## <summary>Policy for podman</summary>

########################################
## <summary>
##	Template for conmon domains.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for generated types.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
template(`podman_conmon_domain_template',`
	gen_require(`
		attribute conmon_domain;
		type conmon_exec_t;
	')

	# Derived conmon domain; the conmon_domain attribute is what the
	# podman_rw_conmon_pipes / podman_use_conmon_fds interfaces key on.
	type $1_conmon_t, conmon_domain;
	application_domain($1_conmon_t, conmon_exec_t)

	# $2 is expected to be a container engine domain (see the
	# container_generic_engine_domtrans call below); it enters
	# $1_conmon_t when it executes conmon_exec_t.
	domtrans_pattern($2, conmon_exec_t, $1_conmon_t)

	# Engine -> conmon: only a liveness probe (signull, no signal/kill),
	# attribute changes on conmon's pipes, and connecting to its
	# unix stream sockets.
	allow $2 $1_conmon_t:process signull;
	allow $2 $1_conmon_t:fifo_file setattr;
	allow $2 $1_conmon_t:unix_stream_socket { connectto rw_stream_socket_perms };

	# Conmon -> engine-labelled sockets: read/write only, no create,
	# bind or connect permissions are granted in this direction.
	allow $1_conmon_t $2:tcp_socket rw_stream_socket_perms;
	allow $1_conmon_t $2:unix_stream_socket rw_stream_socket_perms;
	allow $1_conmon_t $2:unix_dgram_socket rw_socket_perms;

	# conmon may read the engine's /proc/<pid> entries (ps-style access).
	ps_process_pattern($1_conmon_t, $2)

	corecmd_search_bin($1_conmon_t)

	# conmon will execute crun/runc to create the container,
	# so transition back to the source domain when creating it
	container_generic_engine_domtrans($1_conmon_t, $2)
	container_engine_executable_entrypoint($2)
')

########################################
## <summary>
##	Execute podman in the podman domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`podman_domtrans',`
	gen_require(`
		type podman_t, podman_exec_t;
	')

	corecmd_search_bin($1)
	# Automatic transition on exec; this does not authorize any role
	# for podman_t, see podman_run for that.
	domtrans_pattern($1, podman_exec_t, podman_t)
')

########################################
## <summary>
##	Execute podman in the podman domain,
##	and allow the specified role the
##	podman domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the podman domain.
##	</summary>
## </param>
#
interface(`podman_run',`
	gen_require(`
		type podman_t;
	')

	# Role authorization is required in addition to the domain
	# transition, otherwise the exec is denied for RBAC reasons.
	role $2 types podman_t;
	podman_domtrans($1)
')

########################################
## <summary>
##	Execute podman in the podman user
##	domain (rootless podman).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`podman_domtrans_user',`
	gen_require(`
		type podman_user_t, podman_exec_t;
	')

	corecmd_search_bin($1)
	# Same podman_exec_t entrypoint as podman_domtrans, but the target
	# is the rootless domain podman_user_t.
	domtrans_pattern($1, podman_exec_t, podman_user_t)
')

########################################
## <summary>
##	Execute podman in the podman user
##	domain, and allow the specified role
##	the podman user domain (rootless
##	podman).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the podman domain.
##	</summary>
## </param>
#
interface(`podman_run_user',`
	gen_require(`
		type podman_user_t;
	')

	role $2 types podman_user_t;
	podman_domtrans_user($1)
')

########################################
## <summary>
##	Execute conmon in the podman conmon domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`podman_domtrans_conmon',`
	gen_require(`
		type podman_conmon_t, conmon_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, conmon_exec_t, podman_conmon_t)
')

########################################
## <summary>
##	Execute conmon in the podman conmon
##	domain, and allow the specified role
##	the podman conmon domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the conmon domain.
##	</summary>
## </param>
#
interface(`podman_run_conmon',`
	gen_require(`
		type podman_conmon_t;
	')

	role $2 types podman_conmon_t;
	podman_domtrans_conmon($1)
')

########################################
## <summary>
##	Execute conmon in the podman conmon
##	user domain (rootless podman).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`podman_domtrans_conmon_user',`
	gen_require(`
		type podman_user_conmon_t, conmon_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, conmon_exec_t, podman_user_conmon_t)
')

########################################
## <summary>
##	Execute conmon in the podman conmon
##	user domain, and allow the specified
##	role the podman conmon user domain
##	(rootless podman).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the conmon domain.
##	</summary>
## </param>
#
interface(`podman_run_conmon_user',`
	gen_require(`
		type podman_user_conmon_t;
	')

	role $2 types podman_user_conmon_t;
	podman_domtrans_conmon_user($1)
')

########################################
## <summary>
##	Make the specified domain perform a
##	range transition when executing conmon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to transition ranges.
##	</summary>
## </param>
## <param name="range">
##	<summary>
##	MLS range to transition to.
##	</summary>
## </param>
#
interface(`podman_spec_rangetrans_conmon',`
	gen_require(`
		type conmon_exec_t;
	')

	# Emitted under either MCS or MLS builds; the rule is a no-op in
	# a policy built with neither.
	ifdef(`enable_mcs',`
		range_transition $1 conmon_exec_t:process $2;
	')

	ifdef(`enable_mls',`
		range_transition $1 conmon_exec_t:process $2;
	')
')

########################################
## <summary>
##	Read and write conmon unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`podman_rw_conmon_pipes',`
	gen_require(`
		attribute conmon_domain;
	')

	# Granted against the conmon_domain attribute, i.e. the pipes of
	# every conmon domain, not only podman_conmon_t.
	allow $1 conmon_domain:fifo_file rw_fifo_file_perms;
')

########################################
## <summary>
##	Allow the specified domain to inherit
##	and use file descriptors from conmon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`podman_use_conmon_fds',`
	gen_require(`
		attribute conmon_domain;
	')

	# fd:use only; what can be done with the inherited descriptor is
	# still governed by the rules on the underlying object.
	allow $1 conmon_domain:fd use;
')

########################################
## <summary>
##	Role access for rootless podman.
## </summary>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
## <param name="user_exec_domain">
##	<summary>
##	User exec domain for execute and transition access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
template(`podman_user_role',`
	gen_require(`
		type podman_user_t;
		type podman_user_conmon_t;
	')

	# Only the user exec domain ($3) gets the transition; $2 (the user
	# domain) is not referenced anywhere in this template.
	podman_run_user($3, $4)
	podman_run_conmon_user($3, $4)

	optional_policy(`
		dbus_spec_session_bus_client($1, podman_user_t)
	')

	optional_policy(`
		systemd_user_app_status($1, podman_user_t)
		systemd_user_app_status($1, podman_user_conmon_t)
	')
')

########################################
## <summary>
##	All of the rules required to
##	administrate a podman
##	environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`podman_admin',`
	# Admin access here is limited to running the root podman and conmon
	# domains with the given role; no file or directory management rules
	# are granted by this interface. Rootless domains are handled by
	# podman_user_role.
	podman_run($1, $2)
	podman_run_conmon($1, $2)
')