forked from pool/selinux-policy
2eaa3b6b79
- Update to version 20240411: * Remove duplicate in sysnetwork.fc * Rename /var/run/wicked* to /run/wicked* * Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc * policy: support pidfs * Confine selinux-autorelabel-generator.sh * Allow logwatch_mail_t read/write to init over a unix stream socket * Allow logwatch read logind sessions files * files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it * files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it * Allow NetworkManager the sys_ptrace capability in user namespace * dontaudit execmem for modemmanager * Allow dhcpcd use unix_stream_socket * Allow dhcpc read /run/netns files * Update mmap_rw_file_perms to include the lock permission * Allow plymouthd log during shutdown * Add logging_watch_all_log_dirs() and logging_watch_all_log_files() * Allow journalctl_t read filesystem sysctls * Allow cgred_t to get attributes of cgroup filesystems * Allow wdmd read hardware state information * Allow wdmd list the contents of the sysfs directories * Allow linuxptp configure phc2sys and chronyd over a unix domain socket * Allow sulogin relabel tty1 * Dontaudit sulogin the checkpoint_restore capability * Modify sudo_role_template() to allow getpgid * Allow userdomain get attributes of files on an nsfs filesystem * Allow opafm create NFS files and directories * Allow virtqemud create and unlink files in /etc/libvirt/ * Allow virtqemud domain transition on swtpm execution * Add the swtpm.if interface file for interactions with other domains * Allow samba to have dac_override capability * systemd: allow sys_admin capability for systemd_notify_t * systemd: allow systemd_notify_t to send data to kernel_t datagram sockets * Allow thumb_t to watch and watch_reads mount_var_run_t * Allow krb5kdc_t map krb5kdc_principal_t files * Allow unprivileged confined user dbus chat with setroubleshoot * Allow login_userdomain map files in /var * Allow wireguard work with firewall-cmd * Differentiate between staff and sysadm when executing crontab with sudo * Add crontab_admin_domtrans interface * Allow abrt_t nnp domain transition to abrt_handle_event_t * Allow xdm_t to watch and watch_reads mount_var_run_t * Dontaudit subscription manager setfscreate and read file contexts * Don't audit crontab_domain write attempts to user home * Transition from sudodomains to crontab_t when executing crontab_exec_t * Add crontab_domtrans interface * Fix label of pseudoterminals created from sudodomain * Allow utempter_t use ptmx * Dontaudit rpmdb attempts to connect to sssd over a unix stream socket * Allow admin user read/write on fixed_disk_device_t * Only allow confined user domains to login locally without unconfined_login * Add userdom_spec_domtrans_confined_admin_users interface * Only allow admindomain to execute shell via ssh with ssh_sysadm_login * Add userdom_spec_domtrans_admin_users interface * Move ssh dyntrans to unconfined inside unconfined_login tunable policy * Update ssh_role_template() for user ssh-agent type * Allow init to inherit system DBus file descriptors * Allow init to inherit fds from syslogd * Allow any domain to inherit fds from rpm-ostree * Update afterburn policy * Allow init_t nnp domain transition to abrtd_t * Rename all /var/lock file context entries to /run/lock * Rename all /var/run file context entries to /run - Add script varrun-convert.sh for locally existing modules to be able to cope with the /var/run -> /run change - Update embedded container-selinux to commit a8e389dbcd3f9b6ed0a7e495c6f559c0383dc49e OBS-URL: https://build.opensuse.org/request/show/1166915 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=217
168 lines
13 KiB
Plaintext
168 lines
13 KiB
Plaintext
/root/\.docker gen_context(system_u:object_r:container_home_t,s0)
|
|
|
|
/usr/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/local/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/local/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
|
/usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
|
/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
|
/usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
|
/usr/s?bin/kubenswrapper.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
|
/usr/local/s?bin/kubenswrapper.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
|
/usr/s?bin/kubensenter.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
|
/usr/local/s?bin/kubensenter.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
|
|
/usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/s?bin/buildah -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/local/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
|
|
/usr/s?bin/lxc-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/s?bin/lxd-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/s?bin/lxc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/s?bin/lxd -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/s?bin/fuidshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/libexec/lxc/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/libexec/lxd/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/local/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/bin/conmon -- gen_context(system_u:object_r:conmon_exec_t,s0)
|
|
/usr/local/bin/conmon -- gen_context(system_u:object_r:conmon_exec_t,s0)
|
|
/usr/local/s?bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/s?bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/local/s?bin/buildkit-runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/s?bin/buildkit-runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/local/s?bin/crun -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/s?bin/crun -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/local/s?bin/kata-agent -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/s?bin/kata-agent -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/bin/container[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/bin/rhel-push-plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/sbin/rhel-push-plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/s?bin/docker-latest -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/s?bin/docker-current -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/s?bin/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0)
|
|
/usr/s?bin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/local/s?bin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/s?bin/ocid.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/lib/docker/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0)
|
|
/usr/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
/usr/local/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
|
|
|
|
/usr/lib/systemd/system/docker.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
|
|
/usr/lib/systemd/system/lxd.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
|
|
/usr/lib/systemd/system/containerd.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
|
|
/usr/lib/systemd/system/buildkit.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
|
|
|
|
/etc/docker(/.*)? gen_context(system_u:object_r:container_config_t,s0)
|
|
/etc/docker-latest(/.*)? gen_context(system_u:object_r:container_config_t,s0)
|
|
/etc/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0)
|
|
/etc/buildkit(/.*)? gen_context(system_u:object_r:container_config_t,s0)
|
|
/etc/crio(/.*)? gen_context(system_u:object_r:container_config_t,s0)
|
|
/exports(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
|
|
|
/var/lib/shared(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/registry(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
|
/var/lib/lxc(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
|
/var/lib/lxd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
|
/var/lib/docker(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
|
/var/lib/docker/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/docker/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
|
|
/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/docker/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/docker/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/docker/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
|
|
/var/lib/containerd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
|
# The "snapshots" directory of containerd and BuildKit must be writable, as it is used as an upperdir as well as a lowerdir.
|
|
/var/lib/containerd/[^/]*/snapshots(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
|
/var/lib/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/nerdctl(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/nerdctl/[^/]*/volumes(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
|
|
|
/var/lib/buildkit(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
|
/var/lib/buildkit/[^/]*/snapshots(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
|
# "/var/lib/buildkit/runc-<SNAPSHOTTER>/executor" contains "resolv.conf" and "hosts.<RANDOM>", for OCI (runc) worker mode.
|
|
/var/lib/buildkit/runc-.*/executor(/.*?) gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
# "/var/lib/buildkit/containerd-<SNAPSHOTTER>" contains resolv.conf and hosts.<RANDOM>, for containerd worker mode.
|
|
# Unlike the runc-<SNAPSHOTTER> directory, this directory does not contain the "executor" directory inside it.
|
|
/var/lib/buildkit/containerd-.*(/.*?) gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
|
|
HOME_DIR/\.local/share/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
HOME_DIR/\.local/share/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
HOME_DIR/\.local/share/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
HOME_DIR/\.local/share/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
HOME_DIR/\.local/share/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0)
|
|
|
|
/var/lib/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
|
/var/lib/containers/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/atomic(/.*)? <<none>>
|
|
/var/lib/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0)
|
|
/var/lib/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/ocid(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
|
/var/lib/ocid/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
|
|
/var/cache/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
|
/var/cache/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
|
|
/run/kata-containers(/.*)? gen_context(system_u:object_r:container_kvm_var_run_t,s0)
|
|
|
|
/var/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
|
/opt/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
|
|
|
/var/lib/origin(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
|
/var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
|
|
|
/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
|
/var/lib/kubelet/pod-resources/kubelet.sock gen_context(system_u:object_r:container_file_t,s0)
|
|
/var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
|
/var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
|
|
/var/lib/docker-latest/containers/.*/hostname gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/docker-latest/containers/.*/hosts gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/docker-latest/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/docker-latest/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/docker-latest/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
|
|
/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
|
/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
|
/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
|
/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
|
|
|
/run/containers(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
|
/run/crio(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
|
/run/docker(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
|
/run/containerd(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
|
/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
|
|
/run/buildkit(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
|
/run/docker\.pid -- gen_context(system_u:object_r:container_var_run_t,s0)
|
|
/run/docker\.sock -s gen_context(system_u:object_r:container_var_run_t,s0)
|
|
/run/docker-client(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
|
|
/run/docker/plugins(/.*)? gen_context(system_u:object_r:container_plugin_var_run_t,s0)
|
|
|
|
/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
|
/var/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
|
|
|
/run/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0)
|
|
|
|
/var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
|
/var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
|
/etc/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_file_t,s0)
|