
fs_manage_cgroup_dirs(container_user_t)
|
|
fs_manage_cgroup_files(container_user_t)
|
|
|
|
selinux_compute_access_vector(container_user_t)
|
|
systemd_dbus_chat_hostnamed(container_user_t)
|
|
systemd_start_systemd_services(container_user_t)
|
|
|
|
allow container_runtime_t container_user_t:process transition;
|
|
allow container_runtime_t container_user_t:process2 nnp_transition;
|
|
allow container_user_t container_runtime_t:fifo_file rw_fifo_file_perms;
|
|
|
|
allow container_user_t container_file_t:chr_file manage_chr_file_perms;
|
|
allow container_user_t container_file_t:file entrypoint;
|
|
|
|
allow container_domain container_file_t:file entrypoint;
|
|
allow container_domain container_ro_file_t:file { entrypoint execmod execute execute_no_trans getattr ioctl lock map open read };
|
|
allow container_domain container_var_lib_t:file entrypoint;
|
|
allow container_domain fusefs_t:file { append create entrypoint execmod execute execute_no_trans getattr ioctl link lock map mounton open read rename setattr unlink watch watch_reads write };
|
|
|
|
corecmd_entrypoint_all_executables(container_kvm_t)
|
|
allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
|
|
allow svirt_sandbox_domain mountpoint:file entrypoint;
|
|
|
|
tunable_policy(`deny_ptrace',`',`
|
|
allow container_domain self:process ptrace;
|
|
allow spc_t self:process ptrace;
|
|
')
|