container, kubernetes: add private type for generic container devices
/dev/termination-log is one such generic file created in containers' /dev filesystems. Add a private type for objects created in /dev for containers instead of using the generic device type. Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
parent
9216a7a7f1
commit
3ae0575114
@ -856,6 +856,89 @@ interface(`container_signal_all_containers',`
|
||||
allow $1 container_domain:process signal_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create objects in /dev with an automatic
|
||||
## transition to the container device type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="object">
|
||||
## <summary>
|
||||
## The object class of the object being created.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="name" optional="true">
|
||||
## <summary>
|
||||
## The name of the object being created.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_dev_filetrans',`
|
||||
gen_require(`
|
||||
type container_device_t;
|
||||
')
|
||||
|
||||
dev_filetrans($1, container_device_t, $2, $3)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write container device files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_rw_device_files',`
|
||||
gen_require(`
|
||||
type container_device_t;
|
||||
')
|
||||
|
||||
allow $1 container_device_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage container device files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_manage_device_files',`
|
||||
gen_require(`
|
||||
type container_device_t;
|
||||
')
|
||||
|
||||
allow $1 container_device_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount on all container devices.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_mounton_all_devices',`
|
||||
gen_require(`
|
||||
type container_device_t;
|
||||
')
|
||||
|
||||
allow $1 container_device_t:dir_file_class_set mounton;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set the attributes of container ptys.
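Review bot: The summaries of `container_rw_device_files` and `container_manage_device_files` say "device files", but both interfaces grant only the `file` class on `container_device_t`, so a reader who expects chr_file/blk_file coverage (the usual meaning of "device file" under /dev) will be misled. Since the commit message makes clear the type is for regular files such as /dev/termination-log, say so in the summaries, e.g. `## Read and write container device files (regular files created in container /dev, class file only).` and the matching wording for the manage interface. `container_mounton_all_devices`, by contrast, uses `dir_file_class_set`, so its "all devices" name does match what it grants; a one-line note that mounton is deliberately broader than the rw/manage interfaces would make the asymmetry look intentional rather than accidental.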
|
||||
|
@ -158,6 +158,10 @@ optional_policy(`
|
||||
kubernetes_mountpoint(container_log_t)
|
||||
')
|
||||
|
||||
# generic devices created in container /dev filesystems
|
||||
type container_device_t;
|
||||
dev_node(container_device_t)
|
||||
|
||||
type container_devpts_t;
|
||||
term_pty(container_devpts_t)
|
||||
|
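Review bot: `dev_node(container_device_t)` does more than mark the type as living in /dev: if dev_node() works as it does in refpolicy, it adds the type to the `device_node` attribute, so every existing attribute-wide dev_* interface (manage/relabel/getattr on all device nodes) now also applies to /dev/termination-log and any other file labelled this way. That widening is not mentioned in the commit message or the comment above the declaration, and is the kind of thing a later reader will want to know when reasoning about who can write a container's termination log. Suggest expanding the comment to `# regular files (e.g. /dev/termination-log) created in container /dev filesystems; dev_node() also puts this type under the device_node attribute, so attribute-wide dev_* interfaces apply`.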
||||
@ -289,6 +293,7 @@ miscfiles_read_fonts(container_domain)
|
||||
|
||||
mta_dontaudit_read_spool_symlinks(container_domain)
|
||||
|
||||
container_rw_device_files(container_domain)
|
||||
container_use_container_ptys(container_domain)
|
||||
|
||||
tunable_policy(`container_manage_cgroup',`
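Review bot: `container_rw_device_files(container_domain)` grants read/write on every `container_device_t` file to every domain carrying the `container_domain` attribute, and nothing in the hunk distinguishes one container's termination log from another's at the type level. Unless MCS categories or DAC/mount-namespace separation already keep containers from reaching each other's /dev files (not visible here), one container could write another's /dev/termination-log, which the engine presumably reads back as that container's termination message. If that separation is relied on, a short comment above the call saying so, e.g. `# /dev/termination-log; cross-container isolation relies on MCS/namespaces, not on this type`, would record the assumption; otherwise a per-container label or a narrower grant is worth considering.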
|
||||
|
@ -91,6 +91,11 @@ kernel_relabelfrom_unlabeled_dirs(kubernetes_container_engine_domain)
|
||||
|
||||
iptables_getattr_runtime_files(kubernetes_container_engine_domain)
|
||||
|
||||
# for /dev/termination-log and maybe other device types
|
||||
container_dev_filetrans(kubernetes_container_engine_domain, file)
|
||||
container_manage_device_files(kubernetes_container_engine_domain)
|
||||
container_mounton_all_devices(kubernetes_container_engine_domain)
|
||||
|
||||
container_use_container_ptys(kubernetes_container_engine_domain)
|
||||
|
||||
container_exec_plugins(kubernetes_container_engine_domain)
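Review bot: The comment `# for /dev/termination-log and maybe other device types` is vaguer than the rules under it: the filetrans on the next line transitions only class `file` to `container_device_t`, so no actual device nodes (chr_file/blk_file) get this label, and the "other device types" clause does not match what the policy does. The three grants together are also a fairly specific pattern (create the regular file, manage it, mount on it), which is worth spelling out for the next reader. Suggest `# /dev/termination-log: the engine creates it as a regular file (class file only), manages it, and mounts on it`, dropping the speculative clause.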
|
||||
|