container, init, systemd: add policy for quadlet

quadlet is a systemd generator provided by podman which generates runtime units from "template" container units. Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-02-24 20:40:33 -05:00 · 2023-02-24 20:40:33 -05:00 · f27b6fcc5e
commit f27b6fcc5e
parent 86a7f884a5
4 changed files with 34 additions and 1 deletions
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@ -1073,6 +1073,26 @@ interface(`container_exec_plugins',`
 	can_exec($1, container_plugin_t)
 ')

+########################################
+## <summary>
+##	Allow the specified domain to
+##	search container config directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_search_config',`
+	gen_require(`
+		type container_config_t;
+	')
+
+    files_search_etc($1)
+    allow $1 container_config_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@ -19,6 +19,11 @@ ifdef(`distro_gentoo',`
 #
 /dev/initctl		-p	gen_context(system_u:object_r:initctl_t,s0)

+#
+# /etc
+#
+/etc/containers/systemd(/.*)?	gen_context(system_u:object_r:systemd_unit_t,s0)
+
 #
 # /usr
 #
@ -36,6 +41,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/systemd/user-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
 /usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0)
 /usr/lib/systemd/system(/.*)?	gen_context(system_u:object_r:systemd_unit_t,s0)
+/usr/share/containers/systemd(/.*)?	gen_context(system_u:object_r:systemd_unit_t,s0)
 /run/systemd/transient(/.*)?	gen_context(system_u:object_r:systemd_transient_unit_t,s0)

 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@ -21,6 +21,7 @@
 /usr/lib/systemd/system-generators/.*							--	gen_context(system_u:object_r:systemd_generator_exec_t,s0)
 /usr/lib/systemd/user-environment-generators/.*					--	gen_context(system_u:object_r:systemd_generator_exec_t,s0)
 /usr/lib/systemd/user-generators/.*								--	gen_context(system_u:object_r:systemd_generator_exec_t,s0)
+/usr/libexec/podman/quadlet										--	gen_context(system_u:object_r:systemd_generator_exec_t,s0)

 /usr/lib/systemd/systemd-activate	--	gen_context(system_u:object_r:systemd_activate_exec_t,s0)
 /usr/lib/systemd/systemd-backlight	--	gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
@ -49,6 +50,7 @@
 /usr/lib/systemd/systemd-userwork	--	gen_context(system_u:object_r:systemd_userdbd_exec_t,s0)

 # Systemd unit files
+HOME_DIR/\.config/containers/systemd(/.*)?		gen_context(system_u:object_r:systemd_conf_home_t,s0)
 HOME_DIR/\.config/systemd(/.*)?		gen_context(system_u:object_r:systemd_conf_home_t,s0)
 HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_data_home_t,s0)

--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@ -478,7 +478,7 @@ seutil_search_default_contexts(systemd_coredump_t)

 allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
 allow systemd_generator_t self:capability { dac_override sys_admin };
-allow systemd_generator_t self:process setfscreate;
+allow systemd_generator_t self:process { getsched setfscreate signal };

 corecmd_exec_shell(systemd_generator_t)
 corecmd_exec_bin(systemd_generator_t)
@ -546,6 +546,11 @@ optional_policy(`
 	cloudinit_getattr_state_files(systemd_generator_t)
 ')

+optional_policy(`
+	# for quadlet to access /etc/containers/systemd
+	container_search_config(systemd_generator_t)
+')
+
 optional_policy(`
 	fstools_exec(systemd_generator_t)
 ')