forked from pool/selinux-policy
Accepting request 1178674 from security:SELinux
ATTENTION! Please accept this into factory at a similar time as the cockpit update to avoid issues with the cockpit-selinux module: https://build.opensuse.org/request/show/1178504 OBS-URL: https://build.opensuse.org/request/show/1178674 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=60
This commit is contained in:
commit
229039d5a3
@ -1,8 +1,10 @@
|
|||||||
<servicedata>
|
<servicedata>
|
||||||
<service name="tar_scm">
|
<service name="tar_scm">
|
||||||
<param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
|
<param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
|
||||||
<param name="changesrevision">98a8f37af8bfa88f85287f21a38c10abb925c7f3</param></service><service name="tar_scm">
|
<param name="changesrevision">7eb64de2191880e9d2207fa60c9605268d6fc8ce</param></service><service name="tar_scm">
|
||||||
<param name="url">https://github.com/containers/container-selinux.git</param>
|
<param name="url">https://github.com/containers/container-selinux.git</param>
|
||||||
<param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm">
|
<param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm">
|
||||||
<param name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>
|
<param name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param>
|
||||||
<param name="changesrevision">3e2ff590e3c22e0782b38b938a367440431bae13</param></service></servicedata>
|
<param name="changesrevision">3e2ff590e3c22e0782b38b938a367440431bae13</param></service><service name="tar_scm">
|
||||||
|
<param name="url">https://gitlab.suse.de/cahu/selinux-policy.git</param>
|
||||||
|
<param name="changesrevision">dd1ff3c6a1e2c1f22ddd13039191ea458d7fcc8d</param></service></servicedata>
|
43
container.fc
43
container.fc
@ -9,14 +9,19 @@
|
|||||||
/usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
/usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||||
/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||||
/usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
/usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||||
/usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
/usr/s?bin/kubenswrapper.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||||
|
/usr/local/s?bin/kubenswrapper.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||||
|
/usr/s?bin/kubensenter.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||||
|
/usr/local/s?bin/kubensenter.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
||||||
|
/usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||||
/usr/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
/usr/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||||
/usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
/usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||||
|
/usr/s?bin/buildah -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||||
/usr/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
/usr/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||||
/usr/local/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
/usr/local/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||||
|
|
||||||
/usr/s?bin/lxc-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
/usr/s?bin/lxc-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||||
/usr/s?bin/lxd-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
/usr/s?bin/lxd-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||||
/usr/s?bin/lxc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
/usr/s?bin/lxc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||||
/usr/s?bin/lxd -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
/usr/s?bin/lxd -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||||
/usr/s?bin/fuidshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
/usr/s?bin/fuidshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
||||||
@ -117,7 +122,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:
|
|||||||
/var/cache/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
/var/cache/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||||
/var/lib/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
/var/lib/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||||
|
|
||||||
/var/run/kata-containers(/.*)? gen_context(system_u:object_r:container_kvm_var_run_t,s0)
|
/run/kata-containers(/.*)? gen_context(system_u:object_r:container_kvm_var_run_t,s0)
|
||||||
|
|
||||||
/var/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
/var/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||||
/opt/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
/opt/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||||
@ -126,6 +131,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:
|
|||||||
/var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
/var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||||
|
|
||||||
/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
||||||
|
/var/lib/kubelet/pod-resources/kubelet.sock gen_context(system_u:object_r:container_file_t,s0)
|
||||||
/var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
/var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
||||||
/var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
|
/var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||||
/var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
|
/var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
|
||||||
@ -136,26 +142,25 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:
|
|||||||
/var/lib/docker-latest/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
/var/lib/docker-latest/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||||
|
|
||||||
/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
||||||
/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||||
/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
|
||||||
/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
||||||
/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
||||||
|
|
||||||
/var/run/containers(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
/run/containers(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||||
/var/run/crio(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
/run/crio(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||||
/var/run/docker(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
/run/docker(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||||
/var/run/containerd(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
/run/containerd(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||||
/var/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
|
/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
|
||||||
/var/run/buildkit(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
/run/buildkit(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||||
/var/run/docker\.pid -- gen_context(system_u:object_r:container_var_run_t,s0)
|
/run/docker\.pid -- gen_context(system_u:object_r:container_var_run_t,s0)
|
||||||
/var/run/docker\.sock -s gen_context(system_u:object_r:container_var_run_t,s0)
|
/run/docker\.sock -s gen_context(system_u:object_r:container_var_run_t,s0)
|
||||||
/var/run/docker-client(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
/run/docker-client(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
||||||
/var/run/docker/plugins(/.*)? gen_context(system_u:object_r:container_plugin_var_run_t,s0)
|
/run/docker/plugins(/.*)? gen_context(system_u:object_r:container_plugin_var_run_t,s0)
|
||||||
|
|
||||||
/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||||
/var/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
/var/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||||
|
|
||||||
/var/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0)
|
/run/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0)
|
||||||
|
|
||||||
/var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
/var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
||||||
/var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
/var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
||||||
|
@ -573,7 +573,7 @@ interface(`container_filetrans_named_content',`
|
|||||||
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers")
|
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers")
|
||||||
filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "kata-containers")
|
filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "kata-containers")
|
||||||
filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm")
|
filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm")
|
||||||
files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")
|
files_etc_filetrans($1, kubernetes_file_t, dir, "kubernetes")
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
178
container.te
178
container.te
@ -1,4 +1,4 @@
|
|||||||
policy_module(container, 2.219.0)
|
policy_module(container, 2.230.0)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
@ -38,6 +38,13 @@ gen_tunable(sshd_launch_containers, false)
|
|||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(container_use_devices, false)
|
gen_tunable(container_use_devices, false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow containers to use any dri device volume mounted into container
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(container_use_dri_devices, true)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow sandbox containers to manage cgroup (systemd)
|
## Allow sandbox containers to manage cgroup (systemd)
|
||||||
@ -136,6 +143,7 @@ type container_devpts_t alias docker_devpts_t;
|
|||||||
term_pty(container_devpts_t)
|
term_pty(container_devpts_t)
|
||||||
|
|
||||||
typealias container_ro_file_t alias { container_share_t docker_share_t };
|
typealias container_ro_file_t alias { container_share_t docker_share_t };
|
||||||
|
typeattribute container_ro_file_t container_file_type, user_home_type;
|
||||||
files_mountpoint(container_ro_file_t)
|
files_mountpoint(container_ro_file_t)
|
||||||
userdom_user_home_content(container_ro_file_t)
|
userdom_user_home_content(container_ro_file_t)
|
||||||
|
|
||||||
@ -568,7 +576,6 @@ tunable_policy(`virt_use_nfs',`
|
|||||||
fs_manage_nfs_symlinks(container_runtime_domain)
|
fs_manage_nfs_symlinks(container_runtime_domain)
|
||||||
fs_remount_nfs(container_runtime_domain)
|
fs_remount_nfs(container_runtime_domain)
|
||||||
fs_mount_nfs(container_runtime_domain)
|
fs_mount_nfs(container_runtime_domain)
|
||||||
fs_unmount_nfs(container_runtime_domain)
|
|
||||||
fs_exec_nfs_files(container_runtime_domain)
|
fs_exec_nfs_files(container_runtime_domain)
|
||||||
kernel_rw_fs_sysctls(container_runtime_domain)
|
kernel_rw_fs_sysctls(container_runtime_domain)
|
||||||
allow container_runtime_domain nfs_t:file execmod;
|
allow container_runtime_domain nfs_t:file execmod;
|
||||||
@ -634,21 +641,16 @@ fs_manage_fusefs_dirs(container_runtime_domain)
|
|||||||
fs_manage_fusefs_files(container_runtime_domain)
|
fs_manage_fusefs_files(container_runtime_domain)
|
||||||
fs_manage_fusefs_symlinks(container_runtime_domain)
|
fs_manage_fusefs_symlinks(container_runtime_domain)
|
||||||
fs_mount_fusefs(container_runtime_domain)
|
fs_mount_fusefs(container_runtime_domain)
|
||||||
fs_unmount_fusefs(container_runtime_domain)
|
|
||||||
fs_exec_fusefs_files(container_runtime_domain)
|
fs_exec_fusefs_files(container_runtime_domain)
|
||||||
storage_rw_fuse(container_runtime_domain)
|
storage_rw_fuse(container_runtime_domain)
|
||||||
|
|
||||||
optional_policy(`
|
files_search_all(container_domain)
|
||||||
files_search_all(container_domain)
|
container_read_share_files(container_domain)
|
||||||
container_read_share_files(container_domain)
|
container_exec_share_files(container_domain)
|
||||||
container_exec_share_files(container_domain)
|
allow container_domain container_ro_file_t:file execmod;
|
||||||
allow container_domain container_ro_file_t:file execmod;
|
container_lib_filetrans(container_domain,container_file_t, sock_file)
|
||||||
container_lib_filetrans(container_domain,container_file_t, sock_file)
|
container_use_ptys(container_domain)
|
||||||
container_use_ptys(container_domain)
|
container_spc_stream_connect(container_domain)
|
||||||
container_spc_stream_connect(container_domain)
|
|
||||||
fs_dontaudit_remount_tmpfs(container_domain)
|
|
||||||
dev_dontaudit_mounton_sysfs(container_domain)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
apache_exec_modules(container_runtime_domain)
|
apache_exec_modules(container_runtime_domain)
|
||||||
@ -746,7 +748,7 @@ tunable_policy(`container_connect_any',`
|
|||||||
#
|
#
|
||||||
# spc local policy
|
# spc local policy
|
||||||
#
|
#
|
||||||
allow spc_t { container_file_t container_var_lib_t container_ro_file_t }:file entrypoint;
|
allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint;
|
||||||
role system_r types spc_t;
|
role system_r types spc_t;
|
||||||
|
|
||||||
domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
|
domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
|
||||||
@ -755,6 +757,7 @@ domtrans_pattern(container_runtime_domain, fusefs_t, spc_t)
|
|||||||
fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file })
|
fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file })
|
||||||
|
|
||||||
allow container_runtime_domain spc_t:process2 { nnp_transition nosuid_transition };
|
allow container_runtime_domain spc_t:process2 { nnp_transition nosuid_transition };
|
||||||
|
allow spc_t container_file_type:file execmod;
|
||||||
|
|
||||||
admin_pattern(spc_t, kubernetes_file_t)
|
admin_pattern(spc_t, kubernetes_file_t)
|
||||||
|
|
||||||
@ -776,6 +779,10 @@ optional_policy(`
|
|||||||
systemd_dbus_chat_logind(spc_t)
|
systemd_dbus_chat_logind(spc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
domain_transition_all(spc_t)
|
||||||
|
|
||||||
|
anaconda_domtrans_install(spc_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_chat_system_bus(spc_t)
|
dbus_chat_system_bus(spc_t)
|
||||||
dbus_chat_session_bus(spc_t)
|
dbus_chat_session_bus(spc_t)
|
||||||
@ -878,7 +885,7 @@ container_manage_files_template(container, container)
|
|||||||
typeattribute container_file_t container_file_type, user_home_type;
|
typeattribute container_file_t container_file_type, user_home_type;
|
||||||
typeattribute container_t container_domain, container_net_domain, container_user_domain;
|
typeattribute container_t container_domain, container_net_domain, container_user_domain;
|
||||||
allow container_user_domain self:process getattr;
|
allow container_user_domain self:process getattr;
|
||||||
allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
|
allow container_domain { container_var_lib_t container_ro_file_t container_file_t container_runtime_tmpfs_t}:file entrypoint;
|
||||||
allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms;
|
allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms;
|
||||||
allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map };
|
allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map };
|
||||||
allow container_domain container_runtime_t:unix_dgram_socket sendto;
|
allow container_domain container_runtime_t:unix_dgram_socket sendto;
|
||||||
@ -897,6 +904,7 @@ dontaudit container_domain self:dir { write add_name };
|
|||||||
allow container_domain self:file rw_file_perms;
|
allow container_domain self:file rw_file_perms;
|
||||||
allow container_domain self:lnk_file read_file_perms;
|
allow container_domain self:lnk_file read_file_perms;
|
||||||
allow container_domain self:fifo_file create_fifo_file_perms;
|
allow container_domain self:fifo_file create_fifo_file_perms;
|
||||||
|
allow container_domain self:fifo_file watch;
|
||||||
allow container_domain self:filesystem associate;
|
allow container_domain self:filesystem associate;
|
||||||
allow container_domain self:key manage_key_perms;
|
allow container_domain self:key manage_key_perms;
|
||||||
allow container_domain self:netlink_route_socket r_netlink_socket_perms;
|
allow container_domain self:netlink_route_socket r_netlink_socket_perms;
|
||||||
@ -916,28 +924,33 @@ allow container_domain self:unix_dgram_socket create_socket_perms;
|
|||||||
allow container_domain self:unix_stream_socket create_stream_socket_perms;
|
allow container_domain self:unix_stream_socket create_stream_socket_perms;
|
||||||
dontaudit container_domain self:capability2 block_suspend ;
|
dontaudit container_domain self:capability2 block_suspend ;
|
||||||
allow container_domain self:unix_stream_socket { sendto create_stream_socket_perms };
|
allow container_domain self:unix_stream_socket { sendto create_stream_socket_perms };
|
||||||
fs_rw_onload_sockets(container_domain)
|
|
||||||
fs_fusefs_entrypoint(container_domain)
|
|
||||||
fs_fusefs_entrypoint(spc_t)
|
fs_fusefs_entrypoint(spc_t)
|
||||||
|
|
||||||
container_read_share_files(container_domain)
|
container_read_share_files(container_domain)
|
||||||
container_exec_share_files(container_domain)
|
container_exec_share_files(container_domain)
|
||||||
container_use_ptys(container_domain)
|
container_use_ptys(container_domain)
|
||||||
container_spc_stream_connect(container_domain)
|
container_spc_stream_connect(container_domain)
|
||||||
fs_dontaudit_remount_tmpfs(container_domain)
|
|
||||||
dev_dontaudit_mounton_sysfs(container_domain)
|
dev_dontaudit_mounton_sysfs(container_domain)
|
||||||
dev_dontaudit_mounton_sysfs(container_domain)
|
dev_dontaudit_mounton_sysfs(container_domain)
|
||||||
fs_mount_tmpfs(container_domain)
|
dev_dontaudit_mounton_sysfs(container_domain)
|
||||||
|
dev_getattr_mtrr_dev(container_domain)
|
||||||
|
dev_list_sysfs(container_domain)
|
||||||
|
dev_mounton_sysfs(container_t)
|
||||||
|
dev_read_mtrr(container_domain)
|
||||||
|
dev_read_rand(container_domain)
|
||||||
|
dev_read_sysfs(container_domain)
|
||||||
|
dev_read_urand(container_domain)
|
||||||
|
dev_rw_inherited_dri(container_domain)
|
||||||
|
dev_rw_kvm(container_domain)
|
||||||
|
dev_rwx_zero(container_domain)
|
||||||
|
dev_write_rand(container_domain)
|
||||||
|
dev_write_urand(container_domain)
|
||||||
|
allow container_domain sysfs_t:dir watch;
|
||||||
|
|
||||||
dontaudit container_domain container_runtime_tmpfs_t:dir read;
|
dontaudit container_domain container_runtime_tmpfs_t:dir read;
|
||||||
allow container_domain container_runtime_tmpfs_t:dir mounton;
|
allow container_domain container_runtime_tmpfs_t:dir mounton;
|
||||||
|
can_exec(container_domain, container_runtime_tmpfs_t)
|
||||||
dev_getattr_mtrr_dev(container_domain)
|
|
||||||
dev_list_sysfs(container_domain)
|
|
||||||
allow container_domain sysfs_t:dir watch;
|
|
||||||
|
|
||||||
dev_rw_kvm(container_domain)
|
|
||||||
dev_rwx_zero(container_domain)
|
|
||||||
|
|
||||||
allow container_domain self:key manage_key_perms;
|
allow container_domain self:key manage_key_perms;
|
||||||
dontaudit container_domain container_domain:key search;
|
dontaudit container_domain container_domain:key search;
|
||||||
@ -953,7 +966,7 @@ allow container_domain self:unix_dgram_socket { sendto create_socket_perms };
|
|||||||
allow container_domain self:passwd rootok;
|
allow container_domain self:passwd rootok;
|
||||||
allow container_domain self:filesystem associate;
|
allow container_domain self:filesystem associate;
|
||||||
allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
|
allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
|
||||||
allow container_domain container_runtime_domain:socket_class_set { accept ioctl read getattr lock write append getopt setopt };
|
allow container_domain container_runtime_domain:socket_class_set { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
|
||||||
|
|
||||||
kernel_getattr_proc(container_domain)
|
kernel_getattr_proc(container_domain)
|
||||||
kernel_list_all_proc(container_domain)
|
kernel_list_all_proc(container_domain)
|
||||||
@ -970,16 +983,42 @@ kernel_dontaudit_write_usermodehelper_state(container_domain)
|
|||||||
kernel_read_irq_sysctls(container_domain)
|
kernel_read_irq_sysctls(container_domain)
|
||||||
kernel_get_sysvipc_info(container_domain)
|
kernel_get_sysvipc_info(container_domain)
|
||||||
|
|
||||||
fs_getattr_all_fs(container_domain)
|
|
||||||
fs_rw_inherited_tmpfs_files(container_domain)
|
|
||||||
fs_read_tmpfs_symlinks(container_domain)
|
|
||||||
fs_search_tmpfs(container_domain)
|
|
||||||
fs_list_hugetlbfs(container_domain)
|
|
||||||
fs_manage_hugetlbfs_files(container_domain)
|
|
||||||
fs_exec_hugetlbfs_files(container_domain)
|
|
||||||
fs_dontaudit_getattr_all_dirs(container_domain)
|
fs_dontaudit_getattr_all_dirs(container_domain)
|
||||||
fs_dontaudit_getattr_all_files(container_domain)
|
fs_dontaudit_getattr_all_files(container_domain)
|
||||||
|
fs_dontaudit_remount_tmpfs(container_domain)
|
||||||
|
fs_dontaudit_remount_tmpfs(container_domain)
|
||||||
|
fs_exec_fusefs_files(container_domain)
|
||||||
|
fs_exec_hugetlbfs_files(container_domain)
|
||||||
|
fs_fusefs_entrypoint(container_domain)
|
||||||
|
fs_getattr_all_fs(container_domain)
|
||||||
|
fs_list_cgroup_dirs(container_domain)
|
||||||
|
fs_list_hugetlbfs(container_domain)
|
||||||
|
fs_manage_bpf_files(container_domain)
|
||||||
|
fs_manage_fusefs_dirs(container_domain)
|
||||||
|
fs_manage_fusefs_files(container_domain)
|
||||||
|
fs_manage_fusefs_named_pipes(container_domain)
|
||||||
|
fs_manage_fusefs_named_sockets(container_domain)
|
||||||
|
fs_manage_fusefs_symlinks(container_domain)
|
||||||
|
fs_manage_hugetlbfs_files(container_domain)
|
||||||
|
fs_mount_fusefs(container_domain)
|
||||||
|
fs_unmount_fusefs(container_domain)
|
||||||
|
fs_mount_tmpfs(container_domain)
|
||||||
|
fs_unmount_tmpfs(container_domain)
|
||||||
|
fs_mount_xattr_fs(container_domain)
|
||||||
|
fs_unmount_xattr_fs(container_domain)
|
||||||
|
fs_mounton_cgroup(container_domain)
|
||||||
|
fs_mounton_fusefs(container_domain)
|
||||||
|
fs_read_cgroup_files(container_domain)
|
||||||
fs_read_nsfs_files(container_domain)
|
fs_read_nsfs_files(container_domain)
|
||||||
|
fs_read_tmpfs_symlinks(container_domain)
|
||||||
|
fs_remount_xattr_fs(container_domain)
|
||||||
|
fs_rw_inherited_tmpfs_files(container_domain)
|
||||||
|
fs_rw_onload_sockets(container_domain)
|
||||||
|
fs_search_tmpfs(container_domain)
|
||||||
|
fs_unmount_cgroup(container_domain)
|
||||||
|
fs_unmount_fusefs(container_domain)
|
||||||
|
fs_unmount_nsfs(container_domain)
|
||||||
|
fs_unmount_xattr_fs(container_domain)
|
||||||
|
|
||||||
term_use_all_inherited_terms(container_domain)
|
term_use_all_inherited_terms(container_domain)
|
||||||
|
|
||||||
@ -1003,18 +1042,6 @@ gen_require(`
|
|||||||
type cgroup_t;
|
type cgroup_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
dev_read_sysfs(container_domain)
|
|
||||||
dev_read_mtrr(container_domain)
|
|
||||||
dev_mounton_sysfs(container_t)
|
|
||||||
|
|
||||||
fs_mounton_cgroup(container_t)
|
|
||||||
fs_unmount_cgroup(container_t)
|
|
||||||
|
|
||||||
dev_read_rand(container_domain)
|
|
||||||
dev_write_rand(container_domain)
|
|
||||||
dev_read_urand(container_domain)
|
|
||||||
dev_write_urand(container_domain)
|
|
||||||
|
|
||||||
files_read_kernel_modules(container_domain)
|
files_read_kernel_modules(container_domain)
|
||||||
|
|
||||||
allow container_file_t cgroup_t:filesystem associate;
|
allow container_file_t cgroup_t:filesystem associate;
|
||||||
@ -1069,9 +1096,6 @@ gen_require(`
|
|||||||
')
|
')
|
||||||
dontaudit container_domain usermodehelper_t:file write;
|
dontaudit container_domain usermodehelper_t:file write;
|
||||||
|
|
||||||
fs_read_cgroup_files(container_domain)
|
|
||||||
fs_list_cgroup_dirs(container_domain)
|
|
||||||
|
|
||||||
sysnet_read_config(container_domain)
|
sysnet_read_config(container_domain)
|
||||||
|
|
||||||
allow container_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
|
allow container_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
|
||||||
@ -1099,20 +1123,6 @@ tunable_policy(`container_manage_cgroup',`
|
|||||||
fs_manage_cgroup_files(container_domain)
|
fs_manage_cgroup_files(container_domain)
|
||||||
')
|
')
|
||||||
|
|
||||||
fs_manage_fusefs_named_sockets(container_domain)
|
|
||||||
fs_manage_fusefs_named_pipes(container_domain)
|
|
||||||
fs_manage_fusefs_dirs(container_domain)
|
|
||||||
fs_manage_fusefs_files(container_domain)
|
|
||||||
fs_manage_fusefs_symlinks(container_domain)
|
|
||||||
fs_manage_fusefs_named_sockets(container_domain)
|
|
||||||
fs_manage_fusefs_named_pipes(container_domain)
|
|
||||||
fs_exec_fusefs_files(container_domain)
|
|
||||||
fs_mount_xattr_fs(container_domain)
|
|
||||||
fs_unmount_xattr_fs(container_domain)
|
|
||||||
fs_remount_xattr_fs(container_domain)
|
|
||||||
fs_mount_fusefs(container_domain)
|
|
||||||
fs_unmount_fusefs(container_domain)
|
|
||||||
fs_mounton_fusefs(container_domain)
|
|
||||||
storage_rw_fuse(container_domain)
|
storage_rw_fuse(container_domain)
|
||||||
allow container_domain fusefs_t:file { mounton execmod };
|
allow container_domain fusefs_t:file { mounton execmod };
|
||||||
allow container_domain fusefs_t:filesystem remount;
|
allow container_domain fusefs_t:filesystem remount;
|
||||||
@ -1187,6 +1197,7 @@ dev_mount_sysfs_fs(container_userns_t)
|
|||||||
dev_mounton_sysfs(container_userns_t)
|
dev_mounton_sysfs(container_userns_t)
|
||||||
|
|
||||||
fs_mount_tmpfs(container_userns_t)
|
fs_mount_tmpfs(container_userns_t)
|
||||||
|
fs_unmount_tmpfs(container_userns_t)
|
||||||
fs_relabelfrom_tmpfs(container_userns_t)
|
fs_relabelfrom_tmpfs(container_userns_t)
|
||||||
fs_remount_cgroup(container_userns_t)
|
fs_remount_cgroup(container_userns_t)
|
||||||
|
|
||||||
@ -1383,6 +1394,10 @@ tunable_policy(`container_use_devices',`
|
|||||||
allow container_domain device_node:blk_file {rw_blk_file_perms map};
|
allow container_domain device_node:blk_file {rw_blk_file_perms map};
|
||||||
')
|
')
|
||||||
|
|
||||||
|
tunable_policy(`container_use_dri_devices',`
|
||||||
|
dev_rw_dri(container_domain)
|
||||||
|
')
|
||||||
|
|
||||||
tunable_policy(`virt_sandbox_use_sys_admin',`
|
tunable_policy(`virt_sandbox_use_sys_admin',`
|
||||||
allow container_init_t self:capability sys_admin;
|
allow container_init_t self:capability sys_admin;
|
||||||
allow container_init_t self:cap_userns sys_admin;
|
allow container_init_t self:cap_userns sys_admin;
|
||||||
@ -1399,19 +1414,24 @@ fs_mounton_cgroup(container_engine_t)
|
|||||||
fs_unmount_cgroup(container_engine_t)
|
fs_unmount_cgroup(container_engine_t)
|
||||||
fs_manage_cgroup_dirs(container_engine_t)
|
fs_manage_cgroup_dirs(container_engine_t)
|
||||||
fs_manage_cgroup_files(container_engine_t)
|
fs_manage_cgroup_files(container_engine_t)
|
||||||
fs_mount_tmpfs(container_engine_t)
|
|
||||||
fs_write_cgroup_files(container_engine_t)
|
fs_write_cgroup_files(container_engine_t)
|
||||||
|
fs_remount_cgroup(container_engine_t)
|
||||||
allow container_engine_t proc_t:file mounton;
|
fs_mount_all_fs(container_engine_t)
|
||||||
allow container_engine_t sysctl_t:file mounton;
|
fs_remount_all_fs(container_engine_t)
|
||||||
allow container_engine_t sysfs_t:filesystem remount;
|
fs_unmount_all_fs(container_engine_t)
|
||||||
|
kernel_mounton_all_sysctls(container_engine_t)
|
||||||
kernel_mount_proc(container_engine_t)
|
kernel_mount_proc(container_engine_t)
|
||||||
kernel_mounton_core_if(container_engine_t)
|
|
||||||
kernel_mounton_proc(container_engine_t)
|
kernel_mounton_proc(container_engine_t)
|
||||||
|
kernel_mounton_core_if(container_engine_t)
|
||||||
kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)
|
kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)
|
||||||
|
|
||||||
term_mount_pty_fs(container_engine_t)
|
term_mount_pty_fs(container_engine_t)
|
||||||
|
term_use_generic_ptys(container_engine_t)
|
||||||
|
|
||||||
|
allow container_engine_t container_file_t:chr_file mounton;
|
||||||
|
allow container_engine_t filesystem_type:{dir file} mounton;
|
||||||
|
allow container_engine_t proc_kcore_t:file mounton;
|
||||||
|
allow container_engine_t proc_t:filesystem remount;
|
||||||
|
allow container_engine_t sysctl_t:{dir file} mounton;
|
||||||
|
|
||||||
type kubelet_t, container_runtime_domain;
|
type kubelet_t, container_runtime_domain;
|
||||||
domain_type(kubelet_t)
|
domain_type(kubelet_t)
|
||||||
@ -1516,6 +1536,9 @@ role container_user_r types container_user_domain;
|
|||||||
role container_user_r types container_net_domain;
|
role container_user_r types container_net_domain;
|
||||||
role container_user_r types container_file_type;
|
role container_user_r types container_file_type;
|
||||||
container_runtime_run(container_user_t, container_user_r)
|
container_runtime_run(container_user_t, container_user_r)
|
||||||
|
unconfined_role_change_to(container_user_r)
|
||||||
|
|
||||||
|
container_use_ptys(container_user_t)
|
||||||
|
|
||||||
fs_manage_cgroup_dirs(container_user_t)
|
fs_manage_cgroup_dirs(container_user_t)
|
||||||
fs_manage_cgroup_files(container_user_t)
|
fs_manage_cgroup_files(container_user_t)
|
||||||
@ -1524,6 +1547,12 @@ selinux_compute_access_vector(container_user_t)
|
|||||||
systemd_dbus_chat_hostnamed(container_user_t)
|
systemd_dbus_chat_hostnamed(container_user_t)
|
||||||
systemd_start_systemd_services(container_user_t)
|
systemd_start_systemd_services(container_user_t)
|
||||||
|
|
||||||
|
allow container_runtime_t container_user_t:process transition;
|
||||||
|
allow container_runtime_t container_user_t:process2 nnp_transition;
|
||||||
|
allow container_user_t container_runtime_t:fifo_file rw_fifo_file_perms;
|
||||||
|
|
||||||
|
allow container_user_t container_file_t:chr_file manage_chr_file_perms;
|
||||||
|
allow container_user_t container_file_t:file entrypoint;
|
||||||
|
|
||||||
allow container_domain container_file_t:file entrypoint;
|
allow container_domain container_file_t:file entrypoint;
|
||||||
allow container_domain container_ro_file_t:file { entrypoint execmod execute execute_no_trans getattr ioctl lock map open read };
|
allow container_domain container_ro_file_t:file { entrypoint execmod execute execute_no_trans getattr ioctl lock map open read };
|
||||||
@ -1533,3 +1562,8 @@ allow container_domain fusefs_t:file { append create entrypoint execmod execute
|
|||||||
corecmd_entrypoint_all_executables(container_kvm_t)
|
corecmd_entrypoint_all_executables(container_kvm_t)
|
||||||
allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
|
allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
|
||||||
allow svirt_sandbox_domain mountpoint:file entrypoint;
|
allow svirt_sandbox_domain mountpoint:file entrypoint;
|
||||||
|
|
||||||
|
tunable_policy(`deny_ptrace',`',`
|
||||||
|
allow container_domain self:process ptrace;
|
||||||
|
allow spc_t self:process ptrace;
|
||||||
|
')
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/run /var/run
|
/var/run /run
|
||||||
/run/lock /var/lock
|
/var/lock /run/lock
|
||||||
/var/run/lock /var/lock
|
/var/run/lock /var/lock
|
||||||
/lib /usr/lib
|
/lib /usr/lib
|
||||||
/lib64 /usr/lib
|
/lib64 /usr/lib
|
||||||
@ -10,6 +10,8 @@
|
|||||||
/etc/systemd/system /usr/lib/systemd/system
|
/etc/systemd/system /usr/lib/systemd/system
|
||||||
/run/systemd/system /usr/lib/systemd/system
|
/run/systemd/system /usr/lib/systemd/system
|
||||||
/run/systemd/generator /usr/lib/systemd/system
|
/run/systemd/generator /usr/lib/systemd/system
|
||||||
|
/run/systemd/generator.early /usr/lib/systemd/system
|
||||||
|
/run/systemd/generator.late /usr/lib/systemd/system
|
||||||
/var/lib/xguest/home /home
|
/var/lib/xguest/home /home
|
||||||
/var/run/netconfig /etc
|
/var/run/netconfig /etc
|
||||||
/var/adm/netconfig/md5/etc /etc
|
/var/adm/netconfig/md5/etc /etc
|
||||||
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:ed0bad67b8e0c601abcebefc191e3c0b97b05d6090d63e83e61f9fcda36f4903
|
|
||||||
size 767332
|
|
3
selinux-policy-20240411.tar.xz
Normal file
3
selinux-policy-20240411.tar.xz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:3570c8520464f6d7719a016ea1d7b65c1a276102d75fbdaf7be4e7decaa1307d
|
||||||
|
size 768484
|
@ -1,3 +1,107 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Jun 3 13:42:13 UTC 2024 - Johannes Segitz <jsegitz@suse.com>
|
||||||
|
|
||||||
|
- Remove "Reference" from the package description. It's not the
|
||||||
|
reference policy, but the Fedora branch of the policy
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue May 28 11:12:57 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
|
||||||
|
|
||||||
|
- Use python311 tools in 15.4 and 15.5 when building selinux-policy to deprecate
|
||||||
|
python36 tooling
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed May 8 11:06:43 UTC 2024 - Johannes Segitz <jsegitz@suse.com>
|
||||||
|
|
||||||
|
- Fixed varrun-convert.sh script to not break because of duplicate
|
||||||
|
entries
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon May 6 07:44:20 UTC 2024 - Johannes Segitz <jsegitz@suse.com>
|
||||||
|
|
||||||
|
- Move to %posttrans to ensure selinux-policy got updated before
|
||||||
|
the commands run (bsc#1221720)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Apr 15 13:23:40 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
|
||||||
|
|
||||||
|
- Add file contexts "forwarding" to file_contexts.sub_dist
|
||||||
|
to fix systemd-gpt-auto-generator and systemd-fstab-generator
|
||||||
|
(bsc#1222736):
|
||||||
|
* /run/systemd/generator.early /usr/lib/systemd/system
|
||||||
|
* /run/systemd/generator.late /usr/lib/systemd/system
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 11 15:13:31 UTC 2024 - cathy.hu@suse.com
|
||||||
|
|
||||||
|
- Update to version 20240411:
|
||||||
|
* Remove duplicate in sysnetwork.fc
|
||||||
|
* Rename /var/run/wicked* to /run/wicked*
|
||||||
|
* Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc
|
||||||
|
* policy: support pidfs
|
||||||
|
* Confine selinux-autorelabel-generator.sh
|
||||||
|
* Allow logwatch_mail_t read/write to init over a unix stream socket
|
||||||
|
* Allow logwatch read logind sessions files
|
||||||
|
* files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it
|
||||||
|
* files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it
|
||||||
|
* Allow NetworkManager the sys_ptrace capability in user namespace
|
||||||
|
* dontaudit execmem for modemmanager
|
||||||
|
* Allow dhcpcd use unix_stream_socket
|
||||||
|
* Allow dhcpc read /run/netns files
|
||||||
|
* Update mmap_rw_file_perms to include the lock permission
|
||||||
|
* Allow plymouthd log during shutdown
|
||||||
|
* Add logging_watch_all_log_dirs() and logging_watch_all_log_files()
|
||||||
|
* Allow journalctl_t read filesystem sysctls
|
||||||
|
* Allow cgred_t to get attributes of cgroup filesystems
|
||||||
|
* Allow wdmd read hardware state information
|
||||||
|
* Allow wdmd list the contents of the sysfs directories
|
||||||
|
* Allow linuxptp configure phc2sys and chronyd over a unix domain socket
|
||||||
|
* Allow sulogin relabel tty1
|
||||||
|
* Dontaudit sulogin the checkpoint_restore capability
|
||||||
|
* Modify sudo_role_template() to allow getpgid
|
||||||
|
* Allow userdomain get attributes of files on an nsfs filesystem
|
||||||
|
* Allow opafm create NFS files and directories
|
||||||
|
* Allow virtqemud create and unlink files in /etc/libvirt/
|
||||||
|
* Allow virtqemud domain transition on swtpm execution
|
||||||
|
* Add the swtpm.if interface file for interactions with other domains
|
||||||
|
* Allow samba to have dac_override capability
|
||||||
|
* systemd: allow sys_admin capability for systemd_notify_t
|
||||||
|
* systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
|
||||||
|
* Allow thumb_t to watch and watch_reads mount_var_run_t
|
||||||
|
* Allow krb5kdc_t map krb5kdc_principal_t files
|
||||||
|
* Allow unprivileged confined user dbus chat with setroubleshoot
|
||||||
|
* Allow login_userdomain map files in /var
|
||||||
|
* Allow wireguard work with firewall-cmd
|
||||||
|
* Differentiate between staff and sysadm when executing crontab with sudo
|
||||||
|
* Add crontab_admin_domtrans interface
|
||||||
|
* Allow abrt_t nnp domain transition to abrt_handle_event_t
|
||||||
|
* Allow xdm_t to watch and watch_reads mount_var_run_t
|
||||||
|
* Dontaudit subscription manager setfscreate and read file contexts
|
||||||
|
* Don't audit crontab_domain write attempts to user home
|
||||||
|
* Transition from sudodomains to crontab_t when executing crontab_exec_t
|
||||||
|
* Add crontab_domtrans interface
|
||||||
|
* Fix label of pseudoterminals created from sudodomain
|
||||||
|
* Allow utempter_t use ptmx
|
||||||
|
* Dontaudit rpmdb attempts to connect to sssd over a unix stream socket
|
||||||
|
* Allow admin user read/write on fixed_disk_device_t
|
||||||
|
* Only allow confined user domains to login locally without unconfined_login
|
||||||
|
* Add userdom_spec_domtrans_confined_admin_users interface
|
||||||
|
* Only allow admindomain to execute shell via ssh with ssh_sysadm_login
|
||||||
|
* Add userdom_spec_domtrans_admin_users interface
|
||||||
|
* Move ssh dyntrans to unconfined inside unconfined_login tunable policy
|
||||||
|
* Update ssh_role_template() for user ssh-agent type
|
||||||
|
* Allow init to inherit system DBus file descriptors
|
||||||
|
* Allow init to inherit fds from syslogd
|
||||||
|
* Allow any domain to inherit fds from rpm-ostree
|
||||||
|
* Update afterburn policy
|
||||||
|
* Allow init_t nnp domain transition to abrtd_t
|
||||||
|
* Rename all /var/lock file context entries to /run/lock
|
||||||
|
* Rename all /var/run file context entries to /run
|
||||||
|
- Add script varrun-convert.sh for locally existing modules
|
||||||
|
to be able to cope with the /var/run -> /run change
|
||||||
|
- Update embedded container-selinux to commit
|
||||||
|
a8e389dbcd3f9b6ed0a7e495c6f559c0383dc49e
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Mar 21 10:44:09 UTC 2024 - jsegitz@suse.com
|
Thu Mar 21 10:44:09 UTC 2024 - jsegitz@suse.com
|
||||||
|
|
||||||
|
@ -33,7 +33,7 @@ Summary: SELinux policy configuration
|
|||||||
License: GPL-2.0-or-later
|
License: GPL-2.0-or-later
|
||||||
Group: System/Management
|
Group: System/Management
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 20240321
|
Version: 20240411
|
||||||
Release: 0
|
Release: 0
|
||||||
Source0: %{name}-%{version}.tar.xz
|
Source0: %{name}-%{version}.tar.xz
|
||||||
Source1: container.fc
|
Source1: container.fc
|
||||||
@ -61,6 +61,9 @@ Source30: setrans-targeted.conf
|
|||||||
Source31: setrans-mls.conf
|
Source31: setrans-mls.conf
|
||||||
Source32: setrans-minimum.conf
|
Source32: setrans-minimum.conf
|
||||||
|
|
||||||
|
# Script to convert /var/run file context entries to /run
|
||||||
|
Source37: varrun-convert.sh
|
||||||
|
|
||||||
Source40: securetty_types-targeted
|
Source40: securetty_types-targeted
|
||||||
Source41: securetty_types-mls
|
Source41: securetty_types-mls
|
||||||
Source42: securetty_types-minimum
|
Source42: securetty_types-minimum
|
||||||
@ -80,20 +83,26 @@ Source95: macros.selinux-policy
|
|||||||
URL: https://github.com/fedora-selinux/selinux-policy.git
|
URL: https://github.com/fedora-selinux/selinux-policy.git
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
%if 0%{?suse_version} < 1600
|
||||||
|
%define python_for_executables python311
|
||||||
|
BuildRequires: %{python_for_executables}
|
||||||
|
BuildRequires: %{python_for_executables}-policycoreutils
|
||||||
|
%else
|
||||||
|
BuildRequires: %primary_python
|
||||||
|
BuildRequires: %{python_module policycoreutils}
|
||||||
|
%endif
|
||||||
BuildRequires: checkpolicy
|
BuildRequires: checkpolicy
|
||||||
BuildRequires: gawk
|
BuildRequires: gawk
|
||||||
BuildRequires: libxml2-tools
|
BuildRequires: libxml2-tools
|
||||||
BuildRequires: m4
|
BuildRequires: m4
|
||||||
BuildRequires: policycoreutils
|
BuildRequires: policycoreutils
|
||||||
BuildRequires: policycoreutils-devel
|
BuildRequires: policycoreutils-devel
|
||||||
BuildRequires: python3
|
|
||||||
BuildRequires: python3-policycoreutils
|
|
||||||
# we need selinuxenabled
|
# we need selinuxenabled
|
||||||
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
||||||
Requires(pre): pam-config
|
Requires(pre): pam-config
|
||||||
Requires(post): pam-config
|
Requires(posttrans): pam-config
|
||||||
Requires(post): selinux-tools
|
Requires(posttrans): selinux-tools
|
||||||
Requires(post): /usr/bin/sha512sum
|
Requires(posttrans): /usr/bin/sha512sum
|
||||||
Recommends: audit
|
Recommends: audit
|
||||||
Recommends: selinux-tools
|
Recommends: selinux-tools
|
||||||
# for audit2allow
|
# for audit2allow
|
||||||
@ -212,6 +221,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
|
|||||||
%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
|
%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
|
||||||
%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
|
%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
|
||||||
%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
|
%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
|
||||||
|
%ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
|
||||||
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
|
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
|
||||||
%nil
|
%nil
|
||||||
|
|
||||||
@ -248,6 +258,7 @@ fi;
|
|||||||
|
|
||||||
%define postInstall() \
|
%define postInstall() \
|
||||||
. %{_sysconfdir}/selinux/config; \
|
. %{_sysconfdir}/selinux/config; \
|
||||||
|
%{_libexecdir}/selinux/varrun-convert.sh %2; \
|
||||||
if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
|
if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
|
||||||
rm %{_sysconfdir}/selinux/%2/.rebuild; \
|
rm %{_sysconfdir}/selinux/%2/.rebuild; \
|
||||||
/usr/sbin/semodule -B -n -s %2; \
|
/usr/sbin/semodule -B -n -s %2; \
|
||||||
@ -292,9 +303,8 @@ for i in $contrib_modules $base_modules; do \
|
|||||||
done;
|
done;
|
||||||
|
|
||||||
%description
|
%description
|
||||||
SELinux Reference Policy. A complete SELinux policy that can be used
|
A complete SELinux policy that can be used as the system policy for a variety
|
||||||
as the system policy for a variety of systems and used as the basis for
|
of systems and used as the basis for creating other policies.
|
||||||
creating other policies.
|
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
@ -305,6 +315,7 @@ creating other policies.
|
|||||||
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
|
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
|
||||||
%{_tmpfilesdir}/selinux-policy.conf
|
%{_tmpfilesdir}/selinux-policy.conf
|
||||||
%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
||||||
|
%{_libexecdir}/selinux/varrun-convert.sh
|
||||||
|
|
||||||
%package sandbox
|
%package sandbox
|
||||||
Summary: SELinux policy sandbox
|
Summary: SELinux policy sandbox
|
||||||
@ -372,6 +383,9 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15}
|
|||||||
cp $i selinux_config
|
cp $i selinux_config
|
||||||
done
|
done
|
||||||
|
|
||||||
|
mkdir -p %{buildroot}%{_libexecdir}/selinux
|
||||||
|
install -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux
|
||||||
|
|
||||||
make clean
|
make clean
|
||||||
%if %{BUILD_TARGETED}
|
%if %{BUILD_TARGETED}
|
||||||
%makeCmds targeted mcs allow
|
%makeCmds targeted mcs allow
|
||||||
@ -527,12 +541,12 @@ Requires(pre): selinux-policy = %{version}-%{release}
|
|||||||
Requires: selinux-policy = %{version}-%{release}
|
Requires: selinux-policy = %{version}-%{release}
|
||||||
|
|
||||||
%description targeted
|
%description targeted
|
||||||
SELinux Reference policy targeted base module.
|
SELinux policy targeted base module.
|
||||||
|
|
||||||
%pre targeted
|
%pre targeted
|
||||||
%preInstall targeted
|
%preInstall targeted
|
||||||
|
|
||||||
%post targeted
|
%posttrans targeted
|
||||||
%postInstall $1 targeted
|
%postInstall $1 targeted
|
||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
@ -562,7 +576,7 @@ Requires(pre): selinux-policy = %{version}-%{release}
|
|||||||
Requires: selinux-policy = %{version}-%{release}
|
Requires: selinux-policy = %{version}-%{release}
|
||||||
|
|
||||||
%description minimum
|
%description minimum
|
||||||
SELinux Reference policy minimum base module.
|
SELinux policy minimum base module.
|
||||||
|
|
||||||
%pre minimum
|
%pre minimum
|
||||||
%preInstall minimum
|
%preInstall minimum
|
||||||
@ -623,12 +637,12 @@ Requires(pre): selinux-policy = %{version}-%{release}
|
|||||||
Requires: selinux-policy = %{version}-%{release}
|
Requires: selinux-policy = %{version}-%{release}
|
||||||
|
|
||||||
%description mls
|
%description mls
|
||||||
SELinux Reference policy mls base module.
|
SELinux policy mls base module.
|
||||||
|
|
||||||
%pre mls
|
%pre mls
|
||||||
%preInstall mls
|
%preInstall mls
|
||||||
|
|
||||||
%post mls
|
%posttrans mls
|
||||||
%postInstall $1 mls
|
%postInstall $1 mls
|
||||||
|
|
||||||
%postun mls
|
%postun mls
|
||||||
|
105
varrun-convert.sh
Normal file
105
varrun-convert.sh
Normal file
@ -0,0 +1,105 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
### varrun-convert.sh
|
||||||
|
### convert legacy filecontext entries containing /var/run to /run
|
||||||
|
### and load an extra selinux module with the new content
|
||||||
|
### the script takes a policy name as an argument
|
||||||
|
|
||||||
|
# Set DEBUG=yes before running the script to get more verbose output
|
||||||
|
# on the terminal and to the $LOG file
|
||||||
|
if [ "${DEBUG}" = "yes" ]; then
|
||||||
|
set -x
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Auxiliary and log files will be created in OUTPUTDIR
|
||||||
|
OUTPUTDIR="/run/selinux-policy"
|
||||||
|
LOG="$OUTPUTDIR/log"
|
||||||
|
mkdir -p ${OUTPUTDIR}
|
||||||
|
|
||||||
|
if [ -z ${1} ]; then
|
||||||
|
[ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
|
||||||
|
exit
|
||||||
|
fi
|
||||||
|
|
||||||
|
SEMODULEOPT="-s ${1}"
|
||||||
|
[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
|
||||||
|
|
||||||
|
# Take current file_contexts and unify whitespace separators
|
||||||
|
FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
|
||||||
|
FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
|
||||||
|
if [ ! -f ${FILE_CONTEXTS} ]; then
|
||||||
|
[ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
|
||||||
|
exit
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
|
||||||
|
[ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
|
||||||
|
EXTRA_VARRUN_ENTRIES_WITHDUP_TMP="$OUTPUTDIR/extra_varrun_entries_dup.tmp"
|
||||||
|
EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
|
||||||
|
EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"
|
||||||
|
|
||||||
|
# Print only /var/run entries
|
||||||
|
grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
|
||||||
|
|
||||||
|
# Unify whitespace separators
|
||||||
|
sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
|
||||||
|
sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
|
||||||
|
|
||||||
|
rm -f $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
|
||||||
|
touch $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
|
||||||
|
# Deduplicate already existing /var/run=/run entries
|
||||||
|
while read line
|
||||||
|
do
|
||||||
|
subline="${line#/var}"
|
||||||
|
if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
|
||||||
|
# check for overal duplicate entries
|
||||||
|
subline2=$(echo $line | sed -E -e 's/ \S+$//')
|
||||||
|
if ! grep -q "^${subline2}" ${EXTRA_VARRUN_ENTRIES_WITHDUP_TMP}; then
|
||||||
|
echo "$line"
|
||||||
|
echo "$line" >> $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
|
||||||
|
else
|
||||||
|
>&2 echo "DUP: $line"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}
|
||||||
|
|
||||||
|
# Change /var/run to /run
|
||||||
|
sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
|
||||||
|
|
||||||
|
# Exception handling: packages with already duplicate entries
|
||||||
|
sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
|
||||||
|
sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
|
||||||
|
sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}
|
||||||
|
|
||||||
|
# Change format to cil
|
||||||
|
sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
|
||||||
|
sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
|
||||||
|
sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
|
||||||
|
sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
|
||||||
|
sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
|
||||||
|
sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
|
||||||
|
sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
|
||||||
|
sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
|
||||||
|
sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
|
||||||
|
sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
|
||||||
|
|
||||||
|
# Handle entries with <<none>> which do not match previous regexps
|
||||||
|
sed -i s'/ <<none>>$/ ())/' ${EXTRA_VARRUN_ENTRIES}
|
||||||
|
|
||||||
|
# Wrap each line with an optional block
|
||||||
|
i=1
|
||||||
|
while read line
|
||||||
|
do
|
||||||
|
echo "(optional extra_var_run_${i}"
|
||||||
|
echo " $line"
|
||||||
|
echo ")"
|
||||||
|
((i++))
|
||||||
|
done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
|
||||||
|
|
||||||
|
# Load module
|
||||||
|
[ -s ${EXTRA_VARRUN_CIL} ] &&
|
||||||
|
/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
|
||||||
|
|
Loading…
Reference in New Issue
Block a user