Merge pull request #482 from 0xC0ncord/podman-conmon-ranged-transition

podman: add explicit range transition for conmon
2022-03-18 15:30:53 -04:00 · 2022-03-18 15:30:53 -04:00 · 2f2c0e3f20
commit 2f2c0e3f20
parent c5add64587 fe7d5287c4
1 changed files with 16 additions and 0 deletions
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@ -190,6 +190,14 @@ container_engine_tmp_filetrans(podman_conmon_t, { file sock_file })
 container_manage_engine_tmp_files(podman_conmon_t)
 container_manage_engine_tmp_sock_files(podman_conmon_t)

+# Ensure conmon runs in s0 so that it can talk to the container
+ifdef(`enable_mcs',`
+	range_transition podman_t podman_conmon_exec_t:process s0;
+')
+ifdef(`enable_mls',`
+	range_transition podman_t podman_conmon_exec_t:process s0;
+')
+
 ifdef(`init_systemd',`
 	init_get_generic_units_status(podman_conmon_t)
 	init_start_generic_units(podman_conmon_t)
@ -261,6 +269,14 @@ container_engine_tmp_filetrans(podman_conmon_user_t, { file sock_file })
 container_manage_engine_tmp_files(podman_conmon_user_t)
 container_manage_engine_tmp_sock_files(podman_conmon_user_t)

+# Ensure conmon runs in s0 so that it can talk to the container
+ifdef(`enable_mcs',`
+	range_transition podman_user_t podman_conmon_exec_t:process s0;
+')
+ifdef(`enable_mls',`
+	range_transition podman_user_t podman_conmon_exec_t:process s0;
+')
+
 ifdef(`init_systemd',`
 	# conmon can read logs from containers which are
 	# sent to the system journal