
container: various fixes

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Kenton Groombridge 2023-12-17 19:47:31 -05:00
parent c3dbaf035c
commit d2f413c1b6


@ -221,6 +221,9 @@ type container_runtime_t;
files_runtime_file(container_runtime_t)
container_mountpoint(container_runtime_t)
type container_tmpfs_t;
files_tmpfs_file(container_tmpfs_t)
type container_log_t;
logging_log_file(container_log_t)
optional_policy(`
@ -302,6 +305,7 @@ rw_chr_files_pattern(container_domain, container_file_t, container_file_t)
rw_blk_files_pattern(container_domain, container_file_t, container_file_t)
allow container_domain container_file_t:dir_file_class_set watch;
allow container_domain container_file_t:file { entrypoint map };
allow container_domain container_file_t:chr_file map;
allow container_domain container_ro_file_t:blk_file read_blk_file_perms;
allow container_domain container_ro_file_t:dir list_dir_perms;
@ -310,6 +314,13 @@ allow container_domain container_ro_file_t:file { exec_file_perms read_file_perm
allow container_domain container_ro_file_t:lnk_file read_lnk_file_perms;
allow container_domain container_ro_file_t:sock_file read_sock_file_perms;
fs_tmpfs_filetrans(container_domain, container_tmpfs_t, { dir file fifo_file lnk_file sock_file })
manage_dirs_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
mmap_manage_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
manage_fifo_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
manage_lnk_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
manage_sock_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t)
can_exec(container_domain, container_file_t)
corecmd_watch_bin_dirs(container_domain)
@ -500,7 +511,7 @@ corenet_tcp_connect_all_ports(container_net_domain)
# Container local policy
#
allow container_t self:process setrlimit;
allow container_t self:process { getcap setrlimit };
allow container_t container_file_t:filesystem getattr;
@ -657,6 +668,9 @@ fs_mount_cgroup(container_engine_domain)
fs_remount_cgroup(container_engine_domain)
fs_mounton_cgroup(container_engine_domain)
fs_getattr_fusefs(container_engine_domain)
fs_remount_fusefs(container_engine_domain)
fs_list_hugetlbfs(container_engine_domain)
kernel_getattr_proc(container_engine_domain)
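Review bot: The new container_tmpfs_t type declared in the first hunk is granted to the whole container_domain attribute in the third hunk (fs_tmpfs_filetrans plus manage_*_pattern and mmap_manage_files_pattern), so every container domain creates and fully manages objects of a single shared type on tmpfs-backed mounts such as shared memory directories. If per-container separation in this module rests on MCS categories rather than on distinct types, that presumably also covers this new type, but nothing in the hunks says so, and a reader of the declaration cannot tell whether the sharing is intended. A short comment above the declaration would make the intent explicit, e.g. `# Objects created by any container domain on tmpfs; shared across containers, so per-container separation relies on MCS categories`. The same attribute-wide scope applies to the added `allow container_domain container_file_t:chr_file map;` in the second hunk, which is worth a one-line comment naming the device use case that needs it.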