container, podman: initial support for podman
Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
parent
678242b878
commit
83df290da3
@ -433,7 +433,7 @@ allow container_engine_domain container_ro_file_t:sock_file { manage_sock_file_p
ifdef(`init_systemd',`
# needed by runc, which is also invoked by other engines
init_bpf_run(container_engine_domain)
init_run_bpf(container_engine_domain)
')
optional_policy(`
@ -0,0 +1 @@
/usr/bin/podman -- gen_context(system_u:object_r:podman_exec_t,s0)
@ -0,0 +1,69 @@
## <summary>Policy for podman</summary>
########################################
## <summary>
## Execute podman in the podman domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`podman_domtrans',`
gen_require(`
type podman_t, podman_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, podman_exec_t, podman_t)
')
########################################
## <summary>
## Execute podman in the podman domain,
## and allow the specified role the
## podman domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the podman domain.
## </summary>
## </param>
#
interface(`podman_run',`
gen_require(`
type podman_t;
')
role $2 types podman_t;
podman_domtrans($1)
')
########################################
## <summary>
## All of the rules required to
## administrate a podman
## environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`podman_admin',`
podman_run($1, $2)
')
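Review bot: `podman_admin` is documented as "All of the rules required to administrate a podman environment" but its body only calls `podman_run($1, $2)`, so an admin role gets the domain transition and nothing that lets it inspect or signal a running podman_t process. Other refpolicy admin interfaces also grant `ps_process_pattern($1, podman_t)` and `allow $1 podman_t:process { ptrace signal_perms };`; either add those (which needs a `gen_require(` type podman_t; ')` block, absent here) or narrow the summary to what the interface actually does. The mismatch matters because callers reading the `<rolecap/>` summary will assume the admin role can manage the engine, not merely start it.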
@ -0,0 +1,50 @@
policy_module(podman)
########################################
#
# Declarations
#
container_engine_domain_template(podman)
container_system_engine(podman_t)
type podman_exec_t;
container_engine_executable_file(podman_exec_t)
application_domain(podman_t, podman_exec_t)
init_daemon_domain(podman_t, podman_exec_t)
ifdef(`enable_mls',`
init_ranged_daemon_domain(podman_t, podman_exec_t, s0 - mls_systemhigh)
')
mls_trusted_object(podman_t)
########################################
#
# Podman local policy
#
logging_send_syslog_msg(podman_t)
userdom_list_user_home_content(podman_t)
# allow podman to relabel content mounted inside containers
# when run in rootless mode
userdom_relabel_generic_user_home_dirs(podman_t)
userdom_relabel_generic_user_home_files(podman_t)
# when run by root, podman will fail to start if
# /root/.config/containers is not readable
container_config_home_filetrans(podman_t, dir)
container_manage_home_config(podman_t)
ifdef(`init_systemd',`
init_dbus_chat(podman_t)
init_setsched(podman_t)
init_get_generic_units_status(podman_t)
init_start_generic_units(podman_t)
init_start_system(podman_t)
init_stop_system(podman_t)
# podman can read logs from containers which are
# sent to the system journal
logging_search_logs(podman_t)
systemd_list_journal_dirs(podman_t)
systemd_read_journal_files(podman_t)
')
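Review bot: `userdom_relabel_generic_user_home_dirs(podman_t)` and `userdom_relabel_generic_user_home_files(podman_t)` grant, as I read the userdom interfaces, relabelfrom/relabelto on generic user home content for every user on the host, while the comment above them describes only the rootless case. Because podman_t appears to be a single system-wide domain (`container_engine_domain_template(podman)` plus `container_system_engine(podman_t)`), that relabel right is held even when podman is run by root, so consider wrapping the two calls in a `tunable_policy(`<rootless_tunable>',`...')` block declared with `gen_tunable`, or at least extend the comment to state that the grant is host-wide rather than per-user. The `ifdef(`init_systemd'` block also lacks a why-comment for `init_dbus_chat`, `init_setsched`, `init_start_system` and `init_stop_system`, unlike the journal lines below them; a hedged line such as `# presumably for the systemd cgroup manager (transient scope units) -- confirm` above `init_dbus_chat(podman_t)` would tell the next reader which podman feature drives these broad init permissions.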