podman, selinux: move lines, add missing rules for --network=host
Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
parent
1aab07e154
commit
181077dd47
@ -200,6 +200,25 @@ interface(`selinux_dontaudit_getattr_fs',`
|
||||
dev_dontaudit_search_sysfs($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of the selinuxfs
|
||||
## directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`selinux_getattr_dirs',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the
|
||||
@ -276,6 +295,24 @@ interface(`selinux_dontaudit_read_fs',`
|
||||
dontaudit $1 security_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount on the selinuxfs directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`selinux_mounton_dirs',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
allow $1 security_t:dir mounton;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allows the caller to get the mode of policy enforcement
|
||||
|
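Review bot: The `<param name="domain">` summary of the new selinux_getattr_dirs interface (first hunk) reads `## Domain to not audit.`, evidently copied from the neighbouring dontaudit interfaces, but the interface adds an allow rule; it should read `## Domain allowed access.`, matching the selinux_mounton_dirs interface in the second hunk. The selinux_mounton_dirs summary would also benefit from one line saying what the permission is for, since mounton on the security_t directory lets the caller hide selinuxfs from its mount namespace, e.g. `## Used by container runtimes to mask selinuxfs inside a container.` — the purpose is inferred from the accompanying podman change, so confirm the wording before committing it.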
@ -39,9 +39,9 @@ userdom_user_application_domain(podman_user_conmon_t, conmon_exec_t)
|
||||
|
||||
allow podman_t podman_conmon_t:process setsched;
|
||||
|
||||
# podman creates OCI networking configs and will
|
||||
# remove them when running podman system reset
|
||||
container_manage_config_files(podman_t)
|
||||
# for --network=host
|
||||
selinux_getattr_dirs(podman_t)
|
||||
selinux_mounton_dirs(podman_t)
|
||||
|
||||
logging_send_syslog_msg(podman_t)
|
||||
|
||||
@ -51,6 +51,10 @@ userdom_list_user_home_content(podman_t)
|
||||
userdom_relabel_generic_user_home_dirs(podman_t)
|
||||
userdom_relabel_generic_user_home_files(podman_t)
|
||||
|
||||
# podman creates OCI networking configs and will
|
||||
# remove them when running podman system reset
|
||||
container_manage_config_files(podman_t)
|
||||
|
||||
# when run by root, podman will fail to start if
|
||||
# /root/.config/containers is not readable
|
||||
container_config_home_filetrans(podman_t, dir)
|
||||
|
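Review bot: The comment `# for --network=host` above the two new selinux_* calls in the first hunk names the trigger but not the mechanism, which is what a later reader needs when deciding whether the rule can be dropped. Presumably the runtime reuses the host sysfs when the network namespace is shared and then mounts over /sys/fs/selinux to mask it from the container; if that is the case, say so, e.g. `# with --network=host the container sees the host's sysfs, so the runtime mounts over selinuxfs to mask it`. Since mounton on security_t:dir is granted to podman_t unconditionally and would equally let it hide selinuxfs in the host's own mount namespace, it is worth recording in the commit message or the comment that this is accepted, or gating the two calls behind a tunable if host networking is not the common case. The podman_t domain declaration and the rest of the module lie outside the hunk.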