├── .fmf └── version ├── .gitignore ├── .packit.yaml ├── CODE-OF-CONDUCT.md ├── LICENSE ├── Makefile ├── NOTICE ├── OWNERS ├── README.md ├── SECURITY.md ├── container.fc ├── container.if ├── container.te ├── container_contexts ├── container_selinux.8 ├── container_u ├── plans └── main.fmf ├── rpm ├── container-selinux.spec └── gating.yaml ├── test ├── main.fmf └── podman-tests.sh └── udica-templates ├── base_container.cil ├── config_container.cil ├── home_container.cil ├── log_container.cil ├── net_container.cil ├── tmp_container.cil ├── tty_container.cil ├── virt_container.cil └── x_container.cil /.fmf/version: -------------------------------------------------------------------------------- 1 | 1 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /container-selinux-e06212c.tar.gz 2 | -------------------------------------------------------------------------------- /.packit.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # See the documentation for more information: 3 | # https://packit.dev/docs/configuration/ 4 | 5 | downstream_package_name: container-selinux 6 | upstream_tag_template: v{version} 7 | 8 | # Ref: https://packit.dev/docs/configuration#files_to_sync 9 | files_to_sync: 10 | - src: rpm/gating.yaml 11 | dest: gating.yaml 12 | delete: true 13 | - src: plans/ 14 | dest: plans/ 15 | delete: true 16 | mkpath: true 17 | - src: test/ 18 | dest: test/ 19 | delete: true 20 | mkpath: true 21 | - src: .fmf/ 22 | dest: .fmf/ 23 | delete: true 24 | - .packit.yaml 25 | 26 | packages: 27 | container-selinux-fedora: 28 | pkg_tool: fedpkg 29 | specfile_path: rpm/container-selinux.spec 30 | container-selinux-centos: 31 | pkg_tool: centpkg 32 | specfile_path: rpm/container-selinux.spec 33 | container-selinux-eln: 34 | specfile_path: rpm/container-selinux.spec 35 | 36 | srpm_build_deps: 37 | - 
make 38 | 39 | jobs: 40 | - job: copr_build 41 | trigger: pull_request 42 | packages: [container-selinux-fedora] 43 | notifications: &copr_build_failure_notification 44 | failure_comment: 45 | message: "Ephemeral COPR build failed. @containers/packit-build please check." 46 | enable_net: true 47 | # container-selinux is noarch so we only need to test on one arch 48 | targets: &fedora_copr_targets 49 | - fedora-all-x86_64 50 | - fedora-all-aarch64 51 | 52 | - job: copr_build 53 | trigger: pull_request 54 | packages: [container-selinux-eln] 55 | notifications: *copr_build_failure_notification 56 | enable_net: true 57 | targets: 58 | - fedora-eln-x86_64 59 | - fedora-eln-aarch64 60 | 61 | - job: copr_build 62 | trigger: pull_request 63 | packages: [container-selinux-centos] 64 | notifications: *copr_build_failure_notification 65 | enable_net: true 66 | targets: &centos_copr_targets 67 | - centos-stream-9-x86_64 68 | - centos-stream-9-aarch64 69 | - centos-stream-10-x86_64 70 | - centos-stream-10-aarch64 71 | 72 | # Run on commit to main branch 73 | # Build targets managed in copr settings 74 | - job: copr_build 75 | trigger: commit 76 | packages: [container-selinux-fedora] 77 | notifications: 78 | failure_comment: 79 | message: "podman-next COPR build failed. @containers/packit-build please check." 80 | branch: main 81 | owner: rhcontainerbot 82 | project: podman-next 83 | enable_net: true 84 | 85 | # All tests specified in the `/plans/` subdir 86 | # Tests for Fedora 87 | - job: tests 88 | trigger: pull_request 89 | packages: [container-selinux-fedora] 90 | notifications: &test_failure_notification 91 | failure_comment: 92 | message: "Tests failed. @containers/packit-build please check." 
93 | targets: *fedora_copr_targets 94 | tf_extra_params: 95 | environments: 96 | - artifacts: 97 | - type: repository-file 98 | id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-$releasever/rhcontainerbot-podman-next-fedora-$releasever.repo 99 | 100 | # Tests for CentOS Stream 101 | - job: tests 102 | trigger: pull_request 103 | packages: [container-selinux-centos] 104 | notifications: *test_failure_notification 105 | targets: *centos_copr_targets 106 | tf_extra_params: 107 | environments: 108 | - artifacts: 109 | - type: repository-file 110 | id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/centos-stream-$releasever/rhcontainerbot-podman-next-centos-stream-$releasever.repo 111 | 112 | - job: propose_downstream 113 | trigger: release 114 | packages: [container-selinux-fedora] 115 | dist_git_branches: &fedora_targets 116 | - fedora-all 117 | 118 | - job: propose_downstream 119 | trigger: release 120 | packages: [container-selinux-centos] 121 | dist_git_branches: 122 | - c10s 123 | 124 | - job: koji_build 125 | trigger: commit 126 | packages: [container-selinux-fedora] 127 | dist_git_branches: *fedora_targets 128 | 129 | - job: bodhi_update 130 | trigger: commit 131 | packages: [container-selinux-fedora] 132 | dist_git_branches: 133 | - fedora-branched # rawhide updates are created automatically 134 | -------------------------------------------------------------------------------- /CODE-OF-CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## The container-selinux Project Community Code of Conduct 2 | 3 | The container-selinux project follows the [Containers Community Code of Conduct](https://github.com/containers/common/blob/master/CODE-OF-CONDUCT.md). 
4 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 
32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. 
The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 
97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 
128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. 
However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. 
Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. 
Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. 
For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 
279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | 294 | Copyright (C) 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 
319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 331 | 332 | , 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. 340 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | TARGETS ?= container 2 | MODULES ?= ${TARGETS:=.pp.bz2} 3 | # DATADIR seems to be the more commonly used variable 4 | # Point SHAREDIR to DATADIR by default to not break existing users 5 | DATADIR ?= /usr/share 6 | SHAREDIR ?= ${DATADIR} 7 | SYSCONFDIR ?= /etc 8 | 9 | all: ${TARGETS:=.pp.bz2} 10 | 11 | %.pp.bz2: %.pp 12 | @echo Compressing $^ -\> $@ 13 | bzip2 -f -9 $^ 14 | 15 | %.pp: %.te 16 | make -f ${SHAREDIR}/selinux/devel/Makefile $@ 17 | 18 | clean: 19 | rm -f *~ *.tc *.pp *.pp.bz2 20 | rm -rf tmp *.tar.gz 21 | 22 | man: install-policy 23 | sepolicy manpage --path . 
--domain ${TARGETS}_t 24 | 25 | install-policy: all 26 | semodule -i ${TARGETS}.pp.bz2 27 | 28 | install: man 29 | install -D -pm 644 ${TARGETS}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/container.pp.bz2 30 | install -D -pm 644 container.if ${DESTDIR}${SHAREDIR}/selinux/devel/include/services/container.if 31 | install -D -pm 644 container_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/container_selinux.8 32 | install -D -pm 644 container_contexts ${DESTDIR}${SHAREDIR}/containers/selinux/contexts 33 | 34 | install.selinux-user: 35 | install -D -pm 644 container_u ${DESTDIR}${SYSCONFDIR}/selinux/targeted/contexts/users/container_u 36 | 37 | install.udica-templates: 38 | install -dp $(DESTDIR)$(SHAREDIR)/udica/templates 39 | install -pm 644 udica-templates/*.cil $(DESTDIR)$(SHAREDIR)/udica/templates 40 | -------------------------------------------------------------------------------- /NOTICE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2015, 2020, Free Software Foundation, Inc. 2 | 3 | This program is free software; you can redistribute it and/or 4 | modify it under the terms of the GNU General Public License 5 | as published by the Free Software Foundation; either version 2 6 | of the License, or (at your option) any later version. 7 | 8 | This program is distributed in the hope that it will be useful, 9 | but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | GNU General Public License for more details. 12 | 13 | You should have received a copy of the GNU General Public License 14 | along with this program; if not, write to the Free Software 15 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
16 | -------------------------------------------------------------------------------- /OWNERS: -------------------------------------------------------------------------------- 1 | approvers: 2 | - haircommander 3 | - lsm5 4 | - rhatdan 5 | - wrabcak 6 | - zpytela 7 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SELinux Policy for Container Runtimes 2 | 3 | ## Blogs on SELinux Policy 4 | 5 | **[Container Labeling](https://danwalsh.livejournal.com/81269.html)** 6 | Explains `container_t` vs `container_var_lib_t` 7 | 8 | **[`container_t` versus `svirt_lxc_net_t`](https://danwalsh.livejournal.com/79191.html)** 9 | Clarifies `container_t` versus `svirt_lxc_net_t` aliases 10 | 11 | **[SELinux, Podman, and Libvirt](https://danwalsh.livejournal.com/81143.html)** 12 | Information regarding SELinux blocking Podman containers from talking to Libvirt 13 | 14 | **[Caution Relabeling Volumes with Container Runtimes](https://danwalsh.livejournal.com/76016.html)** 15 | Explains effects of relabeling volumes with `:Z` 16 | 17 | **[Container Domains (Types)](https://danwalsh.livejournal.com/81756.html)** 18 | Explanation of SELinux Domain types. 19 | 20 | **[Containers and MLS](https://danwalsh.livejournal.com/77830.html)** 21 | Container-selinux policy support of MLS (Multi Level Security). 22 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | ## Security and Disclosure Information Policy for the container-selinux Project 2 | 3 | The container-selinux Project follows the [Security and Disclosure Information Policy](https://github.com/containers/common/blob/master/SECURITY.md) for the Containers Projects. 
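--------------------------------------------------------------------------------
/container.fc:
--------------------------------------------------------------------------------
# File contexts for the container-selinux module.
#
# Type overview (as used by the interfaces in container.if):
#   container_runtime_exec_t  - entrypoints into the privileged container_runtime_t
#                               domain; anything matched here runs as the runtime.
#   container_var_lib_t       - runtime-private state under /var/lib.
#   container_ro_file_t       - shared, read-only content (image layers, sandbox
#                               files); the "share" interfaces operate on it.
#   container_file_t          - content containers are expected to write
#                               (volumes, snapshot upperdirs).
#   container_log_t / container_var_run_t / container_config_t - logs, runtime
#                               state under /run, and daemon configuration.

/root/\.docker gen_context(system_u:object_r:container_home_t,s0)

# NOTE(review): these are unanchored-suffix patterns (docker.*, containerd.*,
# kubelet.*, ...): every binary whose name starts with the prefix becomes an
# entrypoint for the corresponding domain, not just the daemon itself.
/usr/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/s?bin/kubenswrapper.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/local/s?bin/kubenswrapper.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/s?bin/kubensenter.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/local/s?bin/kubensenter.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/buildah -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)

/usr/s?bin/lxc-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/lxd-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/lxc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/lxd -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/fuidshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/libexec/lxc/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/libexec/lxd/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
# conmon gets its own entrypoint type (conmon_exec_t) rather than the runtime type.
/usr/bin/conmon -- gen_context(system_u:object_r:conmon_exec_t,s0)
/usr/local/bin/conmon -- gen_context(system_u:object_r:conmon_exec_t,s0)
/usr/local/s?bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/buildkit-runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/buildkit-runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/crun -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/crun -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/kata-agent -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/kata-agent -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/bin/container[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/bin/rhel-push-plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/sbin/rhel-push-plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/docker-latest -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/docker-current -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
# The novolume plugin runs in the separate, less privileged container_auth_t domain.
/usr/s?bin/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0)
/usr/s?bin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/ocid.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/lib/docker/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0)
/usr/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)

/usr/lib/systemd/system/docker.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/lxd.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/containerd.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/buildkit.* -- gen_context(system_u:object_r:container_unit_file_t,s0)

/etc/docker(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/etc/docker-latest(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/etc/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/etc/buildkit(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/etc/crio(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/exports(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)

/var/lib/shared(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/registry(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/lxc(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/lxd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/docker(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/docker/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)

/var/lib/containerd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
# The "snapshots" directory of containerd and BuildKit must be writable, as it is used as an upperdir as well as a lowerdir.
/var/lib/containerd/[^/]*/snapshots(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/lib/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/nerdctl(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/nerdctl/[^/]*/volumes(/.*)? gen_context(system_u:object_r:container_file_t,s0)

/var/lib/buildkit(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/buildkit/[^/]*/snapshots(/.*)? gen_context(system_u:object_r:container_file_t,s0)
# "/var/lib/buildkit/runc-*/executor" contains "resolv.conf" and "hosts", for OCI (runc) worker mode.
# The trailing group is "(/.*)?" (optional subtree), not "(/.*?)": the latter requires a
# "/" after "executor", so the directory itself would never match and restorecon would
# leave it as container_var_lib_t, disagreeing with the "executor" type_transition in
# container.if.
/var/lib/buildkit/runc-.*/executor(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
# "/var/lib/buildkit/containerd-*" contains resolv.conf and hosts, for containerd worker mode.
# Unlike the runc-* directory, this directory does not contain the "executor" directory inside it.
/var/lib/buildkit/containerd-.*(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)

# Rootless (per-user) storage: same layout as /var/lib/containers/storage, below.
HOME_DIR/\.local/share/ramalama(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/artifacts(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0)

/var/lib/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/containers/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
# "<<none>>" tells restorecon/setfiles to leave whatever label is already on the
# atomic subtree untouched (the rendered listing had collapsed this to "<>", which is
# not valid file-context syntax).
/var/lib/containers/atomic(/.*)? <<none>>
/var/lib/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0)
/var/lib/containers/storage/artifacts(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/ocid(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/ocid/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)

/var/cache/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/cache/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)

/run/kata-containers(/.*)? gen_context(system_u:object_r:container_kvm_var_run_t,s0)

/var/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/opt/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0)

/var/lib/origin(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)

/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/kubelet/pod-resources(/.*)? gen_context(system_u:object_r:kubelet_var_lib_t,s0)
/var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
/var/lib/docker-latest/containers/.*/hostname gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/containers/.*/hosts gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)

/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/crio(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)

/run/containers(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/run/crio(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/run/docker(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/run/containerd(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
/run/buildkit(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/run/docker\.pid -- gen_context(system_u:object_r:container_var_run_t,s0)
# The control socket: whoever may connect to it can drive the runtime, so it is kept
# in the runtime's own PID type rather than the generic var_run_t.
/run/docker\.sock -s gen_context(system_u:object_r:container_var_run_t,s0)
/run/docker-client(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/run/docker/plugins(/.*)? gen_context(system_u:object_r:container_plugin_var_run_t,s0)

/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)

/run/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0)

/var/log/kube-apiserver(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0)
# Holds kubelet/control-plane configuration and credentials; every interface that grants
# "manage" on container_config_t (container.if) also grants it here.
/etc/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_file_t,s0)
--------------------------------------------------------------------------------
/container.if:
--------------------------------------------------------------------------------
## <summary>The open-source application container engine.</summary>

########################################
## <summary>
##	Execute a container runtime binary (container_runtime_exec_t) with a
##	domain transition into container_runtime_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`container_runtime_domtrans',`
	gen_require(`
		type container_runtime_t, container_runtime_exec_t;
		# NOTE(review): container_runtime_tmpfs_t is required but not used by
		# this interface; harmless, but it can be dropped.
		type container_runtime_tmpfs_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, container_runtime_exec_t, container_runtime_t)
	# The runtime may change attributes of pipes it inherits from the caller.
	allow container_runtime_t $1:fifo_file setattr;
')

########################################
## <summary>
##	Execute container runtime in the container runtime domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.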
36 | ## 37 | ## 38 | ## 39 | # 40 | interface(`container_runtime_run',` 41 | gen_require(` 42 | type container_runtime_t; 43 | class dbus send_msg; 44 | ') 45 | 46 | container_runtime_domtrans($1) 47 | role $2 types container_runtime_t; 48 | allow $1 container_runtime_t:dbus send_msg; 49 | ') 50 | 51 | 52 | ######################################## 53 | ## 54 | ## Execute container in the caller domain. 55 | ## 56 | ## 57 | ## 58 | ## Domain allowed to transition. 59 | ## 60 | ## 61 | # 62 | interface(`container_runtime_exec',` 63 | gen_require(` 64 | type container_runtime_exec_t; 65 | ') 66 | 67 | corecmd_search_bin($1) 68 | can_exec($1, container_runtime_exec_t) 69 | ') 70 | 71 | ######################################## 72 | ## 73 | ## Read the process state of container runtime 74 | ## 75 | ## 76 | ## 77 | ## Domain allowed access. 78 | ## 79 | ## 80 | # 81 | interface(`container_read_state',` 82 | gen_require(` 83 | type container_runtime_t; 84 | ') 85 | 86 | ps_process_pattern($1, container_runtime_t) 87 | ') 88 | 89 | ######################################## 90 | ## 91 | ## Search container lib directories. 92 | ## 93 | ## 94 | ## 95 | ## Domain allowed access. 96 | ## 97 | ## 98 | # 99 | interface(`container_search_lib',` 100 | gen_require(` 101 | type container_var_lib_t; 102 | ') 103 | 104 | allow $1 container_var_lib_t:dir search_dir_perms; 105 | files_search_var_lib($1) 106 | ') 107 | 108 | ######################################## 109 | ## 110 | ## Execute container lib directories. 111 | ## 112 | ## 113 | ## 114 | ## Domain allowed access. 115 | ## 116 | ## 117 | # 118 | interface(`container_exec_lib',` 119 | gen_require(` 120 | type container_var_lib_t; 121 | ') 122 | 123 | allow $1 container_var_lib_t:dir search_dir_perms; 124 | can_exec($1, container_var_lib_t) 125 | ') 126 | 127 | ######################################## 128 | ## 129 | ## Read container lib files. 130 | ## 131 | ## 132 | ## 133 | ## Domain allowed access. 
134 | ## 135 | ## 136 | # 137 | interface(`container_read_lib_files',` 138 | gen_require(` 139 | type container_var_lib_t; 140 | ') 141 | 142 | files_search_var_lib($1) 143 | read_files_pattern($1, container_var_lib_t, container_var_lib_t) 144 | ') 145 | 146 | ######################################## 147 | ## 148 | ## Read container share files. 149 | ## 150 | ## 151 | ## 152 | ## Domain allowed access. 153 | ## 154 | ## 155 | # 156 | interface(`container_read_share_files',` 157 | gen_require(` 158 | type container_ro_file_t; 159 | ') 160 | 161 | files_search_var_lib($1) 162 | list_dirs_pattern($1, container_ro_file_t, container_ro_file_t) 163 | read_files_pattern($1, container_ro_file_t, container_ro_file_t) 164 | read_lnk_files_pattern($1, container_ro_file_t, container_ro_file_t) 165 | ') 166 | 167 | ######################################## 168 | ## 169 | ## Read container runtime tmpfs files. 170 | ## 171 | ## 172 | ## 173 | ## Domain allowed access. 174 | ## 175 | ## 176 | # 177 | interface(`container_runtime_read_tmpfs_files',` 178 | gen_require(` 179 | type container_runtime_tmpfs_t; 180 | ') 181 | 182 | files_search_var_lib($1) 183 | list_dirs_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t) 184 | read_files_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t) 185 | read_lnk_files_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t) 186 | ') 187 | 188 | ######################################## 189 | ## 190 | ## Manage container share files. 191 | ## 192 | ## 193 | ## 194 | ## Domain allowed access. 
195 | ## 196 | ## 197 | # 198 | interface(`container_manage_share_files',` 199 | gen_require(` 200 | type container_ro_file_t; 201 | ') 202 | 203 | files_search_var_lib($1) 204 | list_dirs_pattern($1, container_ro_file_t, container_ro_file_t) 205 | manage_files_pattern($1, container_ro_file_t, container_ro_file_t) 206 | manage_lnk_files_pattern($1, container_ro_file_t, container_ro_file_t) 207 | ') 208 | 209 | ######################################## 210 | ## 211 | ## Manage container share dirs. 212 | ## 213 | ## 214 | ## 215 | ## Domain allowed access. 216 | ## 217 | ## 218 | # 219 | interface(`container_manage_share_dirs',` 220 | gen_require(` 221 | type container_ro_file_t; 222 | ') 223 | 224 | files_search_var_lib($1) 225 | manage_dirs_pattern($1, container_ro_file_t, container_ro_file_t) 226 | ') 227 | 228 | ###################################### 229 | ## 230 | ## Allow the specified domain to execute container shared files 231 | ## in the caller domain. 232 | ## 233 | ## 234 | ## 235 | ## Domain allowed access. 236 | ## 237 | ## 238 | # 239 | interface(`container_exec_share_files',` 240 | gen_require(` 241 | type container_ro_file_t; 242 | ') 243 | 244 | can_exec($1, container_ro_file_t) 245 | ') 246 | 247 | ######################################## 248 | ## 249 | ## Manage container config files. 250 | ## 251 | ## 252 | ## 253 | ## Domain allowed access. 254 | ## 255 | ## 256 | # 257 | interface(`container_manage_config_files',` 258 | gen_require(` 259 | type container_config_t; 260 | type kubernetes_file_t; 261 | ') 262 | 263 | files_search_var_lib($1) 264 | manage_files_pattern($1, container_config_t, container_config_t) 265 | manage_dirs_pattern($1, kubernetes_file_t, kubernetes_file_t) 266 | manage_files_pattern($1, kubernetes_file_t, kubernetes_file_t) 267 | ') 268 | 269 | ######################################## 270 | ## 271 | ## Manage container lib files. 272 | ## 273 | ## 274 | ## 275 | ## Domain allowed access. 
276 | ## 277 | ## 278 | # 279 | interface(`container_manage_lib_files',` 280 | gen_require(` 281 | type container_var_lib_t; 282 | ') 283 | 284 | files_search_var_lib($1) 285 | manage_files_pattern($1, container_var_lib_t, container_var_lib_t) 286 | manage_lnk_files_pattern($1, container_var_lib_t, container_var_lib_t) 287 | ') 288 | 289 | ######################################## 290 | ## 291 | ## Manage container files. 292 | ## 293 | ## 294 | ## 295 | ## Domain allowed access. 296 | ## 297 | ## 298 | # 299 | interface(`container_manage_files',` 300 | gen_require(` 301 | type container_file_t; 302 | ') 303 | 304 | manage_files_pattern($1, container_file_t, container_file_t) 305 | manage_lnk_files_pattern($1, container_file_t, container_file_t) 306 | ') 307 | 308 | ######################################## 309 | ## 310 | ## Manage container directories. 311 | ## 312 | ## 313 | ## 314 | ## Domain allowed access. 315 | ## 316 | ## 317 | # 318 | interface(`container_manage_dirs',` 319 | gen_require(` 320 | type container_file_t; 321 | ') 322 | 323 | manage_dirs_pattern($1, container_file_t, container_file_t) 324 | ') 325 | 326 | ######################################## 327 | ## 328 | ## Manage container lib directories. 329 | ## 330 | ## 331 | ## 332 | ## Domain allowed access. 333 | ## 334 | ## 335 | # 336 | interface(`container_manage_lib_dirs',` 337 | gen_require(` 338 | type container_var_lib_t; 339 | ') 340 | 341 | files_search_var_lib($1) 342 | manage_dirs_pattern($1, container_var_lib_t, container_var_lib_t) 343 | ') 344 | 345 | ######################################## 346 | ## 347 | ## Create objects in a container var lib directory 348 | ## with an automatic type transition to 349 | ## a specified private type. 350 | ## 351 | ## 352 | ## 353 | ## Domain allowed access. 354 | ## 355 | ## 356 | ## 357 | ## 358 | ## The type of the object to create. 359 | ## 360 | ## 361 | ## 362 | ## 363 | ## The class of the object to be created. 
364 | ## 365 | ## 366 | ## 367 | ## 368 | ## The name of the object being created. 369 | ## 370 | ## 371 | # 372 | interface(`container_lib_filetrans',` 373 | gen_require(` 374 | type container_var_lib_t; 375 | ') 376 | 377 | filetrans_pattern($1, container_var_lib_t, $2, $3, $4) 378 | ') 379 | 380 | ######################################## 381 | ## 382 | ## Read container PID files. 383 | ## 384 | ## 385 | ## 386 | ## Domain allowed access. 387 | ## 388 | ## 389 | # 390 | interface(`container_read_pid_files',` 391 | gen_require(` 392 | type container_var_run_t; 393 | ') 394 | 395 | files_search_pids($1) 396 | read_files_pattern($1, container_var_run_t, container_var_run_t) 397 | ') 398 | 399 | ######################################## 400 | ## 401 | ## Execute container server in the container domain. 402 | ## 403 | ## 404 | ## 405 | ## Domain allowed to transition. 406 | ## 407 | ## 408 | # 409 | interface(`container_systemctl',` 410 | gen_require(` 411 | type container_runtime_t; 412 | type container_unit_file_t; 413 | ') 414 | 415 | systemd_exec_systemctl($1) 416 | init_reload_services($1) 417 | systemd_read_fifo_file_passwd_run($1) 418 | allow $1 container_unit_file_t:file read_file_perms; 419 | allow $1 container_unit_file_t:service manage_service_perms; 420 | 421 | ps_process_pattern($1, container_runtime_t) 422 | ') 423 | 424 | ######################################## 425 | ## 426 | ## Read and write container shared memory. 427 | ## 428 | ## 429 | ## 430 | ## Domain allowed access. 431 | ## 432 | ## 433 | # 434 | interface(`container_rw_sem',` 435 | gen_require(` 436 | type container_runtime_t; 437 | ') 438 | 439 | allow $1 container_runtime_t:sem rw_sem_perms; 440 | ') 441 | 442 | ######################################## 443 | ## 444 | ## Allow the specified domain to append 445 | ## to container files. 446 | ## 447 | ## 448 | ## 449 | ## Domain allowed access. 
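##	</summary>
## </param>
#
interface(`container_append_file',`
	gen_require(`
		type container_file_t;
	')

	append_files_pattern($1, container_file_t, container_file_t)
')

#######################################
## <summary>
##	Read and write the container pty type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`container_use_ptys',`
	gen_require(`
		type container_devpts_t;
	')

	allow $1 container_devpts_t:chr_file rw_term_perms;
')

#######################################
## <summary>
##	Allow domain to create container content with the default labels
##	that container.fc assigns to the same paths.
##
##	Every type_transition here must agree with container.fc; a name
##	listed in one but not the other means an object gets one label when
##	the runtime creates it and a different one after restorecon. The
##	entries for docker.sock, docker-client, crio, flannel, the
##	/var/log/{lxd,containers,pods} directories and ~root/.docker were
##	added to close such gaps.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`container_filetrans_named_content',`

	gen_require(`
		type container_var_lib_t;
		type container_file_t;
		type container_ro_file_t;
		type container_log_t;
		type container_var_run_t;
		type container_home_t;
		type kubernetes_file_t;
		type container_runtime_tmpfs_t;
		type container_kvm_var_run_t;
		type data_home_t;
	')

	# /run: pid files, control sockets and per-runtime state directories.
	files_pid_filetrans($1, container_var_run_t, file, "container.pid")
	files_pid_filetrans($1, container_var_run_t, file, "docker.pid")
	files_pid_filetrans($1, container_var_run_t, sock_file, "container.sock")
	files_pid_filetrans($1, container_var_run_t, sock_file, "docker.sock")
	files_pid_filetrans($1, container_var_run_t, dir, "container-client")
	files_pid_filetrans($1, container_var_run_t, dir, "docker-client")
	files_pid_filetrans($1, container_var_run_t, dir, "docker")
	files_pid_filetrans($1, container_var_run_t, dir, "containerd")
	files_pid_filetrans($1, container_var_run_t, dir, "buildkit")
	files_pid_filetrans($1, container_var_run_t, dir, "crio")
	files_pid_filetrans($1, container_var_run_t, dir, "flannel")
	files_pid_filetrans($1, container_var_run_t, dir, "ocid")
	files_pid_filetrans($1, container_var_run_t, dir, "containers")
	files_pid_filetrans($1, container_kvm_var_run_t, dir, "kata-containers")

	# /var/log
	logging_log_filetrans($1, container_log_t, dir, "kube-apiserver")
	logging_log_filetrans($1, container_log_t, dir, "lxc")
	logging_log_filetrans($1, container_log_t, dir, "lxd")
	logging_log_filetrans($1, container_log_t, dir, "containers")
	logging_log_filetrans($1, container_log_t, dir, "pods")

	# /var/lib (and /var for kata)
	files_var_lib_filetrans($1, container_var_lib_t, dir, "containers")
	files_var_lib_filetrans($1, container_file_t, dir, "origin")
	files_var_lib_filetrans($1, container_var_lib_t, dir, "ocid")
	files_var_lib_filetrans($1, container_var_lib_t, dir, "docker")
	files_var_lib_filetrans($1, container_var_lib_t, dir, "docker-latest")
	files_var_filetrans($1, container_ro_file_t, dir, "kata-containers")
	files_var_lib_filetrans($1, container_ro_file_t, dir, "kata-containers")
	files_var_lib_filetrans($1, container_var_lib_t, dir, "containerd")
	files_var_lib_filetrans($1, container_var_lib_t, dir, "buildkit")
	files_var_lib_filetrans($1, container_ro_file_t, dir, "shared")

	# Inside container_var_lib_t trees: writable volume data, read-only
	# per-container files and image/layer stores.
	filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "_data")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "config.env")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "hosts")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "hostname")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "resolv.conf")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "sandboxes")
	# The "snapshots" directory of containerd and BuildKit must be writable, as it is used as an upperdir as well as a lowerdir.
	# (lowerdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/3/fs,
	#  upperdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4/fs,
	#  workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4/work)
	filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "snapshots")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "init")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "artifacts")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-images")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-layers")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2-images")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2-layers")

	# "/var/lib/buildkit/runc-*/executor" contains "resolv.conf" and "hosts", for OCI (runc) worker mode.
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "executor")

	# "/var/lib/buildkit/containerd-*" contains resolv.conf and hosts, for containerd worker mode.
	# Unlike the runc-* directory, this directory does not contain the "executor" directory inside it.
	# Core snapshotters
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-overlayfs")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-native")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-btrfs")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-zfs")
	# Non-core snapshotters
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-fuse-overlayfs")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-nydus")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-overlaybd")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-stargz")
	# Third-party snapshotters
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-soci")

	# Rootless storage under ~/.local/share (data_home_t).
	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "ramalama")
	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "artifacts")
	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay")
	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-images")
	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-layers")
	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2")
	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-images")
	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-layers")

	# NOTE(review): container.fc marks /var/lib/containers/atomic as <<none>>
	# (label left alone), while this transition labels a new "atomic" dir
	# container_ro_file_t; confirm which is intended.
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "atomic")
	userdom_admin_home_dir_filetrans($1, container_home_t, dir, ".container")
	userdom_admin_home_dir_filetrans($1, container_home_t, dir, ".docker")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers")
	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "kata-containers")
	filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm")
	files_etc_filetrans($1, kubernetes_file_t, dir, "kubernetes")
')

########################################
## <summary>
##	Connect to the container runtime over a unix stream socket
##	(container_var_run_t or container_runtime_tmpfs_t sockets). Access
##	to the runtime socket is equivalent to control of the runtime.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`container_stream_connect',`
	gen_require(`
		type container_runtime_t, container_var_run_t, container_runtime_tmpfs_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, container_var_run_t, container_var_run_t, container_runtime_t)
	stream_connect_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t, container_runtime_t)
	allow $1 container_runtime_tmpfs_t:lnk_file read_lnk_file_perms;
')

########################################
## <summary>
##	Connect to SPC (super-privileged) containers over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`container_spc_stream_connect',`
	gen_require(`
		# NOTE(review): spc_var_run_t is required but not used; this
		# interface only grants connectto on spc_t sockets, so the caller
		# also needs write access to the socket file from elsewhere.
		type spc_t, spc_var_run_t;
	')

	files_search_pids($1)
	allow $1 spc_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	All of the rules required to administrate
##	an container environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.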
631 | ## 632 | ## 633 | # 634 | interface(`container_admin',` 635 | gen_require(` 636 | type container_runtime_t; 637 | type container_var_lib_t, container_var_run_t; 638 | type container_unit_file_t; 639 | type container_lock_t; 640 | type container_log_t; 641 | type container_config_t; 642 | type container_file_t; 643 | ') 644 | 645 | allow $1 container_runtime_t:process { ptrace signal_perms }; 646 | ps_process_pattern($1, container_runtime_t) 647 | 648 | admin_pattern($1, container_config_t) 649 | 650 | files_search_var_lib($1) 651 | admin_pattern($1, container_var_lib_t) 652 | 653 | files_search_pids($1) 654 | admin_pattern($1, container_var_run_t) 655 | 656 | files_search_locks($1) 657 | admin_pattern($1, container_lock_t) 658 | 659 | logging_search_logs($1) 660 | admin_pattern($1, container_log_t) 661 | 662 | container_systemctl($1) 663 | admin_pattern($1, container_unit_file_t) 664 | allow $1 container_unit_file_t:service all_service_perms; 665 | 666 | admin_pattern($1, container_file_t) 667 | 668 | optional_policy(` 669 | systemd_passwd_agent_exec($1) 670 | systemd_read_fifo_file_passwd_run($1) 671 | ') 672 | ') 673 | 674 | ######################################## 675 | ## 676 | ## Execute container_auth_exec_t in the container_auth domain. 677 | ## 678 | ## 679 | ## 680 | ## Domain allowed to transition. 681 | ## 682 | ## 683 | # 684 | interface(`container_auth_domtrans',` 685 | gen_require(` 686 | type container_auth_t, container_auth_exec_t; 687 | ') 688 | 689 | corecmd_search_bin($1) 690 | domtrans_pattern($1, container_auth_exec_t, container_auth_t) 691 | ') 692 | 693 | ###################################### 694 | ## 695 | ## Execute container_auth in the caller domain. 696 | ## 697 | ## 698 | ## 699 | ## Domain allowed access. 
700 | ## 701 | ## 702 | # 703 | interface(`container_auth_exec',` 704 | gen_require(` 705 | type container_auth_exec_t; 706 | ') 707 | 708 | corecmd_search_bin($1) 709 | can_exec($1, container_auth_exec_t) 710 | ') 711 | 712 | ######################################## 713 | ## 714 | ## Connect to container_auth over a unix stream socket. 715 | ## 716 | ## 717 | ## 718 | ## Domain allowed access. 719 | ## 720 | ## 721 | # 722 | interface(`container_auth_stream_connect',` 723 | gen_require(` 724 | type container_auth_t, container_plugin_var_run_t; 725 | ') 726 | 727 | files_search_pids($1) 728 | stream_connect_pattern($1, container_plugin_var_run_t, container_plugin_var_run_t, container_auth_t) 729 | ') 730 | 731 | ######################################## 732 | ## 733 | ## container domain typebounds calling domain. 734 | ## 735 | ## 736 | ## 737 | ## Domain to be typebound. 738 | ## 739 | ## 740 | # 741 | interface(`container_runtime_typebounds',` 742 | gen_require(` 743 | type container_runtime_t; 744 | ') 745 | 746 | allow container_runtime_t $1:process2 nnp_transition; 747 | ') 748 | 749 | ######################################## 750 | ## 751 | ## Allow any container_runtime_exec_t to be an entrypoint of this domain 752 | ## 753 | ## 754 | ## 755 | ## Domain allowed access. 
##
##
##
#
# Marks the runtime binary as a valid entry point for $1.  This is only
# the entrypoint half of a transition: the caller still needs the
# corresponding process transition rules to actually enter $1 through it.
interface(`container_runtime_entrypoint',`
	gen_require(`
		type container_runtime_exec_t;
	')
	allow $1 container_runtime_exec_t:file entrypoint;
')

#
# Backward-compatibility shims.  The docker_* interface names are kept for
# policies written against the old docker module; each one simply forwards
# to the container_* interface of the same meaning.  New policy should call
# the container_* names directly.
#
interface(`docker_exec_lib',`
	container_exec_lib($1)
')

interface(`docker_read_share_files',`
	container_read_share_files($1)
')

interface(`docker_exec_share_files',`
	container_exec_share_files($1)
')

interface(`docker_manage_lib_files',`
	container_manage_lib_files($1)
')


interface(`docker_manage_lib_dirs',`
	container_manage_lib_dirs($1)
')

interface(`docker_lib_filetrans',`
	container_lib_filetrans($1, $2, $3, $4)
')

interface(`docker_read_pid_files',`
	container_read_pid_files($1)
')

interface(`docker_systemctl',`
	container_systemctl($1)
')

interface(`docker_use_ptys',`
	container_use_ptys($1)
')

interface(`docker_stream_connect',`
	container_stream_connect($1)
')

interface(`docker_spc_stream_connect',`
	container_spc_stream_connect($1)
')

########################################
##
## Read the process state of spc containers
##
##
##
## Domain allowed access.
##
##
#
# Read-only /proc visibility into super privileged containers (spc_t);
# no signal or ptrace access is granted here.
interface(`container_spc_read_state',`
	gen_require(`
		type spc_t;
	')

	ps_process_pattern($1, spc_t)
')

########################################
##
## Creates types and rules for a basic
## container runtime process domain.
##
##
##
## Prefix for the domain.
##
##
#
# Declares $1_t as a container runtime domain (member of the
# container_runtime_domain attribute, so every rule in container.te that
# targets that attribute applies to it).  Security-relevant baseline
# granted to EVERY runtime created through this template:
#   - runnable from system_r and sysadm_r;
#   - exempt from the SELinux user and role change constraints, which the
#     runtime presumably needs to launch containers with arbitrary contexts;
#   - raw read/write of fixed disk devices (storage_raw_rw_fixed_disk);
#   - MLS read/write up to clearance.
# The container_var_lib_t / container_ro_file_t requirements are not used
# by the body; they only assert that those types exist.
template(`container_runtime_domain_template',`
	gen_require(`
		attribute container_runtime_domain;
		type container_runtime_t;
		type container_var_lib_t;
		type container_ro_file_t;
		role system_r, sysadm_r;
	')

	type $1_t, container_runtime_domain;
	role system_r types $1_t;
	role sysadm_r types $1_t;
	domain_type($1_t)
	# Allow changing SELinux user / role across transitions.
	domain_subj_id_change_exemption($1_t)
	domain_role_change_exemption($1_t)

	kernel_read_system_state($1_t)
	kernel_read_all_proc($1_t)

	mls_file_read_to_clearance($1_t)
	mls_file_write_to_clearance($1_t)

	# NOTE(review): direct access to fixed disk block devices is a
	# host-level privilege; every runtime domain inherits it.
	storage_raw_rw_fixed_disk($1_t)
	auth_use_nsswitch($1_t)
	logging_send_syslog_msg($1_t)
')

########################################
##
## Creates types and rules for a basic
## container process domain.
##
##
##
## Prefix for the domain.
##
##
##
##
## Prefix for the file type.
##
##
#
# Declares $1_t as a container (not runtime) domain and makes files of type
# $2_file_t valid entry points for it.  Everything the domain may do with
# its own content type comes from container_manage_files_template.
# As above, the required container_* types are unused by the body.
template(`container_domain_template',`
	gen_require(`
		attribute container_domain;
		type container_runtime_t;
		type container_var_lib_t;
		type container_ro_file_t;
	')

	type $1_t, container_domain;
	domain_type($1_t)
	# Exempt as a TARGET of user-change constraints (a runtime may start
	# this domain under a different SELinux user).
	domain_user_exemption_target($1_t)
	allow $1_t $2_file_t:file entrypoint;

	container_manage_files_template($1, $2)
')


########################################
##
## Manage container files template
##
##
##
## Prefix for the domain.
##
##
##
##
## Prefix for the file type.
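##
##
#
# Gives a container domain ($1_t) full control over its own content type
# ($2_file_t): create/delete/exec of every file class, mounting, tmpfs
# file transitions, plus MCS/MLS membership.  Note that relabelfrom and
# relabelto are both restricted to $2_file_t, so the domain can only
# relabel within its own label, never into or out of it.
# The required container_* types are not used by the body.
template(`container_manage_files_template',`
	gen_require(`
		attribute container_domain;
		type container_runtime_t;
		type container_var_lib_t;
		type container_ro_file_t;
	')


	# MCS/MLS: valid target of a range transition, and constrained by its
	# category set.
	mls_rangetrans_target($1_t)
	mcs_constrained($1_t)
	role system_r types $1_t;

	kernel_read_all_proc($1_t)

	# Relabel / map, within the own content type only.
	allow $1_t $2_file_t:dir_file_class_set { relabelfrom relabelto map };

	manage_files_pattern($1_t, $2_file_t, $2_file_t)
	exec_files_pattern($1_t, $2_file_t, $2_file_t)
	manage_lnk_files_pattern($1_t, $2_file_t, $2_file_t)
	manage_dirs_pattern($1_t, $2_file_t, $2_file_t)
	manage_chr_files_pattern($1_t, $2_file_t, $2_file_t)
	allow $1_t $2_file_t:chr_file { mmap_file_perms watch watch_reads };
	manage_blk_files_pattern($1_t, $2_file_t, $2_file_t)
	manage_fifo_files_pattern($1_t, $2_file_t, $2_file_t)
	manage_sock_files_pattern($1_t, $2_file_t, $2_file_t)
	# Mount on top of, and mount/remount/unmount filesystems labeled with,
	# the own content type.
	allow $1_t $2_file_t:{file dir} mounton;
	allow $1_t $2_file_t:filesystem { mount remount unmount };
	# (the relabelfrom/relabelto/map rule that was repeated here is already
	# granted above; the duplicate was dropped)

	fs_tmpfs_filetrans($1_t, $2_file_t, { dir file lnk_file })
')

########################################
##
## Read and write a spc_t unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
# Inherited (unnamed) pipes only -- no access to named fifos of spc_t.
interface(`container_spc_rw_pipes',`
	gen_require(`
		type spc_t;
	')

	allow $1 spc_t:fifo_file rw_inherited_fifo_file_perms;
')

########################################
##
## Execute kubelet_exec_t in the kubelet_t domain.
##
##
##
## Domain allowed to transition.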
##
##
#
# Standard transition: executing kubelet_exec_t from $1 lands in kubelet_t.
# (The summary line preceding this interface still reads "Execute container
# in the container domain"; the body is kubelet-specific.)
interface(`container_kubelet_domtrans',`
	gen_require(`
		type kubelet_t, kubelet_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, kubelet_exec_t, kubelet_t)
')

########################################
##
## Execute kubelet_exec_t in the kubelet_t domain
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
# Same as container_kubelet_domtrans, additionally authorizing role $2 for
# kubelet_t so an interactive user in that role can run the kubelet.
interface(`container_kubelet_run',`
	gen_require(`
		type kubelet_t;
	')

	container_kubelet_domtrans($1)
	role $2 types kubelet_t;
')

########################################
##
## Connect to kubelet over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
# Socket and parent directory are expected under the generic container
# run directory type (container_var_run_t), listener must be kubelet_t.
interface(`container_kubelet_stream_connect',`
	gen_require(`
		type kubelet_t, container_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, container_var_run_t, container_var_run_t, kubelet_t)
')

#######################################
##
## Create a file type used for container files.
##
##
## Type to be used for an container file.
##
##
#
# Turns $1 into a container content type: member of container_file_type
# (so every runtime rule written against that attribute applies to it),
# a regular file type, and a valid mount point.
interface(`container_file',`
	gen_require(`
		attribute container_file_type;
	')

	typeattribute $1 container_file_type;
	files_type($1)
	files_mountpoint($1)
')
--------------------------------------------------------------------------------
/container.te:
--------------------------------------------------------------------------------
policy_module(container, 2.238.0)

# passwd:rootok is granted to the runtime below; system_conf_t is
# presumably used further down in this file (not visible in this excerpt).
gen_require(`
	class passwd rootok;
	type system_conf_t;
')

########################################
#
# Declarations
#

# Tunables.  All of them default to off except container_use_dri_devices.
##
##
## Determine whether container can
## connect to all TCP ports.
##
##
gen_tunable(container_connect_any, false)

##
##
## Allow all container domains to read cert files and directories
##
##
gen_tunable(container_read_certs, false)

##
##
## Determine whether sshd can launch container engines
##
##
gen_tunable(sshd_launch_containers, false)

##
##
## Allow containers to use any device volume mounted into container
##
##
gen_tunable(container_use_devices, false)

##
##
## Allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration
##
##
gen_tunable(container_use_xserver_devices, false)

##
##
## Allow containers to use any dri device volume mounted into container
##
##
# NOTE(review): the only tunable in this group that is ON by default; it
# widens what every container may touch (DRI device nodes) out of the box.
gen_tunable(container_use_dri_devices, true)

##
##
## Allow sandbox containers to manage cgroup (systemd)
##
##
gen_tunable(container_manage_cgroup, false)

##
##
## Determine whether container can
## use ceph file system
##
##
gen_tunable(container_use_cephfs, false)

##
##
## Determine whether container can
## use ecrypt file system
##
##
gen_tunable(container_use_ecryptfs, false)

# container_runtime_t is the primary runtime domain (podman/docker/...);
# docker_t is kept as an alias for old policy.
attribute container_runtime_domain;
container_runtime_domain_template(container_runtime)
typealias container_runtime_t alias docker_t;

type container_runtime_exec_t alias docker_exec_t;
can_exec(container_runtime_t,container_runtime_exec_t)
# Attributes used throughout: all containers, user containers, containers
# with network access, containers running init, and container content.
attribute container_domain;
attribute container_user_domain;
attribute container_net_domain;
attribute container_init_domain;
attribute container_file_type;
# Runtime -> container launch: exec-time transition and dyntransition,
# also under no_new_privs and from nosuid mounts.  NOTE(review): a
# dyntransition via setcon() additionally needs process:setcurrent on self,
# which the local policy below withholds (self:process ~setcurrent), so
# confirm the dyntransition permission is still exercised.
allow container_runtime_domain container_domain:process { dyntransition transition };
allow container_domain container_runtime_domain:process sigchld;
allow container_runtime_domain container_domain:process2 { nnp_transition nosuid_transition };
dontaudit container_runtime_domain container_domain:process { noatsecure rlimitinh siginh };

# conmon: executed by the runtime and stays in the runtime domain; its
# range is pinned to s0 under both MCS and MLS.
type conmon_exec_t;
application_executable_file(conmon_exec_t)
can_exec(container_runtime_t, conmon_exec_t)
allow container_runtime_domain conmon_exec_t:file entrypoint;
ifdef(`enable_mcs',`
	range_transition container_runtime_t conmon_exec_t:process s0;
')
ifdef(`enable_mls',`
	range_transition container_runtime_t conmon_exec_t:process s0;
')

# spc_t: the super privileged container domain.  Only declared here; its
# access rules are not in this part of the file.
type spc_t;
domain_type(spc_t)
role system_r types spc_t;

type container_auth_t alias docker_auth_t;
type container_auth_exec_t alias docker_auth_exec_t;
init_daemon_domain(container_auth_t, container_auth_exec_t)

type spc_var_run_t;
files_pid_file(spc_var_run_t)

type kubernetes_file_t;
files_config_file(kubernetes_file_t)

# Image/storage state (/var/lib/containers and friends).
type container_var_lib_t alias docker_var_lib_t;
files_type(container_var_lib_t)

type container_home_t alias docker_home_t;
userdom_user_home_content(container_home_t)

type container_config_t alias docker_config_t;
files_config_file(container_config_t)

type container_lock_t alias docker_lock_t;
files_lock_file(container_lock_t)

type container_log_t alias docker_log_t;
logging_log_file(container_log_t)

type container_runtime_tmp_t alias docker_tmp_t;
files_tmp_file(container_runtime_tmp_t)

type container_runtime_tmpfs_t alias docker_tmpfs_t;
files_tmpfs_file(container_runtime_tmpfs_t)

type container_var_run_t alias docker_var_run_t;
files_pid_file(container_var_run_t)

type container_plugin_var_run_t alias docker_plugin_var_run_t;
files_pid_file(container_plugin_var_run_t)

type container_unit_file_t alias docker_unit_file_t;
systemd_unit_file(container_unit_file_t)

type container_devpts_t alias docker_devpts_t;
term_pty(container_devpts_t)

# container_ro_file_t (read-only image content) is declared elsewhere;
# here it gains the legacy share aliases, becomes container content, a
# mount point, and -- notably -- is treated as user home content.
typealias container_ro_file_t alias { container_share_t docker_share_t };
typeattribute container_ro_file_t container_file_type, user_home_type;
files_mountpoint(container_ro_file_t)
userdom_user_home_content(container_ro_file_t)

type container_port_t alias docker_port_t;
corenet_port(container_port_t)

# The runtime is a system daemon.  Under MLS it runs ranged up to
# mls_systemhigh; the equivalent MCS ranged rule is intentionally commented
# out.  It is also an MLS trusted object.
init_daemon_domain(container_runtime_t, container_runtime_exec_t)
#ifdef(`enable_mcs',`
#	init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mcs_systemhigh)
#')

ifdef(`enable_mls',`
	init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mls_systemhigh)
')
mls_trusted_object(container_runtime_t)


########################################
#
# container local policy
#
# NOTE(review): this narrow capability list is NOT the effective set.  The
# lxc rules section later in this file grants self:capability ~{ sys_module }
# to the same attribute, i.e. every capability except sys_module; read the
# two together when assessing what a runtime may do.
allow container_runtime_domain self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap sys_resource };
allow container_runtime_domain self:tun_socket { create_socket_perms relabelto };
# Every process permission except setcurrent: the runtime may not relabel
# itself with setcon(); it uses setexec plus an exec-time transition.
allow container_runtime_domain self:process ~setcurrent;
# passwd:rootok on self -- the runtime passes the libselinux password-change
# access check for itself (presumably needed when it manages users inside
# images; confirm which code path exercises this).
allow container_runtime_domain self:passwd rootok;
allow container_runtime_domain self:fd use;
allow container_runtime_domain self:dir mounton;
allow container_runtime_domain self:file mounton;

allow container_runtime_domain self:fifo_file rw_fifo_file_perms;
allow container_runtime_domain self:fifo_file manage_file_perms;
allow container_runtime_domain self:msg all_msg_perms;
allow container_runtime_domain self:sem create_sem_perms;
allow container_runtime_domain self:shm create_shm_perms;
allow container_runtime_domain self:msgq create_msgq_perms;
allow container_runtime_domain self:unix_stream_socket create_stream_socket_perms;
allow container_runtime_domain self:tcp_socket create_stream_socket_perms;
allow container_runtime_domain self:udp_socket create_socket_perms;
allow container_runtime_domain self:capability2 block_suspend;
# Port binding: the container port type, plus ICMP sockets on generic ports.
allow container_runtime_domain container_port_t:tcp_socket name_bind;
allow container_runtime_domain port_t:icmp_socket name_bind;
allow container_runtime_domain self:filesystem associate;
# Raw / packet / generic sockets and the netlink families the runtime uses
# for networking setup (netfilter, uevents, tcpdiag, generic netlink).
allow container_runtime_domain self:packet_socket create_socket_perms;
allow container_runtime_domain self:socket create_socket_perms;
allow container_runtime_domain self:rawip_socket create_stream_socket_perms;
allow container_runtime_domain self:netlink_netfilter_socket create_socket_perms;
allow container_runtime_domain self:netlink_kobject_uevent_socket create_socket_perms;
allow container_runtime_domain self:netlink_tcpdiag_socket create_netlink_socket_perms;
allow container_runtime_domain self:netlink_socket create_socket_perms;

corenet_tcp_bind_generic_node(container_runtime_domain)
corenet_udp_bind_generic_node(container_runtime_domain)
corenet_raw_bind_generic_node(container_runtime_domain)
corenet_tcp_sendrecv_all_ports(container_runtime_domain)
corenet_udp_sendrecv_all_ports(container_runtime_domain)
corenet_udp_bind_all_ports(container_runtime_domain)
corenet_tcp_bind_all_ports(container_runtime_domain)
corenet_tcp_connect_all_ports(container_runtime_domain)
# NOTE(review): the two SCTP rules target container_net_domain, i.e. the
# networked CONTAINERS, not the runtime, and they are unconditional -- they
# are not gated by container_connect_any like TCP.  Confirm that is intended.
corenet_sctp_bind_all_ports(container_net_domain)
corenet_sctp_connect_all_ports(container_net_domain)
corenet_rw_tun_tap_dev(container_runtime_domain)

container_auth_stream_connect(container_runtime_domain)

# Container content: full management of every file class, relabel within
# the container_file_type attribute, and execmod (text relocation) on it.
manage_files_pattern(container_runtime_domain, container_file_type, container_file_type)
manage_lnk_files_pattern(container_runtime_domain, container_file_type, container_file_type)
manage_blk_files_pattern(container_runtime_domain, container_file_type, container_file_type)
allow container_runtime_domain container_domain:key manage_key_perms;
manage_sock_files_pattern(container_runtime_domain, container_file_type, container_file_type)
allow container_runtime_domain container_file_type:dir_file_class_set {relabelfrom relabelto execmod};
allow container_runtime_domain container_file_type:dir_file_class_set mmap_file_perms;

# Home directories: ~/.container is created as container_home_t, but the
# runtime may also manage ALL user home content (rootless storage lives
# under the home directory).
manage_files_pattern(container_runtime_domain, container_home_t, container_home_t)
manage_dirs_pattern(container_runtime_domain, container_home_t, container_home_t)
manage_lnk_files_pattern(container_runtime_domain, container_home_t, container_home_t)
userdom_admin_home_dir_filetrans(container_runtime_domain, container_home_t, dir, ".container")
userdom_manage_user_home_content(container_runtime_domain)
userdom_map_user_home_files(container_runtime_t)

manage_dirs_pattern(container_runtime_domain, container_config_t, container_config_t)
manage_files_pattern(container_runtime_domain, container_config_t, container_config_t)
files_etc_filetrans(container_runtime_domain, container_config_t, dir, "containers")

manage_dirs_pattern(container_runtime_domain, container_lock_t, container_lock_t)
manage_files_pattern(container_runtime_domain, container_lock_t, container_lock_t)
files_lock_filetrans(container_runtime_domain, container_lock_t, { dir file }, "lxc")
files_manage_generic_locks(container_runtime_domain)

manage_dirs_pattern(container_runtime_domain, container_log_t, container_log_t)
manage_files_pattern(container_runtime_domain, container_log_t, container_log_t)
manage_lnk_files_pattern(container_runtime_domain, container_log_t, container_log_t)

logging_read_syslog_pid(container_runtime_domain)
logging_log_filetrans(container_runtime_domain, container_log_t, { dir file lnk_file })

allow container_runtime_domain container_log_t:dir_file_class_set { relabelfrom relabelto };
filetrans_pattern(container_runtime_domain, container_var_lib_t, container_log_t, file, "container-json.log")
# Files in image storage are valid entry points for the runtime domain
# (executing a binary out of storage keeps the runtime label).
allow container_runtime_domain { container_var_lib_t container_ro_file_t }:file entrypoint;

manage_dirs_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
manage_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
manage_sock_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
manage_lnk_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)

manage_dirs_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
manage_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
manage_lnk_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
manage_fifo_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
manage_chr_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
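manage_blk_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
allow container_runtime_domain container_runtime_tmpfs_t:dir relabelfrom;
# The runtime may execute content it created on tmpfs (memfd-style
# binaries); keep in mind when reasoning about write-then-exec paths.
can_exec(container_runtime_domain, container_runtime_tmpfs_t)
fs_tmpfs_filetrans(container_runtime_domain, container_runtime_tmpfs_t, dir_file_class_set)
allow container_runtime_domain container_runtime_tmpfs_t:chr_file mounton;

# Read-only image content (container_ro_file_t): full management of every
# file class, relabel within the type, and exec.
manage_dirs_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
manage_sock_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
allow container_runtime_domain container_ro_file_t:dir_file_class_set { relabelfrom relabelto };
can_exec(container_runtime_domain, container_ro_file_t)

# Storage state (container_var_lib_t): same, every file class.
manage_dirs_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
manage_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
manage_chr_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
manage_blk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)

# (a second copy of the container_ro_file_t dir/file manage rules that
# used to follow here was dropped; it is already granted above)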
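# (the repeated container_ro_file_t lnk/chr/blk manage rules and the second
# copy of the container_var_lib_t manage rules that used to sit in this
# stretch were dropped; both sets are already granted earlier in the file)

# Named transitions inside storage: these entries are created as read-only
# image content rather than container_var_lib_t.
filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "init")
filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay")
filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay2")
filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "config.env")
filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "hostname")
filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "hosts")

#container_filetrans_named_content(container_runtime_domain)

allow container_runtime_domain container_var_lib_t:dir_file_class_set { relabelfrom relabelto };
files_var_lib_filetrans(container_runtime_domain, container_var_lib_t, { dir file lnk_file })
files_var_filetrans(container_runtime_domain, container_var_lib_t, dir, "containers")

# Runtime state.  Note that objects the runtime creates under /tmp are also
# labeled container_var_run_t (files_tmp_filetrans).
manage_dirs_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
manage_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
manage_fifo_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
manage_sock_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
allow container_runtime_domain container_var_run_t:dir_file_class_set relabelfrom;

# Terminals: container ptys, plus use of every tty and every inherited
# terminal on the host.
allow container_runtime_domain container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(container_runtime_domain, container_devpts_t)
term_use_all_ttys(container_runtime_domain)
term_use_all_inherited_terms(container_runtime_domain)

# MLS: read/write/relabel up to clearance across files, processes,
# sockets and SysV IPC (container_runtime_t only, not the attribute).
mls_file_read_to_clearance(container_runtime_t)
mls_file_relabel_to_clearance(container_runtime_t)
mls_file_write_to_clearance(container_runtime_t)
mls_process_read_to_clearance(container_runtime_t)
mls_process_write_to_clearance(container_runtime_t)
mls_socket_read_to_clearance(container_runtime_t)
mls_socket_write_to_clearance(container_runtime_t)
mls_sysvipc_read_to_clearance(container_runtime_t)
mls_sysvipc_write_to_clearance(container_runtime_t)

kernel_read_network_state(container_runtime_domain)
kernel_read_all_sysctls(container_runtime_domain)
kernel_rw_net_sysctls(container_runtime_domain)
kernel_setsched(container_runtime_domain)
# NOTE(review): per its name this grants write access to EVERY sysctl, not
# just the net.* and kernel.unix ones granted separately -- host-wide
# kernel tuning from the runtime domain.
kernel_rw_all_sysctls(container_runtime_domain)
kernel_mounton_all_proc(container_runtime_domain)
fs_getattr_all_fs(container_runtime_domain)

domain_obj_id_change_exemption(container_runtime_t)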
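domain_subj_id_change_exemption(container_runtime_t)
domain_role_change_exemption(container_runtime_t)
domain_use_interactive_fds(container_runtime_domain)
# The dontaudit below is effectively a no-op wherever the allow that
# follows it already grants the same access; it only matters for any
# permission the allow does not cover.
domain_dontaudit_read_all_domains_state(container_runtime_domain)
domain_sigchld_all_domains(container_runtime_domain)
domain_read_all_domains_state(container_runtime_domain)
domain_getattr_all_domains(container_runtime_domain)
# (a duplicate domain_use_interactive_fds call was dropped here)

userdom_map_tmp_files(container_runtime_domain)

anaconda_domtrans_install(container_runtime_domain)

optional_policy(`
	gnome_map_generic_data_home_files(container_runtime_domain)
	allow container_runtime_domain data_home_t:dir { relabelfrom relabelto };
')

gen_require(`
	attribute domain;
')

# Pipes and descriptors inherited from ANY domain may be used.
allow container_runtime_domain domain:fifo_file rw_fifo_file_perms;
allow container_runtime_domain domain:fd use;

# Any bin or shell executable is both runnable in, and a valid entry point
# for, the runtime domain.
corecmd_exec_bin(container_runtime_domain)
corecmd_exec_shell(container_runtime_domain)
corecmd_exec_all_executables(container_runtime_domain)
corecmd_bin_entry_type(container_runtime_domain)
corecmd_shell_entry_type(container_runtime_domain)

# Several of these network rules repeat ones granted earlier in the file;
# they are harmless duplicates.
corenet_tcp_bind_generic_node(container_runtime_domain)
corenet_tcp_sendrecv_generic_if(container_runtime_domain)
corenet_tcp_sendrecv_generic_node(container_runtime_domain)
corenet_tcp_sendrecv_generic_port(container_runtime_domain)
corenet_tcp_bind_all_ports(container_runtime_domain)
corenet_tcp_connect_http_port(container_runtime_domain)
corenet_tcp_connect_commplex_main_port(container_runtime_domain)
corenet_udp_sendrecv_generic_if(container_runtime_domain)
corenet_udp_sendrecv_generic_node(container_runtime_domain)
corenet_udp_sendrecv_all_ports(container_runtime_domain)
corenet_udp_bind_generic_node(container_runtime_domain)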
corenet_udp_bind_all_ports(container_runtime_domain)

files_read_kernel_modules(container_runtime_domain)
files_read_config_files(container_runtime_domain)
files_dontaudit_getattr_all_dirs(container_runtime_domain)
files_dontaudit_getattr_all_files(container_runtime_domain)
# execmod on every file type (text relocations in arbitrary libraries).
files_execmod_all_files(container_runtime_domain)
files_search_all(container_runtime_domain)
files_read_usr_symlinks(container_runtime_domain)
files_search_locks(container_runtime_domain)
files_dontaudit_unmount_all_mountpoints(container_runtime_domain)

fs_read_cgroup_files(container_runtime_domain)
fs_read_tmpfs_symlinks(container_runtime_domain)
fs_search_all(container_runtime_domain)
fs_getattr_all_fs(container_runtime_domain)
fs_rw_onload_sockets(container_runtime_domain)

auth_dontaudit_getattr_shadow(container_runtime_domain)

# Host service control: the runtime can start and stop init-managed
# services and manage transient unit configuration.
init_read_state(container_runtime_domain)
init_status(container_runtime_domain)
init_stop(container_runtime_domain)
init_start(container_runtime_domain)
init_manage_config_transient_files(container_runtime_domain)

logging_send_audit_msgs(container_runtime_domain)

miscfiles_read_localization(container_runtime_domain)
miscfiles_dontaudit_access_check_cert(container_runtime_domain)
miscfiles_dontaudit_setattr_fonts_cache_dirs(container_runtime_domain)
miscfiles_read_fonts(container_runtime_domain)
miscfiles_read_hwdata(container_runtime_domain)
fs_relabel_cgroup_dirs(container_runtime_domain)
# fs_relabel_cgroup_files(container_runtime_domain)
# Relabel away from container process labels on file objects (e.g. when
# the runtime reclaims /proc entries of its containers).
allow container_runtime_domain container_domain:file relabelfrom;

mount_domtrans(container_runtime_domain)

seutil_read_default_contexts(container_runtime_domain)
seutil_read_config(container_runtime_domain)

sysnet_dns_name_resolve(container_runtime_domain)
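sysnet_exec_ifconfig(container_runtime_domain)

optional_policy(`
	cron_system_entry(container_runtime_t, container_runtime_exec_t)
')

optional_policy(`
	ssh_use_ptys(container_runtime_domain)
')

optional_policy(`
	rpm_exec(container_runtime_domain)
	rpm_read_cache(container_runtime_domain)
	rpm_read_db(container_runtime_domain)
	# (a duplicate rpm_exec call was dropped here)
')

optional_policy(`
	fstools_domtrans(container_runtime_domain)
')

# iptables is run from the runtime in unconfined_r, and iptables_t gets
# read access to container state so it can be driven by the runtime.
optional_policy(`
	gen_require(`
		role unconfined_r;
	')
	iptables_run(container_runtime_domain, unconfined_r)

	container_read_pid_files(iptables_t)
	container_read_state(iptables_t)
	container_append_file(iptables_t)
	allow iptables_t container_runtime_domain:fifo_file rw_fifo_file_perms;
	allow iptables_t container_file_type:dir list_dir_perms;
')

optional_policy(`
	openvswitch_stream_connect(container_runtime_domain)
')

optional_policy(`
	gen_require(`
		attribute named_filetrans_domain;
	')
	container_filetrans_named_content(named_filetrans_domain)
')

#
# lxc rules
#

# NOTE(review): this is the effective capability set of every runtime
# domain -- ALL capabilities except sys_module, and all capability2 bits
# except mac_override / mac_admin (so the runtime cannot bypass or
# administer SELinux itself).  The same holds inside user namespaces.  The
# much shorter capability list near the top of the local policy section is
# subsumed by these rules.
allow container_runtime_domain self:capability ~{ sys_module };
allow container_runtime_domain self:capability2 ~{ mac_override mac_admin };
allow container_runtime_domain self:cap_userns ~{ sys_module };
allow container_runtime_domain self:cap2_userns ~{ mac_override mac_admin };

allow container_runtime_domain self:process { getcap setcap setexec setpgid setsched signal_perms };

# (stray second semicolon removed from the route socket rule)
allow container_runtime_domain self:netlink_route_socket rw_netlink_socket_perms;
allow container_runtime_domain self:netlink_xfrm_socket create_netlink_socket_perms;
allow container_runtime_domain self:netlink_audit_socket create_netlink_socket_perms;
allow container_runtime_domain self:unix_dgram_socket { create_socket_perms sendto };
allow container_runtime_domain self:unix_stream_socket { create_stream_socket_perms connectto };

allow container_runtime_domain container_var_lib_t:dir mounton;
allow container_runtime_domain container_var_lib_t:chr_file mounton;
can_exec(container_runtime_domain, container_var_lib_t)

# kernel_dontaudit_setsched is redundant with the kernel_setsched allow
# granted earlier; harmless.  kernel_request_load_module lets the runtime
# ask the kernel to autoload modules even though sys_module is withheld.
kernel_dontaudit_setsched(container_runtime_domain)
kernel_get_sysvipc_info(container_runtime_domain)
kernel_request_load_module(container_runtime_domain)
kernel_mounton_messages(container_runtime_domain)
kernel_mounton_all_proc(container_runtime_domain)
kernel_mounton_all_sysctls(container_runtime_domain)
kernel_list_all_proc(container_runtime_domain)
kernel_read_all_sysctls(container_runtime_domain)
kernel_rw_net_sysctls(container_runtime_domain)
kernel_rw_unix_sysctls(container_runtime_domain)
kernel_dontaudit_search_kernel_sysctl(container_runtime_domain)
kernel_dontaudit_access_check_proc(container_runtime_domain)
kernel_dontaudit_setattr_proc_files(container_runtime_domain)
kernel_dontaudit_setattr_proc_dirs(container_runtime_domain)
kernel_dontaudit_write_usermodehelper_state(container_runtime_domain)

# Devices: read/write sysfs, loop and LVM control nodes (device-mapper and
# loop-backed storage), random sources, mtrr.
dev_setattr_null_dev(container_runtime_t)
dev_getattr_all(container_runtime_domain)
dev_getattr_sysfs_fs(container_runtime_domain)
dev_read_rand(container_runtime_domain)
dev_read_urand(container_runtime_domain)
dev_read_lvm_control(container_runtime_domain)
dev_rw_sysfs(container_runtime_domain)
dev_rw_loop_control(container_runtime_domain)
dev_rw_lvm_control(container_runtime_domain)
dev_read_mtrr(container_runtime_domain)

userdom_map_user_home_files(container_runtime_t)

# Unlabeled (initial SID) files: full management and exec.
files_getattr_isid_type_dirs(container_runtime_domain)
files_manage_isid_type_dirs(container_runtime_domain)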
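# Unlabeled (initial SID) content and /etc: the runtime may create, mount over
# and execute it.
files_manage_isid_type_files(container_runtime_domain)
files_manage_isid_type_symlinks(container_runtime_domain)
files_manage_isid_type_chr_files(container_runtime_domain)
files_manage_isid_type_blk_files(container_runtime_domain)
files_manage_etc_dirs(container_runtime_domain)
files_manage_etc_files(container_runtime_domain)
files_exec_isid_files(container_runtime_domain)
files_mounton_isid(container_runtime_domain)
files_mounton_non_security(container_runtime_domain)
files_mounton_isid_type_chr_file(container_runtime_domain)

# Filesystem operations.  fs_mount_all_fs/fs_remount_all_fs/fs_unmount_all_fs
# give the runtime mount control over every filesystem type; the narrower
# cgroup/hugetlbfs/tmpfs interfaces add content access on top of that.
# (Duplicate files_mounton_isid and fs_read_tmpfs_symlinks calls removed;
# identical interface calls add no permissions.)
fs_getattr_all_fs(container_runtime_domain)
fs_list_hugetlbfs(container_runtime_domain)
fs_manage_cgroup_dirs(container_runtime_domain)
fs_manage_cgroup_files(container_runtime_domain)
fs_manage_hugetlbfs_files(container_runtime_domain)
fs_mount_all_fs(container_runtime_domain)
fs_read_tmpfs_symlinks(container_runtime_domain)
fs_relabelfrom_tmpfs(container_runtime_domain)
fs_relabelfrom_xattr_fs(container_runtime_domain)
fs_remount_all_fs(container_runtime_domain)
fs_rw_inherited_tmpfs_files(container_runtime_domain)
fs_rw_nsfs_files(container_runtime_domain)
fs_search_tmpfs(container_runtime_domain)
fs_set_xattr_fs_quotas(container_runtime_domain)
fs_unmount_all_fs(container_runtime_domain)

# Terminal handling for attached containers.
term_use_generic_ptys(container_runtime_domain)
term_use_ptmx(container_runtime_domain)
term_getattr_pty_fs(container_runtime_domain)
term_relabel_pty_fs(container_runtime_domain)
term_mounton_unallocated_ttys(container_runtime_domain)

# Transition into the kernel-module loader domain (e.g. for modprobe).
modutils_domtrans_kmod(container_runtime_domain)

systemd_status_all_unit_files(container_runtime_domain)
systemd_start_systemd_services(container_runtime_domain)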
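# Unconditional logind/resolved D-Bus access.  A second, optional_policy-guarded
# systemd_dbus_chat_logind call exists later in the file; this unconditional
# one already requires the systemd module, so the guarded one is redundant.
systemd_dbus_chat_logind(container_runtime_domain)
systemd_chat_resolved(container_runtime_domain)

# Interaction with user sessions: home/tmp relabeling and terminal use.
userdom_stream_connect(container_runtime_domain)
userdom_search_user_home_content(container_runtime_domain)
userdom_read_all_users_state(container_runtime_domain)
userdom_relabel_user_home_files(container_runtime_domain)
userdom_relabel_user_tmp_files(container_runtime_domain)
userdom_relabel_user_tmp_dirs(container_runtime_domain)
userdom_use_inherited_user_terminals(container_runtime_domain)
userdom_use_user_ptys(container_runtime_domain)
userdom_connectto_stream(container_runtime_domain)

# NOTE(review): this rule is on container_domain (the containers), not the
# runtime, although it sits in the runtime section.  It covers every socket
# class, so the later container_domain -> init_t:unix_stream_socket rule with
# the same permission list is already implied by it.
allow container_domain init_t:socket_class_set { accept ioctl read getattr lock write append getopt };

# NFS-backed storage for the runtime (boolean virt_use_nfs).  A matching block
# for container_domain follows below; the execmod rule permits text
# relocation / W+X mappings on NFS files.
tunable_policy(`virt_use_nfs',`
	fs_manage_nfs_dirs(container_runtime_domain)
	fs_manage_nfs_files(container_runtime_domain)
	fs_manage_nfs_named_sockets(container_runtime_domain)
	fs_manage_nfs_symlinks(container_runtime_domain)
	fs_remount_nfs(container_runtime_domain)
	fs_mount_nfs(container_runtime_domain)
	fs_exec_nfs_files(container_runtime_domain)
	kernel_rw_fs_sysctls(container_runtime_domain)
	allow container_runtime_domain nfs_t:file execmod;
')

# CIFS/Samba-backed storage (boolean virt_use_samba), for both the runtime and
# the container domains.
tunable_policy(`virt_use_samba',`
	fs_manage_cifs_files(container_runtime_domain)
	fs_manage_cifs_dirs(container_runtime_domain)
	fs_manage_cifs_named_sockets(container_runtime_domain)
	fs_manage_cifs_symlinks(container_runtime_domain)
	fs_exec_cifs_files(container_runtime_domain)
	allow container_runtime_domain cifs_t:file execmod;

	fs_manage_cifs_files(container_domain)
	fs_manage_cifs_dirs(container_domain)
	fs_manage_cifs_named_sockets(container_domain)
	fs_manage_cifs_symlinks(container_domain)
	fs_exec_cifs_files(container_domain)
	allow container_domain cifs_t:file execmod;
')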
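# NFS-backed volumes for the container domains (boolean virt_use_nfs).  This is
# the container_domain half of the virt_use_nfs tunable; the runtime half is
# declared separately above.
tunable_policy(`virt_use_nfs',`
	fs_manage_nfs_dirs(container_domain)
	fs_manage_nfs_files(container_domain)
	fs_manage_nfs_named_sockets(container_domain)
	fs_manage_nfs_symlinks(container_domain)
	fs_mount_nfs(container_domain)
	fs_unmount_nfs(container_domain)
	fs_exec_nfs_files(container_domain)
	allow container_domain nfs_t:file execmod;
')

gen_require(`
	type cephfs_t;
')

# CephFS volumes (boolean container_use_cephfs): full manage + exec + execmod.
tunable_policy(`container_use_cephfs',`
	manage_files_pattern(container_domain, cephfs_t, cephfs_t)
	manage_lnk_files_pattern(container_domain, cephfs_t, cephfs_t)
	manage_dirs_pattern(container_domain, cephfs_t, cephfs_t)
	exec_files_pattern(container_domain, cephfs_t, cephfs_t)
	allow container_domain cephfs_t:file execmod;
')

# Host certificate store visible inside containers (boolean container_read_certs).
tunable_policy(`container_read_certs',`
	miscfiles_read_all_certs(container_domain)
')

gen_require(`
	type ecryptfs_t;
')

# eCryptfs-backed volumes (boolean container_use_ecryptfs).
tunable_policy(`container_use_ecryptfs',`
	manage_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
	manage_lnk_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
	manage_dirs_pattern(container_domain, ecryptfs_t, ecryptfs_t)
	exec_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
	allow container_domain ecryptfs_t:file execmod;
')

# FUSE filesystems are unconditionally available to the runtime.
fs_manage_fusefs_named_sockets(container_runtime_domain)
fs_manage_fusefs_dirs(container_runtime_domain)
fs_manage_fusefs_files(container_runtime_domain)
fs_manage_fusefs_symlinks(container_runtime_domain)
fs_mount_fusefs(container_runtime_domain)
fs_exec_fusefs_files(container_runtime_domain)
storage_rw_fuse(container_runtime_domain)

# Shared (read-only) image content for containers.  The same four
# container_*_share/ptys/spc calls are repeated in the container_t section
# later in the file; one copy would do.
files_search_all(container_domain)
container_read_share_files(container_domain)
container_exec_share_files(container_domain)
allow container_domain container_ro_file_t:file execmod;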
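container_lib_filetrans(container_domain,container_file_t, sock_file)
container_use_ptys(container_domain)
container_spc_stream_connect(container_domain)

optional_policy(`
	apache_exec_modules(container_runtime_domain)
	apache_read_sys_content(container_runtime_domain)
')

optional_policy(`
	gpm_getattr_gpmctl(container_runtime_domain)
')

# D-Bus: system and session bus client, talking to init (transient units),
# logind/machined, dnsmasq and firewalld when those modules are present.
optional_policy(`
	dbus_system_bus_client(container_runtime_domain)
	dbus_session_bus_client(container_runtime_domain)
	init_dbus_chat(container_runtime_domain)
	init_start_transient_unit(container_runtime_domain)

	optional_policy(`
		systemd_dbus_chat_logind(container_runtime_domain)
		systemd_dbus_chat_machined(container_runtime_domain)
	')

	optional_policy(`
		dnsmasq_dbus_chat(container_runtime_domain)
	')

	optional_policy(`
		firewalld_dbus_chat(container_runtime_domain)
	')
')

optional_policy(`
	lvm_domtrans(container_runtime_domain)
')

# logind may start the runtime and manage its files (session-scoped containers).
optional_policy(`
	gen_require(`
		type systemd_logind_t;
	')

	domtrans_pattern(systemd_logind_t, container_runtime_exec_t , container_runtime_t)
	container_manage_dirs(systemd_logind_t)
	container_manage_files(systemd_logind_t)
')

optional_policy(`
	udev_read_db(container_runtime_domain)
')

# Unconfined integration.  container_runtime_t itself is made an unconfined
# domain here (unconfined_domain), and unconfined processes may transition
# into the runtime and into container domains, including via dyntransition.
# Everything SELinux enforces on containers therefore hinges on the
# container-side domains, not on the runtime.
optional_policy(`
	gen_require(`
		role unconfined_r;
	')
	role unconfined_r types container_user_domain;
	role unconfined_r types spc_t;
	unconfined_domain(container_runtime_t)
	unconfined_run_to(container_runtime_t, container_runtime_exec_t)
	allow container_domain unconfined_domain_type:fifo_file { rw_fifo_file_perms map };
	allow container_runtime_domain unconfined_t:fifo_file setattr;
	allow unconfined_domain_type container_domain:process {transition dyntransition};
	allow unconfined_t unlabeled_t:key manage_key_perms;
	allow container_runtime_t unconfined_t:process transition;
	allow unconfined_domain_type { container_var_lib_t container_ro_file_t }:file entrypoint;
	fs_fusefs_entrypoint(unconfined_domain_type)

	domtrans_pattern(unconfined_domain_type, container_runtime_exec_t , container_runtime_t)
')

# libvirt / lxc integration.
optional_policy(`
	gen_require(`
		type virtd_lxc_t;
	')
	virt_read_config(container_runtime_domain)
	virt_exec(container_runtime_domain)
	virt_stream_connect(container_runtime_domain)
	virt_stream_connect_sandbox(container_runtime_domain)
	virt_exec_sandbox_files(container_runtime_domain)
	virt_manage_sandbox_files(container_runtime_domain)
	virt_relabel_sandbox_filesystem(container_runtime_domain)
	# for lxc
	virt_mounton_sandbox_file(container_runtime_domain)
	# virt_attach_sandbox_tun_iface(container_runtime_domain)
	allow container_runtime_domain container_domain:tun_socket relabelfrom;
	virt_sandbox_entrypoint(container_runtime_domain)
	allow container_runtime_domain virtd_lxc_t:unix_stream_socket { rw_stream_socket_perms connectto };
')

# Boolean container_connect_any: lets the runtime connect to / send on every
# TCP port rather than only the ports granted elsewhere.
tunable_policy(`container_connect_any',`
	corenet_tcp_connect_all_ports(container_runtime_domain)
	corenet_sendrecv_all_packets(container_runtime_domain)
	corenet_tcp_sendrecv_all_ports(container_runtime_domain)
')

########################################
#
# spc local policy
#
# spc_t is the privileged container domain: it is entered from container
# image content, tmpfs and FUSE, and (further down) receives unconfined-style
# access.  Treat any change here as a change to the host's trust boundary.
allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint;
role system_r types spc_t;
dontaudit spc_t self:memprotect mmap_zero;

domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
domtrans_pattern(container_runtime_domain, fusefs_t, spc_t)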
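fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file })

# The runtime may enter spc_t even with no_new_privs set or from a nosuid
# mount; spc_t may use text relocations on any container file type.
allow container_runtime_domain spc_t:process2 { nnp_transition nosuid_transition };
allow spc_t container_file_type:file execmod;

admin_pattern(spc_t, kubernetes_file_t)

allow spc_t container_runtime_domain:fifo_file manage_fifo_file_perms;
# spc_t may load kernel modules whose object files live on container content.
allow spc_t { container_ro_file_t container_file_t }:system module_load;

allow container_runtime_domain spc_t:process { dyntransition setsched signal_perms };
ps_process_pattern(container_runtime_domain, spc_t)
allow container_runtime_domain spc_t:socket_class_set { relabelto relabelfrom };
allow spc_t unlabeled_t:key manage_key_perms;
allow spc_t unlabeled_t:socket_class_set create_socket_perms;
fs_fusefs_entrypoint(spc_t)
corecmd_entrypoint_all_executables(spc_t)

init_dbus_chat(spc_t)

optional_policy(`
	systemd_dbus_chat_machined(spc_t)
	systemd_dbus_chat_logind(spc_t)
	systemd_dbus_chat_timedated(spc_t)
	systemd_dbus_chat_localed(spc_t)
')

# spc_t may transition into every domain in the policy.
domain_transition_all(spc_t)

anaconda_domtrans_install(spc_t)

optional_policy(`
	dbus_chat_system_bus(spc_t)
	dbus_chat_session_bus(spc_t)
	dnsmasq_dbus_chat(spc_t)
')

# Unconfined (with denials silenced), ptrace of every domain, and BPF
# map/program access against every domain.
optional_policy(`
	unconfined_domain_noaudit(spc_t)
	domain_ptrace_all_domains(spc_t)
	# This should eventually be in upstream policy.
	# https://github.com/fedora-selinux/selinux-policy/pull/806
	allow spc_t domain:bpf { map_create map_read map_write prog_load prog_run };
	allow daemon spc_t:dbus send_msg;
')

optional_policy(`
	rtkit_scheduled(spc_t)
')

# libvirt: spc_t and the runtime may hand off to svirt sandboxes, and the
# virt domains get read/write access to container content.
optional_policy(`
	virt_transition_svirt_sandbox(spc_t, system_r)
	virt_sandbox_entrypoint(spc_t)
	virt_sandbox_domtrans(container_runtime_domain, spc_t)
	virt_transition_svirt(spc_t, system_r)
	virt_sandbox_entrypoint(container_file_t)
	virt_sandbox_entrypoint(container_ro_file_t)

	gen_require(`
		attribute virt_domain;
		type virtd_t;
		role unconfined_r;
	')
	role unconfined_r types virt_domain;
	role unconfined_r types virtd_t;
	container_spc_read_state(virt_domain)
	container_spc_rw_pipes(virt_domain)
	allow container_runtime_t virtd_t:process transition;
	allow container_runtime_t virt_domain:process transition;
	allow virt_domain container_file_t:file entrypoint;
	allow virtd_t container_file_t:file entrypoint;
	manage_files_pattern(virt_domain, container_file_t, container_file_t)
	manage_dirs_pattern(virt_domain, container_file_t, container_file_t)
	manage_lnk_files_pattern(virt_domain, container_file_t, container_file_t)
	read_files_pattern(virt_domain, container_ro_file_t, container_ro_file_t)
	read_lnk_files_pattern(virt_domain, container_ro_file_t, container_ro_file_t)

	can_exec(virt_domain, container_file_t)

	manage_files_pattern(virtd_t, container_file_t, container_file_t)
	manage_dirs_pattern(virtd_t, container_file_t, container_file_t)
	manage_lnk_files_pattern(virtd_t, container_file_t, container_file_t)
	read_files_pattern(virtd_t, container_ro_file_t, container_ro_file_t)
	read_lnk_files_pattern(virtd_t, container_ro_file_t, container_ro_file_t)

	can_exec(virtd_t, container_file_t)
')

########################################
#
# container_auth local policy
#
# Credential-helper / auth plugin domain.  It owns container_plugin_var_run_t
# under /run and the runtime connects to it over a stream socket there.
allow container_auth_t self:fifo_file rw_fifo_file_perms;
allow container_auth_t self:unix_stream_socket create_stream_socket_perms;
dontaudit container_auth_t self:capability net_admin;

container_stream_connect(container_auth_t)

manage_dirs_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
manage_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
manage_sock_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
manage_lnk_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
files_pid_filetrans(container_auth_t, container_plugin_var_run_t, { dir file lnk_file sock_file })

stream_connect_pattern(container_runtime_domain, container_plugin_var_run_t, container_plugin_var_run_t, container_auth_t)
list_dirs_pattern(container_runtime_domain, container_plugin_var_run_t, container_plugin_var_run_t)

domain_use_interactive_fds(container_auth_t)

kernel_read_net_sysctls(container_auth_t)

auth_use_nsswitch(container_auth_t)

files_read_etc_files(container_auth_t)

miscfiles_read_localization(container_auth_t)

sysnet_dns_name_resolve(container_auth_t)

########################################
#
# container_t local policy
#
# Currently this is called in virt.te
# virt_sandbox_domain_template(container)
# typealias container_t alias svirt_lxc_net_t;
#
# Most rules below are written against the container_domain attribute and
# therefore apply to every confined container domain, not only container_t.
gen_require(`
	type container_t;
	type container_file_t;
')
container_manage_files_template(container, container)

typeattribute container_file_t container_file_type, user_home_type;
typeattribute container_t container_domain, container_net_domain, container_user_domain;
allow container_user_domain self:process getattr;
allow container_domain { container_var_lib_t container_ro_file_t container_file_t container_runtime_tmpfs_t}:file entrypoint;
allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms;
allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map };
allow container_domain container_runtime_t:unix_dgram_socket sendto;

allow container_domain container_runtime_domain:tun_socket relabelfrom;
allow container_domain container_runtime_domain:fd use;
allow container_runtime_domain container_domain:fd use;
allow container_domain self:socket_class_set { create_socket_perms map accept };
allow container_domain self:lnk_file setattr;
allow container_domain self:user_namespace create;

# Self-access for container processes.  Security-relevant grants in this
# group: execmem/execstack (writable+executable memory), passwd rootok,
# setexec/setfscreate (the process may pick its own exec/file-create context
# within what the policy allows), and key management.
# Duplicate self rules that appeared twice in this section (key, sem, shm,
# passwd, filesystem, netlink_kobject_uevent_socket) are listed once; the
# three unix_stream_socket rules and two unix_dgram_socket rules are folded
# into one each with the union of their permissions.
dontaudit container_domain self:capability fsetid;
allow container_domain self:association sendto;
allow container_domain self:dir list_dir_perms;
dontaudit container_domain self:dir { write add_name };
allow container_domain self:file rw_file_perms;
allow container_domain self:lnk_file read_file_perms;
allow container_domain self:fifo_file create_fifo_file_perms;
allow container_domain self:fifo_file watch;
allow container_domain self:fifo_file manage_file_perms;
allow container_domain self:filesystem associate;
allow container_domain self:key manage_key_perms;
allow container_domain self:netlink_route_socket r_netlink_socket_perms;
allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
allow container_domain self:netlink_xfrm_socket create_socket_perms;
allow container_domain self:packet_socket create_socket_perms;
allow container_domain self:passwd rootok;
allow container_domain self:peer recv;
allow container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop setexec setfscreate};
allow container_domain self:process { getrlimit signal_perms };
allow container_domain self:msg all_msg_perms;
allow container_domain self:msgq create_msgq_perms;
allow container_domain self:sem create_sem_perms;
allow container_domain self:shm create_shm_perms;
allow container_domain self:socket create_socket_perms;
allow container_domain self:tcp_socket create_socket_perms;
allow container_domain self:tun_socket { create_socket_perms relabelfrom relabelto attach_queue };
allow container_domain self:udp_socket create_socket_perms;
allow container_domain self:unix_dgram_socket { create_socket_perms sendto };
allow container_domain self:unix_stream_socket { create_stream_socket_perms connectto sendto };
dontaudit container_domain self:capability2 block_suspend ;

# These four calls also appear earlier in the file for container_domain;
# kept here so this section reads as a complete description of the domain.
container_read_share_files(container_domain)
container_exec_share_files(container_domain)
container_use_ptys(container_domain)
container_spc_stream_connect(container_domain)

# Device access for containers.  dev_rw_kvm gives every container domain
# read/write access to /dev/kvm; dev_mounton_sysfs is granted to container_t
# only, the rest to the attribute.
dev_dontaudit_mounton_sysfs(container_domain)
dev_getattr_mtrr_dev(container_domain)
dev_list_sysfs(container_domain)
dev_mounton_sysfs(container_t)
dev_read_mtrr(container_domain)
dev_read_rand(container_domain)
dev_read_sysfs(container_domain)
dev_read_urand(container_domain)
dev_rw_inherited_dri(container_domain)
dev_rw_kvm(container_domain)
dev_rwx_zero(container_domain)
dev_write_rand(container_domain)
dev_write_urand(container_domain)
allow container_domain sysfs_t:dir watch;

dontaudit container_domain container_runtime_tmpfs_t:dir read;
allow container_domain container_runtime_tmpfs_t:dir mounton;
can_exec(container_domain, container_runtime_tmpfs_t)

dontaudit container_domain container_domain:key search;

# Containers may use every socket the runtime hands them (bind-mounted or
# inherited sockets).
allow container_domain container_runtime_domain:socket_class_set { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };

# proc / sysctl visibility.  Kernel sysctl writes are silently denied
# (kernel_dontaudit_write_kernel_sysctl); net and unix sysctls are writable.
kernel_getattr_proc(container_domain)
kernel_list_all_proc(container_domain)
kernel_mounton_all_proc(container_domain)
kernel_read_all_sysctls(container_domain)
kernel_dontaudit_write_kernel_sysctl(container_domain)
kernel_read_network_state(container_domain)
kernel_rw_net_sysctls(container_domain)
kernel_rw_unix_sysctls(container_domain)
kernel_dontaudit_search_kernel_sysctl(container_domain)
kernel_dontaudit_access_check_proc(container_domain)
kernel_dontaudit_setattr_proc_files(container_domain)
kernel_dontaudit_setattr_proc_dirs(container_domain)
kernel_dontaudit_write_usermodehelper_state(container_domain)
kernel_read_irq_sysctls(container_domain)
kernel_get_sysvipc_info(container_domain)

fs_dontaudit_getattr_all_dirs(container_domain)
fs_dontaudit_getattr_all_files(container_domain)
fs_dontaudit_remount_tmpfs(container_domain)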
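# Filesystem access for container domains: FUSE (manage + mount + entrypoint),
# hugetlbfs, tmpfs and xattr filesystems (mount/unmount/remount), cgroup
# (list/read/mount-over/unmount; management is behind the
# container_manage_cgroup boolean later in the file) and BPF fs objects.
# (The duplicated fs_dontaudit_remount_tmpfs, fs_unmount_fusefs and
# fs_unmount_xattr_fs calls are listed once each.)
fs_exec_fusefs_files(container_domain)
fs_exec_hugetlbfs_files(container_domain)
fs_fusefs_entrypoint(container_domain)
fs_getattr_all_fs(container_domain)
fs_list_cgroup_dirs(container_domain)
fs_list_hugetlbfs(container_domain)
fs_manage_bpf_files(container_domain)
fs_manage_fusefs_dirs(container_domain)
fs_manage_fusefs_files(container_domain)
fs_manage_fusefs_named_pipes(container_domain)
fs_manage_fusefs_named_sockets(container_domain)
fs_manage_fusefs_symlinks(container_domain)
fs_manage_hugetlbfs_files(container_domain)
fs_mount_fusefs(container_domain)
fs_unmount_fusefs(container_domain)
fs_mount_tmpfs(container_domain)
fs_unmount_tmpfs(container_domain)
fs_mount_xattr_fs(container_domain)
fs_unmount_xattr_fs(container_domain)
fs_mounton_cgroup(container_domain)
fs_mounton_fusefs(container_domain)
fs_read_cgroup_files(container_domain)
fs_read_nsfs_files(container_domain)
fs_read_tmpfs_symlinks(container_domain)
fs_remount_xattr_fs(container_domain)
fs_rw_inherited_tmpfs_files(container_domain)
fs_rw_onload_sockets(container_domain)
fs_search_tmpfs(container_domain)
fs_unmount_cgroup(container_domain)
fs_unmount_nsfs(container_domain)

# Inherited terminals and user ptys/pipes (interactive `exec -it` sessions).
term_use_all_inherited_terms(container_domain)

userdom_use_user_ptys(container_domain)
userdom_rw_inherited_user_pipes(container_domain)

# container_t is exempted from the user-domain protections; keyring and
# process-state probes from containers against other domains are silenced
# rather than allowed.
domain_user_exemption_target(container_t)
domain_dontaudit_link_all_domains_keyrings(container_domain)
domain_dontaudit_search_all_domains_keyrings(container_domain)
domain_dontaudit_search_all_domains_state(container_domain)

virt_sandbox_net_domain(container_t)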
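logging_send_syslog_msg(container_t)

gen_require(`
	type container_file_t;
')
# fs_associate_cgroupfs(container_file_t)
gen_require(`
	type cgroup_t;
')

files_read_kernel_modules(container_domain)

allow container_file_t cgroup_t:filesystem associate;
term_pty(container_file_t)
logging_log_file(container_file_t)

# Boolean virt_sandbox_use_sys_admin: CAP_SYS_ADMIN for container_t.  Note that
# the cap_userns half is already granted unconditionally to all of
# container_domain just below, so only the init-namespace capability rule
# here is actually gated by the boolean.
tunable_policy(`virt_sandbox_use_sys_admin',`
	allow container_t self:capability sys_admin;
	allow container_t self:cap_userns sys_admin;
')

allow container_domain self:cap_userns sys_admin;
allow container_domain self:process { getsession execstack execmem };

# container_t gets unrestricted network access; the per-port rules on
# container_net_domain below are what confined net domains rely on.
corenet_unconfined(container_t)

optional_policy(`
	virt_default_capabilities(container_t)
')
kernel_rw_rpc_sysctls(container_domain)
kernel_rw_net_sysctls(container_domain)
kernel_read_messages(container_t)
kernel_read_network_state(container_domain)
kernel_dontaudit_write_proc_files(container_domain)

# Container Net Domain
# Bind to and connect on every TCP/UDP port, plus raw, packet and netlink
# (route, uevent, xfrm) sockets.
corenet_tcp_bind_generic_node(container_net_domain)
corenet_udp_bind_generic_node(container_net_domain)
corenet_raw_bind_generic_node(container_net_domain)
corenet_tcp_sendrecv_all_ports(container_net_domain)
corenet_udp_sendrecv_all_ports(container_net_domain)
corenet_udp_bind_all_ports(container_net_domain)
corenet_tcp_bind_all_ports(container_net_domain)
corenet_tcp_connect_all_ports(container_net_domain)

allow container_net_domain self:udp_socket create_socket_perms;
allow container_net_domain self:tcp_socket create_stream_socket_perms;
allow container_net_domain self:tun_socket create_socket_perms;
allow container_net_domain self:netlink_route_socket create_netlink_socket_perms;
allow container_net_domain self:sctp_socket listen;
allow container_net_domain self:packet_socket create_socket_perms;
allow container_net_domain self:socket create_socket_perms;
allow container_net_domain self:rawip_socket create_stream_socket_perms;
allow container_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
allow container_net_domain self:netlink_xfrm_socket create_netlink_socket_perms;

allow container_domain spc_t:unix_stream_socket { read write };
# The runtime may enter spc_t from unlabeled executables, and spc_t may be
# entered from unlabeled files.
kernel_unlabeled_domtrans(container_runtime_domain, spc_t)
kernel_unlabeled_entry_type(spc_t)
allow container_runtime_domain unlabeled_t:key manage_key_perms;
#kernel_dontaudit_write_usermodehelper_state(container_t)
gen_require(`
	type usermodehelper_t;
')
dontaudit container_domain usermodehelper_t:file write;

sysnet_read_config(container_domain)

# Default capability set inside a user namespace for every container domain
# (the init-namespace `capability` class is not granted here; see the
# virt_sandbox_use_all_caps / virt_sandbox_use_mknod booleans below).
allow container_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };

optional_policy(`
	gssproxy_stream_connect(container_domain)
')

optional_policy(`
	rpm_read_cache(container_domain)
	rpm_read_db(container_domain)
	rpm_transition_script(spc_t, system_r)
')

optional_policy(`
	sssd_stream_connect(container_domain)
')

optional_policy(`
	systemd_dbus_chat_logind(container_domain)
')

# Boolean container_manage_cgroup: write access to the cgroup hierarchy from
# inside containers (e.g. systemd as PID 1 in a container).
tunable_policy(`container_manage_cgroup',`
	fs_manage_cgroup_dirs(container_domain)
	fs_manage_cgroup_files(container_domain)
')

storage_rw_fuse(container_domain)
allow container_domain fusefs_t:file { mounton execmod };
allow container_domain fusefs_t:filesystem remount;

# Boolean virt_sandbox_use_netlink: generic and tcpdiag netlink sockets.  When
# it is off, audit-message denials are silenced instead.
tunable_policy(`virt_sandbox_use_netlink',`
	allow container_domain self:netlink_socket create_socket_perms;
	allow container_domain self:netlink_tcpdiag_socket create_netlink_socket_perms;
	allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
', `
	logging_dontaudit_send_audit_msgs(container_domain)
')

tunable_policy(`virt_sandbox_use_audit',`
	logging_send_audit_msgs(container_t)
')

optional_policy(`
	gen_require(`
		type sysctl_kernel_ns_last_pid_t;
	')

	kernel_search_network_sysctl(container_domain)
	allow container_domain sysctl_kernel_ns_last_pid_t:file rw_file_perms;
	allow container_domain sysctl_kernel_ns_last_pid_t:dir list_dir_perms;
')

# Boolean virt_sandbox_use_all_caps: every capability except sys_module and
# the MAC-override/admin pair, in both the init namespace and user namespaces,
# for ALL container domains.  This is the broadest switch in the file.
tunable_policy(`virt_sandbox_use_all_caps',`
	allow container_domain self:capability ~{ sys_module };
	allow container_domain self:capability2 ~{ mac_override mac_admin };
	allow container_domain self:cap_userns ~{ sys_module };
	allow container_domain self:cap2_userns ~{ mac_override mac_admin };
')

tunable_policy(`virt_sandbox_use_mknod',`
	allow container_domain self:capability mknod;
	allow container_domain self:cap_userns mknod;
')

# unconfined_service_t (e.g. a systemd service running unconfined) may start
# the runtime and dyntransition into container domains.
optional_policy(`
	gen_require(`
		role unconfined_r;
		type unconfined_service_t;
		type unconfined_service_exec_t;
	')

	virt_transition_svirt_sandbox(unconfined_service_t, system_r)
	container_filetrans_named_content(unconfined_service_t)
	container_runtime_domtrans(unconfined_service_t)
	role_transition unconfined_r unconfined_service_exec_t system_r;
	allow container_runtime_domain unconfined_service_t:fifo_file setattr;
	allow unconfined_service_t container_domain:process dyntransition;
	allow unconfined_service_t unlabeled_t:key manage_key_perms;
')

optional_policy(`
	gen_require(`
		attribute unconfined_domain_type;
	')

	container_filetrans_named_content(unconfined_domain_type)
	allow unconfined_domain_type container_domain:process2 { nnp_transition nosuid_transition };
	allow unconfined_domain_type unlabeled_t:key manage_key_perms;
')

#
# container_userns_t policy
#
# A container domain that is always granted the near-complete capability set
# (everything but sys_module / mac_override / mac_admin) in both the init
# namespace and user namespaces, i.e. the virt_sandbox_use_all_caps grant
# without the boolean.  The separate `mknod` rules that used to follow are
# already contained in the ~{ sys_module } complement and were dropped.
container_domain_template(container_userns, container)

typeattribute container_userns_t sandbox_net_domain, container_user_domain;
dev_mount_sysfs_fs(container_userns_t)
dev_mounton_sysfs(container_userns_t)

fs_mount_tmpfs(container_userns_t)
fs_unmount_tmpfs(container_userns_t)
fs_relabelfrom_tmpfs(container_userns_t)
fs_remount_cgroup(container_userns_t)

kernel_mount_proc(container_userns_t)
kernel_mounton_proc(container_userns_t)

term_use_generic_ptys(container_userns_t)
term_setattr_generic_ptys(container_userns_t)
term_mount_pty_fs(container_userns_t)

allow container_userns_t self:capability ~{ sys_module };
allow container_userns_t self:capability2 ~{ mac_override mac_admin };
allow container_userns_t self:cap_userns ~{ sys_module };
allow container_userns_t self:cap2_userns ~{ mac_override mac_admin };

optional_policy(`
	gen_require(`
		type proc_t, proc_kcore_t;
		type sysctl_t, sysctl_irq_t;
	')

	allow container_userns_t proc_t:filesystem { remount };
	allow container_userns_t proc_kcore_t:file mounton;
	allow container_userns_t sysctl_irq_t:dir mounton;
	allow container_userns_t sysctl_t:dir mounton;
	allow container_userns_t sysctl_t:file mounton;
')

# sys_admin is already inside the ~{ sys_module } complement granted above, so
# this boolean does not change what container_userns_t can do; kept for
# symmetry with container_t.
tunable_policy(`virt_sandbox_use_sys_admin',`
	allow container_userns_t self:capability sys_admin;
	allow container_userns_t self:cap_userns sys_admin;
')

# Container Logreader
# Read-only access to all host logs, including the audit log.
container_domain_template(container_logreader, container)
typeattribute container_logreader_t container_net_domain;
logging_read_all_logs(container_logreader_t)
# Remove once https://github.com/fedora-selinux/selinux-policy/pull/898 merges
allow container_logreader_t logfile:lnk_file read_lnk_file_perms;
logging_read_audit_log(container_logreader_t)
logging_list_logs(container_logreader_t)
allow container_logreader_t container_log_t:file watch;

# Container Logwriter
# Full management of every host log file (attribute logfile) and of the audit
# log; a compromise of this domain can alter or remove host audit evidence.
container_domain_template(container_logwriter, container)
typeattribute container_logwriter_t container_net_domain;
logging_read_all_logs(container_logwriter_t)
manage_files_pattern(container_logwriter_t, logfile, logfile)
manage_dirs_pattern(container_logwriter_t, logfile, logfile)
manage_lnk_files_pattern(container_logwriter_t, logfile, logfile)
logging_manage_audit_log(container_logwriter_t)
allow container_logwriter_t container_log_t:file watch;

# Interactive user roles.  sysadm_r may run every container domain and spc_t;
# staff_r and user_r are limited to container_user_domain.  All user domains
# receive the near-complete cap_userns set (everything but sys_module).
optional_policy(`
	gen_require(`
		type sysadm_t, staff_t, user_t;
		role sysadm_r, staff_r, user_r;
		attribute userdomain;
	')

	allow userdomain container_domain:process transition;

	can_exec(userdomain, container_runtime_exec_t)
	container_manage_files(userdomain)
	container_manage_share_dirs(userdomain)
	container_manage_share_files(userdomain)

	allow userdomain conmon_exec_t:file entrypoint;
	container_runtime_run(sysadm_t, sysadm_r)
	role sysadm_r types container_domain;
	role sysadm_r types spc_t;

	container_runtime_run(staff_t, staff_r)
	role staff_r types container_user_domain;

	allow userdomain self:cap_userns ~{ sys_module };
	container_read_state(userdomain)
	allow userdomain container_runtime_t:process { noatsecure rlimitinh siginh };
	container_runtime_run(user_t, user_r)
	role user_r types container_user_domain;

	staff_role_change_to(system_r)

	allow staff_t container_runtime_t:process signal_perms;
	allow staff_t container_domain:process signal_perms;
	allow container_domain userdomain:socket_class_set { accept ioctl read getattr lock write append getopt shutdown setopt };
')

gen_require(`
	type init_t;
')
container_manage_lib_files(init_t)
container_manage_lib_dirs(init_t)
container_manage_share_files(init_t)
container_manage_share_dirs(init_t)
container_filetrans_named_content(init_t)
container_runtime_read_tmpfs_files(init_t)

gen_require(`
	attribute device_node;
	type device_t;
	attribute sysctl_type;
')
dontaudit container_domain device_node:chr_file setattr;
dontaudit container_domain sysctl_type:file write;
# Already implied by the container_domain -> init_t:socket_class_set rule in
# the runtime section (same permission list, wider class set).
allow container_domain init_t:unix_stream_socket { accept ioctl read getattr lock write append getopt };

# NOTE(review): proc_t is only gen_require'd inside the optional_policy block
# for container_userns_t above; confirm it is also required at file scope
# (outside this excerpt) or this rule will fail to resolve.
allow container_t proc_t:filesystem remount;

# Container kvm - Policy for running kata containers
container_domain_template(container_kvm, container)
typeattribute container_kvm_t container_net_domain, container_user_domain;

type container_kvm_var_run_t;
files_pid_file(container_kvm_var_run_t)
filetrans_pattern(container_kvm_t, container_var_run_t, container_kvm_var_run_t, {file sock_file dir})
filetrans_pattern(container_runtime_t, container_var_run_t, container_kvm_var_run_t, dir, "kata-containers")

manage_dirs_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
manage_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
manage_fifo_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)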
manage_sock_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
manage_lnk_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
files_pid_filetrans(container_kvm_t, container_kvm_var_run_t, { dir file lnk_file sock_file })
# Exact duplicate of the line above; harmless, but should be dropped.
files_pid_filetrans(container_kvm_t, container_kvm_var_run_t, { dir file lnk_file sock_file })
allow container_kvm_t container_kvm_var_run_t:{file dir} mounton;

# Talks to the runtime over its unix stream socket and attaches queues to tun
# sockets owned by the runtime.
allow container_kvm_t container_runtime_t:unix_stream_socket rw_stream_socket_perms;

container_stream_connect(container_kvm_t)

allow container_kvm_t container_runtime_t:tun_socket attach_queue;

# VM backend devices: vhost (inherited fds only), vfio and, further down, kvm.
dev_rw_inherited_vhost(container_kvm_t)
dev_rw_vfio_dev(container_kvm_t)

corenet_rw_inherited_tun_tap_dev(container_kvm_t)
corecmd_exec_shell(container_kvm_t)
corecmd_exec_bin(container_kvm_t)
corecmd_bin_entry_type(container_kvm_t)

# virtiofs causes these AVC messages.
kernel_mount_proc(container_kvm_t)
kernel_mounton_proc(container_kvm_t)
kernel_unmount_proc(container_kvm_t)
kernel_dgram_send(container_kvm_t)
files_mounton_rootfs(container_kvm_t)

auth_read_passwd(container_kvm_t)
logging_send_syslog_msg(container_kvm_t)

# Only when the qemu module is present: the VM monitor may run in this domain.
optional_policy(`
	qemu_entry_type(container_kvm_t)
	qemu_exec(container_kvm_t)
	allow container_kvm_t qemu_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
')

manage_sock_files_pattern(container_kvm_t, container_file_t, container_file_t)

dev_rw_kvm(container_kvm_t)

sssd_read_public_files(container_kvm_t)

# Container init - Policy for running systemd based containers
# Wider than container_t: unrestricted network (corenet_unconfined), cgroup
# management, and the ability to (re)mount and unmount proc, sysfs, tmpfs and
# the device filesystem.  Rules written against container_init_domain apply to
# every domain carrying that attribute, not only container_init_t.
container_domain_template(container_init, container)
typeattribute container_init_t container_init_domain, container_net_domain, container_user_domain;

corenet_unconfined(container_init_t)

allow container_init_t device_t:filesystem { remount unmount };

dev_mounton_sysfs(container_init_domain)

fs_manage_cgroup_dirs(container_init_domain)
fs_manage_cgroup_files(container_init_domain)
fs_mounton_cgroup(container_init_domain)
fs_unmount_cgroup(container_init_domain)
fs_unmount_tmpfs(container_init_domain)

kernel_mounton_proc(container_init_t)
kernel_unmount_proc(container_init_t)

logging_send_syslog_msg(container_init_t)

allow container_init_domain proc_t:filesystem remount;

# Pulls in the virt module's default capability set when that module exists.
optional_policy(`
	virt_default_capabilities(container_init_t)
')

# Booleans.  container_use_devices hands every container_domain read/write/map
# on all character and block device nodes, i.e. it removes device isolation for
# all containers at once; prefer the narrower container_device_* domains below
# when only a few workloads need devices.
tunable_policy(`container_use_devices',`
	allow container_domain device_node:chr_file {rw_chr_file_perms map};
	allow container_domain device_node:blk_file {rw_blk_file_perms map};
')

# Scope differs between the next two booleans: the xserver rules apply only to
# container_t, while container_use_dri_devices covers the whole
# container_domain attribute.  container_use_xserver_devices is documented as
# disabled by default in container_selinux(8).
tunable_policy(`container_use_xserver_devices',`
	dev_getattr_xserver_misc_dev(container_t)
	dev_rw_xserver_misc(container_t)
')

tunable_policy(`container_use_dri_devices',`
	dev_rw_dri(container_domain)
')

tunable_policy(`virt_sandbox_use_sys_admin',`
	allow container_init_t self:capability sys_admin;
	allow container_init_t self:cap_userns sys_admin;
')

# Relay of audit messages over netlink for init-style containers.
allow container_init_domain self:netlink_audit_socket nlmsg_relay;

# container_engine_t is for running a container engine within a container
#
# The broadest container domain in this file: it may mount, remount and unmount
# any filesystem type, mount over /proc, /proc/kcore, sysctls and the standard
# device nodes, relabel fusefs content, and request kernel module loads
# (kernel_t:system module_request).  Treat it as trusted infrastructure rather
# than a general workload label.
container_domain_template(container_engine, container)
typeattribute container_engine_t container_net_domain;

fs_mounton_cgroup(container_engine_t)
fs_unmount_cgroup(container_engine_t)
fs_manage_cgroup_dirs(container_engine_t)
fs_manage_cgroup_files(container_engine_t)
fs_write_cgroup_files(container_engine_t)
fs_remount_cgroup(container_engine_t)
fs_mount_all_fs(container_engine_t)
fs_remount_all_fs(container_engine_t)
fs_unmount_all_fs(container_engine_t)
kernel_mounton_all_sysctls(container_engine_t)
kernel_mount_proc(container_engine_t)
kernel_mounton_proc(container_engine_t)
kernel_mounton_core_if(container_engine_t)
kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)
term_mount_pty_fs(container_engine_t)
term_use_generic_ptys(container_engine_t)

allow container_engine_t container_file_t:chr_file mounton;
allow container_engine_t filesystem_type:{dir file} mounton;
allow container_engine_t proc_kcore_t:file mounton;
allow container_engine_t proc_t:filesystem remount;
allow container_engine_t sysctl_t:{dir file} mounton;
allow container_engine_t fusefs_t:dir { relabelfrom relabelto };
allow container_engine_t fusefs_t:file relabelto;
allow container_engine_t kernel_t:system module_request;
# mounton over the standard device nodes (null, random, urandom, zero) --
# presumably for the nested engine's /dev setup.
allow container_engine_t null_device_t:chr_file { mounton setattr_chr_file_perms };
allow container_engine_t random_device_t:chr_file mounton;
allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
allow container_engine_t urandom_device_t:chr_file mounton;
allow container_engine_t zero_device_t:chr_file mounton;
allow container_engine_t container_file_t:sock_file mounton;
allow container_engine_t container_runtime_tmpfs_t:dir { ioctl list_dir_perms };
allow container_engine_t devpts_t:chr_file setattr;

manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)

optional_policy(`
	gen_require(`
		type devtty_t;
	')
	allow container_engine_t devtty_t:chr_file mounton;
')

# kubelet_t: the kubelet is a container_runtime_domain.  When the unconfined
# module is present it is made fully unconfined just below, so SELinux does not
# restrict the kubelet process itself; the confinement value lies in the labels
# applied to the containers it starts.
type kubelet_t, container_runtime_domain;
domain_type(kubelet_t)

optional_policy(`
	gen_require(`
		role unconfined_r;
	')
	role unconfined_r types kubelet_t;
	unconfined_domain(kubelet_t)
')

# Duplicate of the identical rule above the kubelet_t declaration; should be
# removed.
manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)

type kubelet_exec_t;
application_executable_file(kubelet_exec_t)
can_exec(container_runtime_t, kubelet_exec_t)
allow kubelet_t kubelet_exec_t:file entrypoint;

type kubelet_var_lib_t;
files_type(kubelet_var_lib_t)

manage_dirs_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_lnk_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_sock_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)

files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir, "pod-resources")
filetrans_pattern(kubelet_t, container_var_lib_t, kubelet_var_lib_t, dir, "pod-resources")

# Started with the full MCS/MLS range (presumably so it can manage containers
# at any category set) and marked an MLS trusted object.
ifdef(`enable_mcs',`
	init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
	init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mls_systemhigh)
')
mls_trusted_object(kubelet_t)

init_daemon_domain(kubelet_t, kubelet_exec_t)

admin_pattern(kubelet_t, kubernetes_file_t)

# sysadm_r may run the kubelet; an unconfined_r caller executing
# kubelet_exec_t ends up in kubelet_t under system_r.
optional_policy(`
	gen_require(`
		type sysadm_t;
		role sysadm_r;
		role unconfined_r;
	')

	container_kubelet_run(sysadm_t, sysadm_r)

	unconfined_run_to(kubelet_t, kubelet_exec_t)
	role_transition unconfined_r kubelet_exec_t system_r;
')

# Standard container which needs to be allowed to use any device
# Unconditional (no boolean) read/write on every character device node; block
# devices are not included.
container_domain_template(container_device, container)
allow container_device_t device_node:chr_file rw_chr_file_perms;

# Standard container which needs to be allowed to use any device and
# communicate with kubelet
# Additionally read/write sysfs, read debugfs, and connect to the kubelet's
# unix socket under kubelet_var_lib_t.
container_domain_template(container_device_plugin, container)
typeattribute container_device_plugin_t container_net_domain;
allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
dev_rw_sysfs(container_device_plugin_t)
kernel_read_debugfs(container_device_plugin_t)
container_kubelet_stream_connect(container_device_plugin_t)
stream_connect_pattern(container_device_plugin_t, container_var_lib_t, kubelet_var_lib_t, kubelet_t)

# Standard container which needs to be allowed to use any device and
# modify kubelet configuration
# Full manage rights on kubernetes_file_t, the same data kubelet_t administers
# above -- i.e. write access to the node's kubelet configuration.
container_domain_template(container_device_plugin_init, container)
allow container_device_plugin_init_t device_node:chr_file rw_chr_file_perms;
dev_rw_sysfs(container_device_plugin_init_t)
manage_dirs_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
manage_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
manage_lnk_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)

# syslogd may use runtime tmpfs files it inherited; the runtime may send
# syslog messages.
optional_policy(`
	gen_require(`
		type syslogd_t;
	')

	allow syslogd_t container_runtime_tmpfs_t:file rw_inherited_file_perms;
	logging_send_syslog_msg(container_runtime_t)
')


# Legacy svirt_sandbox_domain attribute: full manage rights on container_file_t
# content, including character and block device nodes.
manage_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
manage_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
manage_chr_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
manage_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)

# sshd_launch_containers: sshd transitions straight into container_runtime_t.
# The unrelated systemd-logind dontaudit is bundled under the same boolean.
tunable_policy(`sshd_launch_containers',`
	gen_require(`
		type sshd_t;
		type systemd_logind_t;
		type iptables_var_run_t;
	')

	container_runtime_domtrans(sshd_t)
	dontaudit systemd_logind_t iptables_var_run_t:dir read;
')

# container_user_r / container_user_t: a restricted login user
# (userdom_restricted_user_template) whose purpose is running containers.  It
# may inspect and signal every container_domain process and run the runtime,
# and the role is authorised for all container_domain, container_user_domain
# and container_net_domain types.  unconfined_r may change into this role.
role container_user_r;
userdom_restricted_user_template(container_user)
userdom_manage_home_role(container_user_r, container_user_t)

allow container_user_t container_domain:process { getattr getcap getsched sigchld sigkill signal signull sigstop };

role container_user_r types container_domain;
role container_user_r types container_user_domain;
role container_user_r types container_net_domain;
role container_user_r types container_file_type;
container_runtime_run(container_user_t, container_user_r)
unconfined_role_change_to(container_user_r)

container_use_ptys(container_user_t)


fs_manage_cgroup_dirs(container_user_t)
fs_manage_cgroup_files(container_user_t)

selinux_compute_access_vector(container_user_t)
systemd_dbus_chat_hostnamed(container_user_t)
systemd_start_systemd_services(container_user_t)

# The runtime may transition into container_user_t even with no_new_privs set.
allow container_runtime_t container_user_t:process transition;
allow container_runtime_t container_user_t:process2 nnp_transition;
allow container_user_t container_runtime_t:fifo_file rw_fifo_file_perms;

allow container_user_t container_file_t:chr_file manage_chr_file_perms;
allow container_user_t container_file_t:file entrypoint;

# Entrypoint types: files of these types may be the first program executed in
# any container_domain.  fusefs_t files additionally get full manage rights plus
# execmod, so content on a FUSE mount is both writable and executable by every
# container domain.
allow container_domain container_file_t:file entrypoint;
allow container_domain container_ro_file_t:file { entrypoint execmod execute execute_no_trans getattr ioctl lock map open read };
allow container_domain container_var_lib_t:file entrypoint;
allow container_domain fusefs_t:file { append create entrypoint execmod execute execute_no_trans getattr ioctl link lock map mounton open read rename setattr unlink watch watch_reads write };

# install_t may transition into the runtime with no_new_privs / nosuid set.
allow install_t container_runtime_t:process2 { nnp_transition nosuid_transition };

# Any executable-typed file (exec_type) and any file on a mountpoint may serve
# as an entrypoint for svirt_sandbox_domain.
corecmd_entrypoint_all_executables(container_kvm_t)
allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
allow svirt_sandbox_domain mountpoint:file entrypoint;

# deny_ptrace is documented as disabled by default in container_selinux(8);
# while it is off, container domains and spc_t may ptrace processes in their
# own domain only (self).
tunable_policy(`deny_ptrace',`',`
	allow container_domain self:process ptrace;
	allow spc_t self:process ptrace;
')

# netavark needs to write to /run/sysctl.d and needs the right label for systemd to read it.
1632 | # https://issues.redhat.com/browse/RHEL-91380 1633 | files_pid_filetrans(container_runtime_t, system_conf_t, dir, "sysctl.d") 1634 | -------------------------------------------------------------------------------- /container_contexts: -------------------------------------------------------------------------------- 1 | process = "system_u:system_r:container_t:s0" 2 | file = "system_u:object_r:container_file_t:s0" 3 | ro_file="system_u:object_r:container_ro_file_t:s0" 4 | kvm_process = "system_u:system_r:container_kvm_t:s0" 5 | init_process = "system_u:system_r:container_init_t:s0" 6 | engine_process = "system_u:system_r:container_engine_t:s0" 7 | -------------------------------------------------------------------------------- /container_selinux.8: -------------------------------------------------------------------------------- 1 | .TH "container_selinux" "8" "25-03-11" "container" "SELinux Policy container" 2 | .SH "NAME" 3 | container_selinux \- Security Enhanced Linux Policy for the container processes 4 | .SH "DESCRIPTION" 5 | 6 | Security-Enhanced Linux secures the container processes via flexible mandatory access control. 7 | 8 | The container processes execute with the container_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 9 | 10 | For example: 11 | 12 | .B ps -eZ | grep container_t 13 | 14 | 15 | .SH PROCESS TYPES 16 | SELinux defines process types (domains) for each process running on the system. 17 | .PP 18 | You can see the context of a process using the \fB\-Z\fP option to \fBps\fP 19 | .PP 20 | Policy governs the access confined processes have to files. 21 | SELinux container policy is very flexible, allowing users to set up their container processes in as secure a method as possible. 
22 | .PP 23 | The following process types are defined for container: 24 | 25 | .EX 26 | .B container_runtime_t, container_auth_t, container_userns_t, container_logreader_t, container_logwriter_t, container_kvm_t, container_init_t, container_engine_t, container_device_t, container_device_plugin_t, container_device_plugin_init_t, container_user_t, container_t 27 | .EE 28 | .PP 29 | Note: 30 | .B semanage permissive -a container_t 31 | can be used to make the process type container_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. 32 | 33 | .SH "MCS Constrained" 34 | The SELinux process type container_t is an MCS (Multi Category Security) constrained type. Sometimes this separation is referred to as sVirt. These types are usually used for securing multi-tenant environments, such as virtualization, containers or separation of users. The tools used to launch MCS types pick out a different MCS label for each process group. 35 | 36 | For example, one process might be launched with container_t:s0:c1,c2, and another process launched with container_t:s0:c3,c4. The SELinux kernel only allows these processes to write to content with a matching MCS label, or an MCS label of s0. A process running with the MCS level of s0:c1,c2 is not allowed to write to content with the MCS label of s0:c3,c4. 37 | 38 | .SH BOOLEANS 39 | SELinux policy is customizable based on least access required. container policy is extremely flexible and has several booleans that allow you to manipulate the policy and run container with the tightest access possible. 40 | 41 | 42 | .PP 43 | If you want to allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration, you must turn on the container_use_xserver_devices boolean. Disabled by default. 
44 | 45 | .EX 46 | .B setsebool -P container_use_xserver_devices 1 47 | 48 | .EE 49 | 50 | .PP 51 | If you want to deny any process from ptracing or debugging any other processes, you must turn on the deny_ptrace boolean. Disabled by default. 52 | 53 | .EX 54 | .B setsebool -P deny_ptrace 1 55 | 56 | .EE 57 | 58 | .PP 59 | If you want to allow sandbox containers to use all capabilities, you must turn on the virt_sandbox_use_all_caps boolean. Enabled by default. 60 | 61 | .EX 62 | .B setsebool -P virt_sandbox_use_all_caps 1 63 | 64 | .EE 65 | 66 | .PP 67 | If you want to allow sandbox containers to send audit messages, you must turn on the virt_sandbox_use_audit boolean. Enabled by default. 68 | 69 | .EX 70 | .B setsebool -P virt_sandbox_use_audit 1 71 | 72 | .EE 73 | 74 | .PP 75 | If you want to allow sandbox containers to use netlink system calls, you must turn on the virt_sandbox_use_netlink boolean. Disabled by default. 76 | 77 | .EX 78 | .B setsebool -P virt_sandbox_use_netlink 1 79 | 80 | .EE 81 | 82 | .PP 83 | If you want to allow sandbox containers to use sys_admin system calls, for example mount, you must turn on the virt_sandbox_use_sys_admin boolean. Disabled by default. 84 | 85 | .EX 86 | .B setsebool -P virt_sandbox_use_sys_admin 1 87 | 88 | .EE 89 | 90 | .SH PORT TYPES 91 | SELinux defines port types to represent TCP and UDP ports. 92 | .PP 93 | You can see the types associated with a port by using the following command: 94 | 95 | .B semanage port -l 96 | 97 | .PP 98 | Policy governs the access confined processes have to these ports. 99 | SELinux container policy is very flexible allowing users to setup their container processes in as secure a method as possible. 100 | .PP 101 | The following port types are defined for container: 102 | 103 | .EX 104 | .TP 5 105 | .B container_port_t 106 | .TP 10 107 | .EE 108 | 109 | .SH "MANAGED FILES" 110 | 111 | The SELinux process type container_t can manage files labeled with the following file types. 
The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 112 | 113 | .br 114 | .B bpf_t 115 | 116 | /sys/fs/bpf 117 | .br 118 | 119 | .br 120 | .B cifs_t 121 | 122 | 123 | .br 124 | .B container_file_t 125 | 126 | /srv/containers(/.*)? 127 | .br 128 | /var/lib/origin(/.*)? 129 | .br 130 | /var/lib/rkt/cas(/.*)? 131 | .br 132 | /var/lib/nerdctl/[^/]*/volumes(/.*)? 133 | .br 134 | /var/lib/buildkit/[^/]*/snapshots(/.*)? 135 | .br 136 | /var/srv/containers(/.*)? 137 | .br 138 | /var/lib/containerd/[^/]*/snapshots(/.*)? 139 | .br 140 | /var/lib/kubernetes/pods(/.*)? 141 | .br 142 | /opt/local-path-provisioner(/.*)? 143 | .br 144 | /var/local-path-provisioner(/.*)? 145 | .br 146 | /var/lib/containers/storage/volumes/[^/]*/.* 147 | .br 148 | /home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.* 149 | .br 150 | 151 | .br 152 | .B ecryptfs_t 153 | 154 | /home/[^/]+/\.Private(/.*)? 155 | .br 156 | /home/[^/]+/\.ecryptfs(/.*)? 157 | .br 158 | 159 | .br 160 | .B fs_t 161 | 162 | 163 | .br 164 | .B fusefs_t 165 | 166 | /run/user/[0-9]+/gvfs 167 | .br 168 | 169 | .br 170 | .B hugetlbfs_t 171 | 172 | /dev/hugepages 173 | .br 174 | /usr/lib/udev/devices/hugepages 175 | .br 176 | 177 | .br 178 | .B nfs_t 179 | 180 | 181 | .br 182 | .B onload_fs_t 183 | 184 | 185 | .br 186 | .B svirt_home_t 187 | 188 | /home/[^/]+/\.libvirt/qemu(/.*)? 189 | .br 190 | /home/[^/]+/\.cache/libvirt/qemu(/.*)? 191 | .br 192 | /home/[^/]+/\.config/libvirt/qemu(/.*)? 193 | .br 194 | /home/[^/]+/\.local/share/libvirt/boot(/.*)? 195 | .br 196 | /home/[^/]+/\.local/share/libvirt/images(/.*)? 197 | .br 198 | /home/[^/]+/\.local/share/gnome-boxes/images(/.*)? 199 | .br 200 | 201 | .SH FILE CONTEXTS 202 | SELinux requires files to have an extended attribute to define the file type. 
203 | .PP 204 | You can see the context of a file using the \fB\-Z\fP option to \fBls\fP 205 | .PP 206 | Policy governs the access confined processes have to these files. 207 | SELinux container policy is very flexible, allowing users to set up their container processes in as secure a method as possible. 208 | .PP 209 | 210 | .PP 211 | .B EQUIVALENCE DIRECTORIES 212 | 213 | .PP 214 | container policy stores data with multiple different file context types under the /var/lib/buildkit directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command: 215 | .PP 216 | .B semanage fcontext -a -e /var/lib/buildkit /srv/buildkit 217 | .br 218 | .B restorecon -R -v /srv/buildkit 219 | .PP 220 | 221 | .PP 222 | container policy stores data with multiple different file context types under the /var/lib/containerd directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command: 223 | .PP 224 | .B semanage fcontext -a -e /var/lib/containerd /srv/containerd 225 | .br 226 | .B restorecon -R -v /srv/containerd 227 | .PP 228 | 229 | .PP 230 | container policy stores data with multiple different file context types under the /var/lib/containers directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command: 231 | .PP 232 | .B semanage fcontext -a -e /var/lib/containers /srv/containers 233 | .br 234 | .B restorecon -R -v /srv/containers 235 | .PP 236 | 237 | .PP 238 | container policy stores data with multiple different file context types under the /var/lib/docker directory. 
If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command: 239 | .PP 240 | .B semanage fcontext -a -e /var/lib/docker /srv/docker 241 | .br 242 | .B restorecon -R -v /srv/docker 243 | .PP 244 | 245 | .PP 246 | container policy stores data with multiple different file context types under the /var/lib/nerdctl directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command: 247 | .PP 248 | .B semanage fcontext -a -e /var/lib/nerdctl /srv/nerdctl 249 | .br 250 | .B restorecon -R -v /srv/nerdctl 251 | .PP 252 | 253 | .PP 254 | container policy stores data with multiple different file context types under the /var/lib/ocid directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command: 255 | .PP 256 | .B semanage fcontext -a -e /var/lib/ocid /srv/ocid 257 | .br 258 | .B restorecon -R -v /srv/ocid 259 | .PP 260 | 261 | .PP 262 | .B STANDARD FILE CONTEXT 263 | 264 | SELinux defines the file context types for the container, if you wanted to 265 | store files with these types in a different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk. 266 | 267 | .B semanage fcontext -a -t container_var_lib_t '/srv/container/content(/.*)?' 268 | .br 269 | .B restorecon -R -v /srv/mycontainer_content 270 | 271 | Note: SELinux often uses regular expressions to specify labels that match multiple files. 
272 | 273 | .I The following file types are defined for container: 274 | 275 | 276 | .EX 277 | .PP 278 | .B container_auth_exec_t 279 | .EE 280 | 281 | - Set files with the container_auth_exec_t type, if you want to transition an executable to the container_auth_t domain. 282 | 283 | .br 284 | .TP 5 285 | Paths: 286 | /usr/s?bin/docker-novolume-plugin, /usr/lib/docker/docker-novolume-plugin 287 | 288 | .EX 289 | .PP 290 | .B container_config_t 291 | .EE 292 | 293 | - Set files with the container_config_t type, if you want to treat the files as container configuration data, usually stored under the /etc directory. 294 | 295 | .br 296 | .TP 5 297 | Paths: 298 | /etc/crio(/.*)?, /etc/docker(/.*)?, /etc/buildkit(/.*)?, /etc/containerd(/.*)?, /etc/docker-latest(/.*)? 299 | 300 | .EX 301 | .PP 302 | .B container_file_t 303 | .EE 304 | 305 | - Set files with the container_file_t type, if you want to treat the files as container content. 306 | 307 | .br 308 | .TP 5 309 | Paths: 310 | /srv/containers(/.*)?, /var/lib/origin(/.*)?, /var/lib/rkt/cas(/.*)?, /var/lib/nerdctl/[^/]*/volumes(/.*)?, /var/lib/buildkit/[^/]*/snapshots(/.*)?, /var/srv/containers(/.*)?, /var/lib/containerd/[^/]*/snapshots(/.*)?, /var/lib/kubernetes/pods(/.*)?, /opt/local-path-provisioner(/.*)?, /var/local-path-provisioner(/.*)?, /var/lib/containers/storage/volumes/[^/]*/.*, /home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.* 311 | 312 | .EX 313 | .PP 314 | .B container_home_t 315 | .EE 316 | 317 | - Set files with the container_home_t type, if you want to store container files in the users home directory. 318 | 319 | 320 | .EX 321 | .PP 322 | .B container_kvm_var_run_t 323 | .EE 324 | 325 | - Set files with the container_kvm_var_run_t type, if you want to store the container kvm files under the /run or /var/run directory. 
326 | 327 | 328 | .EX 329 | .PP 330 | .B container_lock_t 331 | .EE 332 | 333 | - Set files with the container_lock_t type, if you want to treat the files as container lock data, stored under the /var/lock directory 334 | 335 | 336 | .EX 337 | .PP 338 | .B container_log_t 339 | .EE 340 | 341 | - Set files with the container_log_t type, if you want to treat the data as container log data, usually stored under the /var/log directory. 342 | 343 | .br 344 | .TP 5 345 | Paths: 346 | /var/log/lxc(/.*)?, /var/log/lxd(/.*)?, /var/log/pods(/.*)?, /var/log/containers(/.*)?, /var/log/kube-apiserver(/.*)?, /var/lib/docker/containers/.*/.*\.log, /var/lib/docker-latest/containers/.*/.*\.log 347 | 348 | .EX 349 | .PP 350 | .B container_plugin_var_run_t 351 | .EE 352 | 353 | - Set files with the container_plugin_var_run_t type, if you want to store the container plugin files under the /run or /var/run directory. 354 | 355 | 356 | .EX 357 | .PP 358 | .B container_ro_file_t 359 | .EE 360 | 361 | - Set files with the container_ro_file_t type, if you want to treat the files as container ro content. 
362 | 363 | .br 364 | .TP 5 365 | Paths: 366 | /var/lib/shared(/.*)?, /var/lib/nerdctl(/.*)?, /var/lib/docker/.*/config\.env, /var/lib/docker/init(/.*)?, /var/lib/containerd/[^/]*/sandboxes(/.*)?, /var/lib/docker/overlay(/.*)?, /var/lib/ocid/sandboxes(/.*)?, /var/lib/docker-latest/.*/config\.env, /var/lib/buildkit/runc-.*/executor(/.*?), /var/lib/docker/overlay2(/.*)?, /var/lib/kata-containers(/.*)?, /var/cache/kata-containers(/.*)?, /var/lib/containers/overlay(/.*)?, /var/lib/docker-latest/init(/.*)?, /var/lib/docker/containers/.*/hosts, /var/lib/docker/containers/.*/hostname, /var/lib/containers/overlay2(/.*)?, /var/lib/buildkit/containerd-.*(/.*?), /var/lib/docker-latest/overlay(/.*)?, /var/lib/docker-latest/overlay2(/.*)?, /var/lib/containers/overlay-images(/.*)?, /var/lib/containers/overlay-layers(/.*)?, /var/lib/docker-latest/containers/.*/hosts, /var/lib/docker-latest/containers/.*/hostname, /var/lib/containers/overlay2-images(/.*)?, /var/lib/containers/overlay2-layers(/.*)?, /var/lib/containers/storage/overlay(/.*)?, /var/lib/containers/storage/overlay2(/.*)?, /var/lib/containers/storage/artifacts(/.*)?, /var/lib/containers/storage/overlay-images(/.*)?, /var/lib/containers/storage/overlay-layers(/.*)?, /var/lib/containers/storage/overlay2-images(/.*)?, /var/lib/containers/storage/overlay2-layers(/.*)?, /home/[^/]+/\.local/share/ramalama(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2(/.*)?, /home/[^/]+/\.local/share/containers/storage/artifacts(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-layers(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-layers(/.*)? 
367 | 368 | .EX 369 | .PP 370 | .B container_runtime_exec_t 371 | .EE 372 | 373 | - Set files with the container_runtime_exec_t type, if you want to transition an executable to the container_runtime_t domain. 374 | 375 | .br 376 | .TP 5 377 | Paths: 378 | /usr/s?bin/lxc, /usr/s?bin/lxd, /usr/s?bin/crun, /usr/s?bin/runc, /usr/s?bin/crio.*, /usr/s?bin/lxc-.*, /usr/s?bin/lxd-.*, /usr/s?bin/ocid.*, /usr/s?bin/buildah, /usr/s?bin/docker.*, /usr/s?bin/fuidshift, /usr/s?bin/kata-agent, /usr/s?bin/buildkitd.*, /usr/s?bin/containerd.*, /usr/s?bin/buildkit-runc, /usr/s?bin/docker-latest, /usr/s?bin/docker-current, /usr/local/s?bin/crun, /usr/local/s?bin/runc, /usr/local/s?bin/crio.*, /usr/local/s?bin/docker.*, /usr/local/s?bin/kata-agent, /usr/local/s?bin/buildkitd.*, /usr/local/s?bin/containerd.*, /usr/local/s?bin/buildkit-runc, /usr/lib/docker/[^/]*plugin, /usr/libexec/lxc/.*, /usr/libexec/lxd/.*, /usr/bin/container[^/]*plugin, /usr/libexec/docker/.*, /usr/local/lib/docker/[^/]*plugin, /usr/libexec/docker/docker.*, /usr/local/libexec/docker/.*, /usr/local/libexec/docker/docker.*, /usr/bin/podman, /usr/local/bin/podman, /usr/bin/rhel-push-plugin, /usr/sbin/rhel-push-plugin 379 | 380 | .EX 381 | .PP 382 | .B container_runtime_tmp_t 383 | .EE 384 | 385 | - Set files with the container_runtime_tmp_t type, if you want to store container runtime temporary files in the /tmp directories. 386 | 387 | 388 | .EX 389 | .PP 390 | .B container_runtime_tmpfs_t 391 | .EE 392 | 393 | - Set files with the container_runtime_tmpfs_t type, if you want to store container runtime files on a tmpfs file system. 394 | 395 | 396 | .EX 397 | .PP 398 | .B container_unit_file_t 399 | .EE 400 | 401 | - Set files with the container_unit_file_t type, if you want to treat the files as container unit content. 
402 | 403 | .br 404 | .TP 5 405 | Paths: 406 | /usr/lib/systemd/system/lxd.*, /usr/lib/systemd/system/docker.*, /usr/lib/systemd/system/buildkit.*, /usr/lib/systemd/system/containerd.* 407 | 408 | .EX 409 | .PP 410 | .B container_var_lib_t 411 | .EE 412 | 413 | - Set files with the container_var_lib_t type, if you want to store the container files under the /var/lib directory. 414 | 415 | .br 416 | .TP 5 417 | Paths: 418 | /exports(/.*)?, /var/lib/cni(/.*)?, /var/lib/lxc(/.*)?, /var/lib/lxd(/.*)?, /var/lib/crio(/.*)?, /var/lib/ocid(/.*)?, /var/lib/docker(/.*)?, /var/lib/kubelet(/.*)?, /var/lib/buildkit(/.*)?, /var/lib/registry(/.*)?, /var/lib/containerd(/.*)?, /var/lib/containers(/.*)?, /var/cache/containers(/.*)?, /var/lib/docker-latest(/.*)? 419 | 420 | .EX 421 | .PP 422 | .B container_var_run_t 423 | .EE 424 | 425 | - Set files with the container_var_run_t type, if you want to store the container files under the /run or /var/run directory. 426 | 427 | .br 428 | .TP 5 429 | Paths: 430 | /run/crio(/.*)?, /run/docker(/.*)?, /run/flannel(/.*)?, /run/buildkit(/.*)?, /run/containerd(/.*)?, /run/containers(/.*)?, /run/docker-client(/.*)?, /run/docker\.pid, /run/docker\.sock 431 | 432 | .PP 433 | Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 434 | .B semanage fcontext 435 | command. This will modify the SELinux labeling database. You will need to use 436 | .B restorecon 437 | to apply the labels. 438 | 439 | .SH "COMMANDS" 440 | .B semanage fcontext 441 | can also be used to manipulate default file context mappings. 442 | .PP 443 | .B semanage permissive 444 | can also be used to manipulate whether or not a process type is permissive. 445 | .PP 446 | .B semanage module 447 | can also be used to enable/disable/install/remove policy modules. 
448 | 449 | .B semanage port 450 | can also be used to manipulate the port definitions. 451 | 452 | .B semanage boolean 453 | can also be used to manipulate the booleans. 454 | 455 | .PP 456 | .B system-config-selinux 457 | is a GUI tool available to customize SELinux policy settings. 458 | 459 | .SH AUTHOR 460 | This manual page was auto-generated using 461 | .B "sepolicy manpage". 462 | 463 | .SH "SEE ALSO" 464 | selinux(8), container(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), container_auth_selinux(8), container_device_selinux(8), container_device_plugin_selinux(8), container_device_plugin_init_selinux(8), container_engine_selinux(8), container_init_selinux(8), container_kvm_selinux(8), container_logreader_selinux(8), container_logwriter_selinux(8), container_runtime_selinux(8), container_user_selinux(8), container_userns_selinux(8) -------------------------------------------------------------------------------- /container_u: -------------------------------------------------------------------------------- 1 | system_r:init_t:s0 container_user_r:container_user_t:s0 2 | system_r:local_login_t:s0 container_user_r:container_user_t:s0 3 | system_r:remote_login_t:s0 container_user_r:container_user_t:s0 4 | system_r:sshd_t:s0 container_user_r:container_user_t:s0 5 | system_r:cockpit_session_t:s0 container_user_r:container_user_t:s0 6 | system_r:crond_t:s0 container_user_r:container_user_t:s0 container_user_r:cronjob_t:s0 7 | system_r:xdm_t:s0 container_user_r:container_user_t:s0 8 | 9 | -------------------------------------------------------------------------------- /plans/main.fmf: 
-------------------------------------------------------------------------------- 1 | discover: 2 | how: fmf 3 | execute: 4 | how: tmt 5 | prepare: 6 | - when: distro == centos-stream or distro == rhel 7 | how: shell 8 | script: | 9 | dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm --eval '%{?rhel}').noarch.rpm 10 | dnf -y config-manager --set-enabled epel 11 | order: 10 12 | - when: initiator == packit 13 | how: shell 14 | script: | 15 | COPR_REPO_FILE="/etc/yum.repos.d/*podman-next*.repo" 16 | if compgen -G $COPR_REPO_FILE > /dev/null; then 17 | sed -i -n '/^priority=/!p;$apriority=1' $COPR_REPO_FILE 18 | fi 19 | dnf -y upgrade --allowerasing 20 | order: 20 21 | -------------------------------------------------------------------------------- /rpm/container-selinux.spec: -------------------------------------------------------------------------------- 1 | %global debug_package %{nil} 2 | 3 | # container-selinux stuff (prefix with ds_ for version/release etc.) 
4 | # Some bits borrowed from the openstack-selinux package 5 | %global moduletype services 6 | %global modulenames container 7 | 8 | # Usage: _format var format 9 | # Expand 'modulenames' into various formats as needed 10 | # Format must contain '$x' somewhere to do anything useful 11 | %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done; 12 | 13 | # RHEL < 10 and Fedora < 40 use file context entries in /var/run 14 | %if %{defined rhel} && 0%{?rhel} < 10 || %{defined fedora} && 0%{?fedora} < 40 15 | %define legacy_var_run 1 16 | %endif 17 | 18 | # https://github.com/containers/container-selinux/issues/203 19 | %if %{!defined fedora} && %{!defined rhel} || %{defined rhel} && 0%{?rhel} <= 9 20 | %define no_user_namespace 1 21 | %endif 22 | 23 | # copr_build is more intuitive than copr_username 24 | %if %{defined copr_username} 25 | %define copr_build 1 26 | %endif 27 | 28 | Name: container-selinux 29 | # Set different Epochs for copr and koji 30 | %if %{defined copr_build} 31 | Epoch: 102 32 | %else 33 | Epoch: 4 34 | %endif 35 | # Keep Version in upstream specfile at 0. It will be automatically set 36 | # to the correct value by Packit for copr and koji builds. 37 | # IGNORE this comment if you're looking at it in dist-git. 
38 | Version: 0 39 | Release: %autorelease 40 | License: GPL-2.0-only 41 | URL: https://github.com/containers/%{name} 42 | Summary: SELinux policies for container runtimes 43 | Source0: %{url}/archive/v%{version}.tar.gz 44 | BuildArch: noarch 45 | BuildRequires: make 46 | BuildRequires: git-core 47 | BuildRequires: pkgconfig(systemd) 48 | BuildRequires: selinux-policy >= %_selinux_policy_version 49 | BuildRequires: selinux-policy-devel >= %_selinux_policy_version 50 | # RE: rhbz#1195804 - ensure min NVR for selinux-policy 51 | Requires: selinux-policy >= %_selinux_policy_version 52 | Requires(post): selinux-policy-base >= %_selinux_policy_version 53 | Requires(post): selinux-policy-any >= %_selinux_policy_version 54 | Recommends: selinux-policy-targeted >= %_selinux_policy_version 55 | Requires(post): policycoreutils 56 | Requires(post): libselinux-utils 57 | Requires(post): sed 58 | Obsoletes: %{name} <= 2:1.12.5-13 59 | Obsoletes: docker-selinux <= 2:1.12.4-28 60 | Provides: docker-selinux = %{?epoch:%{epoch}:}%{version}-%{release} 61 | Conflicts: udica < 0.2.6-1 62 | Conflicts: k3s-selinux <= 0.4-1 63 | 64 | %description 65 | SELinux policy modules for use with container runtimes. 
66 | 67 | %prep 68 | %autosetup -Sgit %{name}-%{version} 69 | 70 | sed -i 's/^man: install-policy/man:/' Makefile 71 | sed -i 's/^install: man/install:/' Makefile 72 | 73 | %if %{defined no_user_namespace} 74 | sed -i '/user_namespace/d' container.te 75 | %endif 76 | 77 | %if %{defined legacy_var_run} 78 | sed -i 's|^/run/|/var/run/|' container.fc 79 | %endif 80 | 81 | %build 82 | make 83 | 84 | %install 85 | # install policy modules 86 | %_format MODULES $x.pp.bz2 87 | %{__make} DATADIR=%{buildroot}%{_datadir} SYSCONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates install.selinux-user 88 | 89 | %pre 90 | %selinux_relabel_pre 91 | 92 | %post 93 | # Install all modules in a single transaction 94 | if [ $1 -eq 1 ]; then 95 | %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1 96 | fi 97 | %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2 98 | . %{_sysconfdir}/selinux/config 99 | %{_sbindir}/semodule -n -s ${SELINUXTYPE} -r container 2> /dev/null 100 | %{_sbindir}/semodule -n -s ${SELINUXTYPE} -d docker 2> /dev/null 101 | %{_sbindir}/semodule -n -s ${SELINUXTYPE} -d gear 2> /dev/null 102 | %selinux_modules_install -s ${SELINUXTYPE} $MODULES 103 | sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types 104 | matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || : 105 | 106 | %postun 107 | if [ $1 -eq 0 ]; then 108 | %selinux_modules_uninstall %{modulenames} docker 109 | fi 110 | 111 | %posttrans 112 | %selinux_relabel_post 113 | 114 | # Empty placeholder check to silence rpmlint 115 | %check 116 | 117 | #define license tag if not already defined 118 | %{!?_licensedir:%global license %doc} 119 | 120 | %files 121 | %doc README.md 122 | %{_datadir}/selinux/* 123 | %dir %{_datadir}/containers/selinux 124 | %{_datadir}/containers/selinux/contexts 125 | %dir %{_datadir}/udica 126 | 
%dir %{_datadir}/udica/templates/ 127 | %{_datadir}/udica/templates/* 128 | # Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120 129 | %{_mandir}/man8/container_selinux.8.gz 130 | %{_sysconfdir}/selinux/targeted/contexts/users/container_u 131 | %ghost %verify(not mode) %{_selinux_store_path}/targeted/active/modules/200/%{modulenames} 132 | %ghost %verify(not mode) %{_selinux_store_path}/mls/active/modules/200/%{modulenames} 133 | 134 | %triggerpostun -- container-selinux < 2:2.162.1-3 135 | if %{_sbindir}/selinuxenabled ; then 136 | echo "Fixing Rootless SELinux labels in homedir" 137 | %{_sbindir}/restorecon -R /home/*/.local/share/containers/storage/overlay* 2> /dev/null 138 | fi 139 | 140 | %changelog 141 | %autochangelog 142 | -------------------------------------------------------------------------------- /rpm/gating.yaml: -------------------------------------------------------------------------------- 1 | --- !Policy 2 | product_versions: 3 | - fedora-* 4 | decision_contexts: 5 | - bodhi_update_push_stable 6 | - bodhi_update_push_testing 7 | rules: 8 | - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} 9 | 10 | --- !Policy 11 | product_versions: 12 | - rhel-* 13 | decision_context: osci_compose_gate 14 | rules: [] 15 | -------------------------------------------------------------------------------- /test/main.fmf: -------------------------------------------------------------------------------- 1 | require: 2 | - attr 3 | - bats 4 | - container-selinux 5 | - podman-tests 6 | - policycoreutils 7 | 8 | /basic_check: 9 | summary: Run basic checks 10 | test: | 11 | semodule --list=full | grep container 12 | semodule -B 13 | rpm -Vqf /var/lib/selinux/*/active/modules/200/container 14 | 15 | /podman_system_test: 16 | summary: Run SELinux specific Podman system tests 17 | test: bash ./podman-tests.sh 18 | -------------------------------------------------------------------------------- /test/podman-tests.sh: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -exo pipefail 4 | 5 | cat /etc/redhat-release 6 | 7 | if [[ "$(id -u)" -ne 0 ]];then 8 | echo "Please run as superuser" 9 | exit 1 10 | fi 11 | 12 | # Print versions of distro and installed packages 13 | rpm -q bats container-selinux podman podman-tests policycoreutils selinux-policy 14 | 15 | # Run podman system tests 16 | bats /usr/share/podman/test/system/410-selinux.bats 17 | -------------------------------------------------------------------------------- /udica-templates/base_container.cil: -------------------------------------------------------------------------------- 1 | (block container 2 | (type process) 3 | (type socket) 4 | (roletype system_r process) 5 | (typeattributeset domain (process )) 6 | (typeattributeset container_domain (process )) 7 | (typeattributeset svirt_sandbox_domain (process )) 8 | (typeattributeset mcs_constrained_type (process )) 9 | (typeattributeset file_type (socket )) 10 | (allow process socket (sock_file (create open getattr setattr read write rename link unlink ioctl lock append))) 11 | (allow process proc_type (file (getattr open read))) 12 | (allow process cpu_online_t (file (getattr open read))) 13 | (allow container_runtime_t process (key (create link read search setattr view write))) 14 | ) 15 | -------------------------------------------------------------------------------- /udica-templates/config_container.cil: -------------------------------------------------------------------------------- 1 | (block config_container 2 | (optional config_container_optional 3 | (allow process configfile (dir (ioctl read getattr lock search open))) 4 | (allow process configfile (file (ioctl read getattr lock open))) 5 | (allow process configfile (lnk_file (read getattr))) 6 | ) 7 | ) 8 | 9 | (block config_rw_container 10 | (blockinherit config_container) 11 | (optional config_rw_container_optional 12 | (allow process 
configfile (dir (ioctl read write getattr lock append open))) 13 | (allow process configfile (file (ioctl read write getattr lock append open))) 14 | (allow process configfile (lnk_file (ioctl read write getattr lock append open))) 15 | ) 16 | ) 17 | 18 | (block config_manage_container 19 | (optional config_manage_container_optional 20 | (allow process configfile (dir (ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open))) 21 | (allow process configfile (file (ioctl read write create getattr setattr lock append unlink link rename open))) 22 | (allow process configfile (lnk_file (ioctl read write create getattr setattr lock append unlink link rename open))) 23 | ) 24 | ) 25 | -------------------------------------------------------------------------------- /udica-templates/home_container.cil: -------------------------------------------------------------------------------- 1 | (block home_container 2 | (optional home_container_optional 3 | (allow process process (capability (dac_override ))) 4 | 5 | (allow process user_home_dir_t (dir (getattr search open read lock ioctl))) 6 | (allow process home_root_t (dir (getattr search open read lock ioctl))) 7 | (allow process user_home_t (dir (getattr search open read lock ioctl))) 8 | 9 | (allow process user_home_dir_t (file (getattr ioctl lock open read))) 10 | (allow process user_home_t (file (getattr ioctl lock open read))) 11 | ) 12 | ) 13 | 14 | 15 | (block home_rw_container 16 | (blockinherit home_container) 17 | (optional home_rw_container_optional 18 | (allow process user_home_dir_t (dir (open getattr setattr read write link search add_name remove_name reparent lock ioctl))) 19 | (allow process home_root_t (dir (open getattr setattr read write link search add_name remove_name reparent lock ioctl))) 20 | (allow process user_home_t (dir (open getattr setattr read write link search add_name remove_name reparent lock ioctl))) 21 | 22 | (allow process user_home_t 
(file (open getattr read write append ioctl lock))) 23 | (allow process user_home_dir_t (file (open getattr read write append ioctl lock))) 24 | ) 25 | ) 26 | 27 | (block home_manage_container 28 | (blockinherit home_rw_container) 29 | (optional home_manage_container_optional 30 | (allow process user_home_dir_t (dir (create unlink rename rmdir ))) 31 | (allow process home_root_t (dir (create unlink rename rmdir ))) 32 | (allow process user_home_t (dir (create unlink rename rmdir ))) 33 | 34 | (allow process user_home_t (file (create rename link unlink ))) 35 | (allow process user_home_dir_t (file (create rename link unlink ))) 36 | ) 37 | ) 38 | -------------------------------------------------------------------------------- /udica-templates/log_container.cil: -------------------------------------------------------------------------------- 1 | (block log_container 2 | (optional log_container_optional 3 | (allow process var_t (dir (getattr search open))) 4 | (allow process logfile (dir (ioctl read getattr lock search open))) 5 | (allow process logfile (file (ioctl read getattr lock open map))) 6 | (allow process auditd_log_t (dir (ioctl read getattr lock search open))) 7 | (allow process auditd_log_t (file (ioctl read getattr lock open))) 8 | ) 9 | ) 10 | 11 | 12 | (block log_rw_container 13 | (blockinherit log_container) 14 | 15 | (optional log_rw_container_optional 16 | (allow process logfile (dir (ioctl read write create getattr setattr lock add_name search open))) 17 | (allow process logfile (file (ioctl read write create getattr setattr lock append open))) 18 | (allow process logfile (lnk_file (ioctl read write getattr lock append open))) 19 | (allow process var_t (dir (getattr search open))) 20 | (allow process auditd_log_t (dir (ioctl read getattr lock search open))) 21 | (allow process auditd_log_t (file (ioctl read getattr lock open))) 22 | ) 23 | ) 24 | 25 | (block log_manage_container 26 | (blockinherit log_rw_container) 27 | 28 | (optional 
log_manage_container_optional 29 | (allow process logfile (dir (ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open))) 30 | (allow process logfile (file (ioctl read write create getattr setattr lock append unlink link rename open))) 31 | (allow process logfile (lnk_file (ioctl read write create getattr setattr lock append unlink link rename))) 32 | (allow process auditd_log_t (dir (ioctl read write getattr lock search open))) 33 | (allow process auditd_log_t (file (ioctl read write getattr lock open))) 34 | ) 35 | ) 36 | -------------------------------------------------------------------------------- /udica-templates/net_container.cil: -------------------------------------------------------------------------------- 1 | (block net_container 2 | (optional net_container_optional 3 | (typeattributeset sandbox_net_domain (process)) 4 | ) 5 | ) 6 | 7 | (block restricted_net_container 8 | (optional restricted_net_container_optional 9 | (allow process process (tcp_socket (ioctl read getattr lock write setattr append bind connect getopt setopt shutdown create listen accept))) 10 | (allow process process (udp_socket (ioctl read getattr lock write setattr append bind connect getopt setopt shutdown create))) 11 | (allow process process (sctp_socket (ioctl read getattr lock write setattr append bind connect getopt setopt shutdown create))) 12 | 13 | (allow process proc_t (lnk_file (read))) 14 | 15 | (allow process node_t (node (tcp_recv tcp_send recvfrom sendto))) 16 | (allow process node_t (node (udp_recv recvfrom))) 17 | (allow process node_t (node (udp_send sendto))) 18 | 19 | (allow process node_t (udp_socket (node_bind))) 20 | (allow process node_t (tcp_socket (node_bind))) 21 | 22 | (allow process http_port_t (tcp_socket (name_connect))) 23 | (allow process http_port_t (tcp_socket (recv_msg send_msg))) 24 | ) 25 | ) 26 | -------------------------------------------------------------------------------- 
/udica-templates/tmp_container.cil: -------------------------------------------------------------------------------- 1 | (block tmp_container 2 | (optional tmp_container_optional 3 | (allow process tmpfile (dir (getattr search open))) 4 | (allow process tmpfile (file (ioctl read getattr lock open))) 5 | ) 6 | ) 7 | 8 | (block tmp_rw_container 9 | (blockinherit tmp_container) 10 | 11 | (optional tmp_rw_container_optional 12 | (allow process tmpfile (file (ioctl read write getattr lock append open))) 13 | (allow process tmpfile (dir (ioctl read write getattr lock append open))) 14 | ) 15 | ) 16 | -------------------------------------------------------------------------------- /udica-templates/tty_container.cil: -------------------------------------------------------------------------------- 1 | (block tty_container 2 | (optional tty_container_optional 3 | (allow process device_t (dir (getattr search open))) 4 | (allow process device_t (dir (ioctl read getattr lock search open))) 5 | (allow process device_t (lnk_file (read getattr))) 6 | 7 | (allow process devtty_t (chr_file (ioctl read write getattr lock append open))) 8 | ) 9 | ) 10 | -------------------------------------------------------------------------------- /udica-templates/virt_container.cil: -------------------------------------------------------------------------------- 1 | (block virt_container 2 | (optional virt_container_optional 3 | (allow process var_t (dir (getattr search open))) 4 | (allow process var_t (lnk_file (read getattr))) 5 | 6 | (allow process var_run_t (dir (getattr search open))) 7 | (allow process var_run_t (lnk_file (read getattr))) 8 | 9 | (allow process virt_var_run_t (dir (getattr search open))) 10 | (allow process virt_var_run_t (sock_file (write getattr append open))) 11 | 12 | (allow process virtd_t (unix_stream_socket (connectto))) 13 | ) 14 | ) 15 | -------------------------------------------------------------------------------- /udica-templates/x_container.cil: 
-------------------------------------------------------------------------------- 1 | (block x_container 2 | (optional x_container_optional 3 | (allow xserver_t process (shm (getattr read write associate unix_read unix_write lock))) 4 | 5 | (allow process xserver_t (unix_stream_socket (connectto))) 6 | 7 | (allow process device_t (dir (getattr search open))) 8 | 9 | (allow process dri_device_t (chr_file (ioctl read write getattr lock append open map))) 10 | 11 | (allow process xserver_misc_device_t (chr_file (ioctl read write getattr lock append open map))) 12 | 13 | (allow process urandom_device_t (chr_file (open read))) 14 | 15 | (allow process tmpfs_t (dir (getattr search open))) 16 | 17 | (allow process tmp_t (dir (getattr search open))) 18 | (allow process tmp_t (lnk_file (read getattr))) 19 | 20 | (allow process xserver_tmp_t (dir (getattr search open))) 21 | (allow process xserver_tmp_t (sock_file (write getattr append open))) 22 | 23 | (allow process xserver_exec_t (file (ioctl read getattr lock map execute execute_no_trans open))) 24 | ) 25 | ) 26 | --------------------------------------------------------------------------------