container: rework combined role interfaces

Rename and slightly rework some of the newly added interfaces; in particular,
make the "admin" interfaces use admin_pattern().

Signed-off-by: Kenton Groombridge <me@concord.sh>
Kenton Groombridge 2022-05-20 10:58:25 -04:00
parent e9ff08a057
commit 5a5df237b1
1 changed files with 10 additions and 19 deletions


@ -229,8 +229,8 @@ template(`container_user_role',`
allow $3 container_user_domain:process { ptrace signal_perms }; allow $3 container_user_domain:process { ptrace signal_perms };
ps_process_pattern($3, container_user_domain) ps_process_pattern($3, container_user_domain)
container_admin_all_home_content($2)
container_admin_all_user_runtime_content($2) container_admin_all_user_runtime_content($2)
container_manage_all_home_content($2)
optional_policy(` optional_policy(`
systemd_read_user_manager_state($1, container_engine_user_domain) systemd_read_user_manager_state($1, container_engine_user_domain)
@ -301,8 +301,8 @@ template(`container_unconfined_role',`
container_admin_all_files($2) container_admin_all_files($2)
container_admin_all_ro_files($2) container_admin_all_ro_files($2)
container_admin_all_home_content($2)
container_admin_all_user_runtime_content($2) container_admin_all_user_runtime_content($2)
container_manage_all_home_content($2)
') ')
######################################## ########################################
@ -1106,12 +1106,9 @@ interface(`container_admin_all_files',`
type container_file_t; type container_file_t;
') ')
allow $1 container_file_t:dir { manage_dir_perms relabel_dir_perms }; admin_pattern($1, container_file_t, container_file_t)
allow $1 container_file_t:file { manage_file_perms relabel_file_perms }; allow $1 container_file_t:chr_file manage_chr_file_perms;
allow $1 container_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; allow $1 container_file_t:blk_file manage_blk_file_perms;
allow $1 container_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
allow $1 container_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
allow $1 container_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
') ')
######################################## ########################################
@ -1129,12 +1126,9 @@ interface(`container_admin_all_ro_files',`
type container_ro_file_t; type container_ro_file_t;
') ')
allow $1 container_ro_file_t:dir { manage_dir_perms relabel_dir_perms }; admin_pattern($1, container_ro_file_t, container_ro_file_t)
allow $1 container_ro_file_t:file { manage_file_perms relabel_file_perms }; allow $1 container_ro_file_t:chr_file manage_chr_file_perms;
allow $1 container_ro_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; allow $1 container_ro_file_t:blk_file manage_blk_file_perms;
allow $1 container_ro_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
allow $1 container_ro_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
allow $1 container_ro_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
') ')
######################################## ########################################
@ -1154,10 +1148,7 @@ interface(`container_admin_all_user_runtime_content',`
type container_user_runtime_t; type container_user_runtime_t;
') ')
allow $1 container_user_runtime_t:dir { manage_dir_perms relabel_dir_perms }; admin_pattern($1, container_user_runtime_t, container_user_runtime_t)
allow $1 container_user_runtime_t:file { manage_file_perms relabel_file_perms };
allow $1 container_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
allow $1 container_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
') ')
######################################## ########################################
@ -1172,7 +1163,7 @@ interface(`container_admin_all_user_runtime_content',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`container_admin_all_home_content',` interface(`container_manage_all_home_content',`
gen_require(` gen_require(`
type container_file_t, container_ro_file_t; type container_file_t, container_ro_file_t;
type container_cache_home_t, container_conf_home_t; type container_cache_home_t, container_conf_home_t;