Commit Graph

6297 Commits

Author SHA1 Message Date
Kenton Groombridge
800039c671 docker: add missing call to init_daemon_domain()
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-30 18:09:12 -05:00
Chris PeBenito
242e371ac2 Merge pull request #469 from cgzones/selint
Revert "tests.yml: Disable policy_module() selint checks."
2022-01-30 09:12:10 -05:00
Christian Göttsche
0e06f23e07 Revert "tests.yml: Disable policy_module() selint checks."
This reverts commit 5781a2393c.

SELint 1.2.1 supports the new policy_module syntax.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-01-30 14:27:08 +01:00
Chris PeBenito
f84770f5ce Merge pull request #467 from 0xC0ncord/docker-rootlesskit-optional
docker: make rootlesskit optional
2022-01-24 20:44:22 -05:00
Kenton Groombridge
70836481d0 docker: make rootlesskit optional
Avoid a potential build error and circular dependency by making
rootlesskit optional. Note that rootlesskit is still required in order
for rootless docker to function.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 17:39:10 -05:00
Chris PeBenito
dc2d89df05 Merge pull request #434 from 0xC0ncord/containers
Add container module
2022-01-24 14:01:18 -05:00
Kenton Groombridge
86b90b4bc7 container: allow containers to getsession
Found to be required by a jellyfin container when testing.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:08:50 -05:00
Kenton Groombridge
f4d34fcc34 lxc_contexts: add ro_file and sandbox_lxc_process contexts
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
76f189a883 container: drop old commented rules
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
36289d588c docker: call rootlesskit access in docker access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
5105a4c344 container, docker, rootlesskit: add support for rootless docker
Rootless docker runs as root in a user namespace. Because of this,
rootless docker containers will run as spc_user_t as docker cannot be
SELinux-aware in its own container.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
ad714e7c71 rootlesskit: new policy module
Rootlesskit is required by rootless docker.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
256236f2a1 systemd: add supporting interfaces for user daemons
Add an interface to allow systemd user daemons to use systemd notify and
an interface to write to the systemd user runtime named socket.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
4be52b7fb3 systemd: use stream socket perms in systemd_user_app_status
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
a3f32e322b systemd: allow systemd user managers to execute user bin files
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
3b144c0dec userdomain: add type for user bin files
Add a type and allow execute access to executable files that may be
freely managed by users in their home directories. Although users may
normally execute anything labeled user_home_t, this type is intended to
be executed by user services such as the user's systemd --user instance.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
7dc0fb9438 container: call docker access in container access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
29ac8a3fcf container, docker: add initial support for docker
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
81d26ac72e kernel: add filetrans interface for unlabeled dirs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
52dc8d8a26 container, podman: add policy for conmon
Make conmon run in a separate domain and allow podman types to
transition to it.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
34abc09255 xdg: add interface to search xdg data directories
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
321591144b container, iptables: dontaudit iptables rw on /ptmx
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
405d3aed7d container: add tunable to allow engines to mounton non security
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
e05d996f8e container: add tunables for containers to use nfs and cifs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
01e5c8e1fb container: add tunable for containers to manage cgroups
systemd running inside containers needs to be able to manage cgroups.
Add this feature behind a tunable.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:45 -05:00
Kenton Groombridge
4aca3bab15 container: allow containers to read read-only container files
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:44 -05:00
Kenton Groombridge
e272db844c container: add policy for privileged containers
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
cf5b35795b staff, unconfined: allow container user access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
819cef6a76 container: call podman access in container access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
093e280e77 sysadm: allow container admin access
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
7a0b01bd2a container: add required admin rules
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
526dd08ff3 container, podman, systemd: initial support for rootless podman
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
e55a346fc2 container: add role access templates
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
31e614f7f1 systemd: add private type for systemd user manager units
Make user@.service (systemd --user) units a private type. This is in
support of container engines which may want to restart the unit, and we
can allow this access without allowing other generic units to be
interacted with.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
b3e42c3f15 dbus: add supporting interfaces and rules for rootless podman
Add interfaces to getattr and write to the session dbus socket. Also
dontaudit managing the ptrace capability in user namespaces.

Lastly, allow session dbus daemons to get the attributes of the cgroup
filesystem and the proc filesystem.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
c998839e98 filesystem: add supporting FUSEFS interfaces
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
83df290da3 container, podman: initial support for podman
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
678242b878 container: allow containers to watch all container files
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
10262cdae8 container: allow containers various userns capabilities
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
d098ffc59d container: allow containers the chroot capability
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
cec7f0d3e2 various: various userns capability permissions
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
8d5d89c1e6 container, mount: allow mount to getattr on container fs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
6a1052077f container: allow containers to use container ptys
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
262cee592b container, gpg, userdom: allow container engines to execute gpg
Container engines need to be able to execute gpg in order to verify
container image signatures if they are signed.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:02 -05:00
Kenton Groombridge
ed054cc543 container: initial support for container engines
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 11:07:01 -05:00
Kenton Groombridge
ab36308baa container: add base attributes for containers and container engines
And split container network access to container_net_domain.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:36 -05:00
Kenton Groombridge
8d904bb54f various: make various types a mountpoint for containers
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:35 -05:00
Kenton Groombridge
5f86d07ddc container: add interface to identify container mountpoints
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:34 -05:00
Kenton Groombridge
a3cd63ca9a container: fixup rules
Move a common container rule to the proper location, remove a redundant
access, and make container files an entrypoint for containers.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:33 -05:00
Kenton Groombridge
172446cf66 container: svirt_lxc_net_t is now container_t
svirt_lxc_domain is now container_domain and svirt_lxc_net_t is now
container_t.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-21 15:03:32 -05:00