From 21d7f4415e4648c6aa010efe5b1728f4d2d6fc2d Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 19 Jul 2022 19:29:16 +0000
Subject: [PATCH] Container: Minor fixes from interactive container use.

Signed-off-by: Chris PeBenito
---
 policy/modules/kernel/filesystem.if | 19 +++++++++++++++++++
 policy/modules/kernel/kernel.te | 4 ++++
 policy/modules/services/container.te | 7 ++++++-
 3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 709619868..817d223bf 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1016,6 +1016,25 @@ interface(`fs_watch_cgroup_files',`
 allow $1 cgroup_types:file watch;
 ')
+########################################
+##
+## Read cgroup symlnks.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_read_cgroup_symlinks',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ read_lnk_files_pattern($1, cgroup_t, cgroup_t)
+ dev_search_sysfs($1)
+')
+
 ########################################
 ##
 ## Create cgroup lnk_files.
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 6134d4c05..ae88f7fb9 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -99,6 +99,10 @@ type proc_kcore_t, proc_type;
 neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~{ getattr mounton };
 genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
+optional_policy(`
+ container_mountpoint(proc_kcore_t)
+')
+
 optional_policy(`
 init_mountpoint(proc_kcore_t)
 ')
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 0b798993c..096d6c23d 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
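Review bot: The summary of the new `fs_read_cgroup_symlinks` interface in filesystem.if misspells its subject; it should read `##	Read cgroup symlinks.` so the generated interface documentation stays searchable. The body grants the pattern against the single type `cgroup_t`, while the neighbouring `fs_watch_cgroup_files` visible in the hunk's context uses the `cgroup_types` attribute; if that attribute spans more than `cgroup_t` (not visible in this patch), callers would still be denied reading symlinks on those other cgroup types, so it is worth confirming the narrower type is deliberate. The `dev_search_sysfs($1)` line is the only non-cgroup access the interface hands out, and a one-line comment such as `# cgroup hierarchies live under /sys/fs/cgroup, so sysfs must be searchable` would tell a reader why a cgroup interface reaches into sysfs.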
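Review bot: The new `container_mountpoint(proc_kcore_t)` block in kernel.te carries no rationale, and `/proc/kcore` is sensitive enough that the file guards it with the `neverallow` two lines above it, so a short comment would help a later auditor, e.g. `# container engines mount over /proc/kcore, presumably to hide it from containers` (the commit message only says "minor fixes", so the motive is inferred). That neverallow leaves only `getattr` and `mounton` open to domains outside `can_dump_kernel`/`kern_unconfined`, which means `container_mountpoint` must grant nothing beyond those on the file class or the build will reject the policy; its body is not in this patch, so that is an assumption to confirm. The block mirrors the existing `init_mountpoint(proc_kcore_t)` block directly below it, and the comment could say the two serve the same purpose.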
@@ -606,6 +606,9 @@ allow container_engine_domain self:icmp_socket create_socket_perms;
 allow container_engine_domain self:netlink_route_socket create_netlink_socket_perms;
 allow container_engine_domain self:packet_socket create_socket_perms;
+allow container_engine_domain container_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(container_engine_domain, container_devpts_t)
+
 allow container_engine_domain container_port_t:tcp_socket name_bind;
 dontaudit container_engine_domain container_domain:process { noatsecure rlimitinh siginh };
@@ -670,6 +673,7 @@ fs_mount_xattr_fs(container_engine_domain)
 fs_remount_xattr_fs(container_engine_domain)
 fs_unmount_xattr_fs(container_engine_domain)
 fs_relabelfrom_xattr_fs(container_engine_domain)
+fs_get_xattr_fs_quotas(container_engine_domain)
 fs_getattr_cgroup(container_engine_domain)
 fs_manage_cgroup_dirs(container_engine_domain)
@@ -678,6 +682,7 @@ fs_watch_cgroup_files(container_engine_domain)
 fs_mount_cgroup(container_engine_domain)
 fs_remount_cgroup(container_engine_domain)
 fs_mounton_cgroup(container_engine_domain)
+fs_read_cgroup_symlinks(container_engine_domain)
 fs_getattr_fusefs(container_engine_domain)
 fs_remount_fusefs(container_engine_domain)
@@ -692,6 +697,7 @@ kernel_read_network_state(container_engine_domain)
 kernel_read_system_state(container_engine_domain)
 kernel_rw_net_sysctls(container_engine_domain)
 kernel_dontaudit_search_kernel_sysctl(container_engine_domain)
+kernel_getattr_core_if(container_engine_domain)
 selinux_get_fs_mount(container_engine_domain)
 selinux_mount_fs(container_engine_domain)
@@ -700,7 +706,6 @@ selinux_unmount_fs(container_engine_domain)
 seutil_read_config(container_engine_domain)
 seutil_read_default_contexts(container_engine_domain)
-term_create_pty(container_engine_domain, container_devpts_t)
 term_mount_devpts(container_engine_domain)
 term_relabel_pty_fs(container_engine_domain)
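Review bot: The added `allow container_engine_domain container_devpts_t:chr_file { rw_chr_file_perms setattr };` is placed beside `term_create_pty(container_engine_domain, container_devpts_t)`, which the final hunk (cut off at the end of SOURCE, with one trailing context line missing) removes from the alphabetised term_* block; every other hunk in container.te keeps interface calls grouped by module prefix, so the move breaks that convention and the call would be easier to find left next to `term_mount_devpts`. The patch also does not say why the raw rule is needed in addition to the interface; if `term_create_pty` does not grant these permissions on the type passed as its second argument (its body is not visible here), a comment such as `# engine reads, writes and sets attributes on the pty nodes it hands to containers` would stop the next reader from dropping the rule as redundant. `setattr` is the part worth a second look, since it lets the engine change ownership and mode of terminal nodes that container processes later use, so the comment should say that this is intended.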