container: rework combined role interfaces

Rename and rework slightly some of the newly added interfaces. Namely, make the "admin" interfaces use admin_pattern(). Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 10:58:25 -04:00 · 2022-05-20 10:58:25 -04:00 · 5a5df237b1
parent e9ff08a057
commit 5a5df237b1
1 changed files with 10 additions and 19 deletions
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@ -229,8 +229,8 @@ template(`container_user_role',`
 	allow $3 container_user_domain:process { ptrace signal_perms };
 	ps_process_pattern($3, container_user_domain)

-	container_admin_all_home_content($2)
 	container_admin_all_user_runtime_content($2)
+	container_manage_all_home_content($2)

 	optional_policy(`
 		systemd_read_user_manager_state($1, container_engine_user_domain)
@ -301,8 +301,8 @@ template(`container_unconfined_role',`
 	container_admin_all_files($2)
 	container_admin_all_ro_files($2)

-	container_admin_all_home_content($2)
 	container_admin_all_user_runtime_content($2)
+	container_manage_all_home_content($2)
 ')

 ########################################
@ -1106,12 +1106,9 @@ interface(`container_admin_all_files',`
 		type container_file_t;
 	')

-	allow $1 container_file_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $1 container_file_t:file { manage_file_perms relabel_file_perms };
-	allow $1 container_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-	allow $1 container_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-	allow $1 container_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
-	allow $1 container_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
+	admin_pattern($1, container_file_t, container_file_t)
+	allow $1 container_file_t:chr_file manage_chr_file_perms;
+	allow $1 container_file_t:blk_file manage_blk_file_perms;
 ')

 ########################################
@ -1129,12 +1126,9 @@ interface(`container_admin_all_ro_files',`
 		type container_ro_file_t;
 	')

-	allow $1 container_ro_file_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $1 container_ro_file_t:file { manage_file_perms relabel_file_perms };
-	allow $1 container_ro_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-	allow $1 container_ro_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-	allow $1 container_ro_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
-	allow $1 container_ro_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
+	admin_pattern($1, container_ro_file_t, container_ro_file_t)
+	allow $1 container_ro_file_t:chr_file manage_chr_file_perms;
+	allow $1 container_ro_file_t:blk_file manage_blk_file_perms;
 ')

 ########################################
@ -1154,10 +1148,7 @@ interface(`container_admin_all_user_runtime_content',`
 		type container_user_runtime_t;
 	')

-	allow $1 container_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $1 container_user_runtime_t:file { manage_file_perms relabel_file_perms };
-	allow $1 container_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-	allow $1 container_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+	admin_pattern($1, container_user_runtime_t, container_user_runtime_t)
 ')

 ########################################
@ -1172,7 +1163,7 @@ interface(`container_admin_all_user_runtime_content',`
 ##	</summary>
 ## </param>
 #
-interface(`container_admin_all_home_content',`
+interface(`container_manage_all_home_content',`
 	gen_require(`
 		type container_file_t, container_ro_file_t;
 		type container_cache_home_t, container_conf_home_t;