container, podman: initial support for podman

Signed-off-by: Kenton Groombridge <me@concord.sh>

policy/modules/services/container.te

@@ -433,7 +433,7 @@ allow container_engine_domain container_ro_file_t:sock_file { manage_sock_file_p
 
 ifdef(`init_systemd',`
 	# needed by runc, which is also invoked by other engines
-	init_bpf_run(container_engine_domain)
+	init_run_bpf(container_engine_domain)
 ')
 
 optional_policy(`

policy/modules/services/podman.fc

@@ -0,0 +1 @@
+/usr/bin/podman	--	gen_context(system_u:object_r:podman_exec_t,s0)

policy/modules/services/podman.if

@@ -0,0 +1,69 @@
+## <summary>Policy for podman</summary>
+
+########################################
+## <summary>
+##	Execute podman in the podman domain.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`podman_domtrans',`
+	gen_require(`
+		type podman_t, podman_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, podman_exec_t, podman_t)
+')
+
+########################################
+## <summary>
+##	Execute podman in the podman domain,
+##	and allow the specified role the
+##	podman domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the podman domain.
+##	</summary>
+## </param>
+#
+interface(`podman_run',`
+	gen_require(`
+		type podman_t;
+	')
+
+	role $2 types podman_t;
+
+	podman_domtrans($1)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate a podman
+##	environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`podman_admin',`
+	podman_run($1, $2)
+')

policy/modules/services/podman.te

@@ -0,0 +1,50 @@
+policy_module(podman)
+
+########################################
+#
+# Declarations
+#
+
+container_engine_domain_template(podman)
+container_system_engine(podman_t)
+type podman_exec_t;
+container_engine_executable_file(podman_exec_t)
+application_domain(podman_t, podman_exec_t)
+init_daemon_domain(podman_t, podman_exec_t)
+ifdef(`enable_mls',`
+	init_ranged_daemon_domain(podman_t, podman_exec_t, s0 - mls_systemhigh)
+')
+mls_trusted_object(podman_t)
+
+########################################
+#
+# Podman local policy
+#
+
+logging_send_syslog_msg(podman_t)
+
+userdom_list_user_home_content(podman_t)
+# allow podman to relabel content mounted inside containers
+# when run in rootless mode
+userdom_relabel_generic_user_home_dirs(podman_t)
+userdom_relabel_generic_user_home_files(podman_t)
+
+# when run by root, podman will fail to start if
+# /root/.config/containers is not readable
+container_config_home_filetrans(podman_t, dir)
+container_manage_home_config(podman_t)
+
+ifdef(`init_systemd',`
+	init_dbus_chat(podman_t)
+	init_setsched(podman_t)
+	init_get_generic_units_status(podman_t)
+	init_start_generic_units(podman_t)
+	init_start_system(podman_t)
+	init_stop_system(podman_t)
+
+	# podman can read logs from containers which are
+	# sent to the system journal
+	logging_search_logs(podman_t)
+	systemd_list_journal_dirs(podman_t)
+	systemd_read_journal_files(podman_t)
+')