container: fixup rules

Move a common container rule to the proper location, remove a redundant access, and make container files an entrypoint for containers. Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-12-31 15:53:15 -05:00 · 2021-12-31 15:53:15 -05:00 · a3cd63ca9a
commit a3cd63ca9a
parent 172446cf66
1 changed files with 3 additions and 3 deletions
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@ -41,9 +41,6 @@ manage_fifo_files_pattern(container_domain, container_file_t, container_file_t)
 rw_chr_files_pattern(container_domain, container_file_t, container_file_t)
 rw_blk_files_pattern(container_domain, container_file_t, container_file_t)

-allow container_t container_file_t:dir mounton;
-allow container_t container_file_t:filesystem getattr;
-
 can_exec(container_domain, container_file_t)

 kernel_getattr_proc(container_domain)
@ -132,6 +129,9 @@ allow container_t self:netlink_socket create_socket_perms;
 allow container_t self:netlink_tcpdiag_socket create_socket_perms;
 allow container_t self:netlink_kobject_uevent_socket create_socket_perms;

+allow container_t container_file_t:file entrypoint;
+allow container_t container_file_t:filesystem getattr;
+
 kernel_read_network_state(container_t)
 kernel_read_irq_sysctls(container_t)