
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Sun, 30 Jan 2022 01:22:54
Message-Id: 1643505162.12977dbcd922fd1bc6175ed523033d08133e7718.perfinion@gentoo
1 commit: 12977dbcd922fd1bc6175ed523033d08133e7718
2 Author: Kenton Groombridge <me <AT> concord <DOT> sh>
3 AuthorDate: Fri Dec 31 19:47:00 2021 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sun Jan 30 01:12:42 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=12977dbc
7
8 container, podman: add policy for conmon
9
10 Make conmon run in a separate domain and allow podman types to
11 transition to it.
12
13 Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
14 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
15
16 policy/modules/services/container.if | 406 +++++++++++++++++++++++++++++++++++
17 policy/modules/services/podman.fc | 1 +
18 policy/modules/services/podman.if | 98 +++++++++
19 policy/modules/services/podman.te | 162 +++++++++++++-
20 4 files changed, 665 insertions(+), 2 deletions(-)
21
22 diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
23 index 92b5a2f7..1c1950c7 100644
24 --- a/policy/modules/services/container.if
25 +++ b/policy/modules/services/container.if
26 @@ -356,6 +356,52 @@ interface(`container_engine_executable_file',`
27 application_executable_file($1)
28 ')
29
30 +########################################
31 +## <summary>
32 +## Execute a generic container engine
33 +## executable with an automatic transition
34 +## to a private type.
35 +## </summary>
36 +## <param name="domain">
37 +## <summary>
38 +## Domain allowed to transition.
39 +## </summary>
40 +## </param>
41 +## <param name="target_domain">
42 +## <summary>
43 +## The type of the new process.
44 +## </summary>
45 +## </param>
46 +#
47 +interface(`container_generic_engine_domtrans',`
48 + gen_require(`
49 + type container_engine_exec_t;
50 + ')
51 +
52 + corecmd_search_bin($1)
53 + domtrans_pattern($1, container_engine_exec_t, $2)
54 +')
55 +
56 +########################################
57 +## <summary>
58 +## Allow the generic container engine
59 +## executables to be an entrypoint
60 +## for the specified domain.
61 +## </summary>
62 +## <param name="domain">
63 +## <summary>
64 +## Domain allowed access.
65 +## </summary>
66 +## </param>
67 +#
68 +interface(`container_engine_executable_entrypoint',`
69 + gen_require(`
70 + type container_engine_exec_t;
71 + ')
72 +
73 + allow $1 container_engine_exec_t:file entrypoint;
74 +')
75 +
76 ########################################
77 ## <summary>
78 ## Send and receive messages from
79 @@ -377,6 +423,115 @@ interface(`container_engine_dbus_chat',`
80 allow container_engine_domain $1:dbus send_msg;
81 ')
82
83 +########################################
84 +## <summary>
85 +## Allow the specified domain to manage
86 +## container engine temporary files.
87 +## </summary>
88 +## <param name="domain">
89 +## <summary>
90 +## Domain allowed access.
91 +## </summary>
92 +## </param>
93 +#
94 +interface(`container_manage_engine_tmp_files',`
95 + gen_require(`
96 + type container_engine_tmp_t;
97 + ')
98 +
99 + files_search_tmp($1)
100 + allow $1 container_engine_tmp_t:file manage_file_perms;
101 +')
102 +
103 +########################################
104 +## <summary>
105 +## Allow the specified domain to manage
106 +## container engine temporary named sockets.
107 +## </summary>
108 +## <param name="domain">
109 +## <summary>
110 +## Domain allowed access.
111 +## </summary>
112 +## </param>
113 +#
114 +interface(`container_manage_engine_tmp_sock_files',`
115 + gen_require(`
116 + type container_engine_tmp_t;
117 + ')
118 +
119 + files_search_tmp($1)
120 + allow $1 container_engine_tmp_t:sock_file manage_sock_file_perms;
121 +')
122 +
123 +########################################
124 +## <summary>
125 +## Allow the specified domain to create
126 +## objects in generic temporary directories
127 +## with an automatic type transition to
128 +## the container engine temporary file type.
129 +## </summary>
130 +## <param name="domain">
131 +## <summary>
132 +## Domain allowed access.
133 +## </summary>
134 +## </param>
135 +## <param name="object">
136 +## <summary>
137 +## The object class of the object being created.
138 +## </summary>
139 +## </param>
140 +## <param name="name" optional="true">
141 +## <summary>
142 +## The name of the object being created.
143 +## </summary>
144 +## </param>
145 +#
146 +interface(`container_engine_tmp_filetrans',`
147 + gen_require(`
148 + type container_engine_tmp_t;
149 + ')
150 +
151 + files_tmp_filetrans($1, container_engine_tmp_t, $2, $3)
152 +')
153 +
154 +########################################
155 +## <summary>
156 +## Read the process state (/proc/pid)
157 +## of all system containers.
158 +## </summary>
159 +## <param name="domain">
160 +## <summary>
161 +## Domain allowed access.
162 +## </summary>
163 +## </param>
164 +#
165 +interface(`container_read_system_container_state',`
166 + gen_require(`
167 + attribute container_system_domain;
168 + ')
169 +
170 + ps_process_pattern($1, container_system_domain)
171 +')
172 +
173 +########################################
174 +## <summary>
175 +## Read the process state (/proc/pid)
176 +## of all user containers.
177 +## </summary>
178 +## <param name="domain">
179 +## <summary>
180 +## Domain allowed access.
181 +## </summary>
182 +## </param>
183 +#
184 +interface(`container_read_user_container_state',`
185 + gen_require(`
186 + attribute container_user_domain;
187 + ')
188 +
189 + ps_process_pattern($1, container_user_domain)
190 +')
191 +
192 ########################################
193 ## <summary>
194 ## All of the permissions necessary
195 @@ -611,6 +766,25 @@ interface(`container_manage_sock_files',`
196 manage_sock_files_pattern($1, container_file_t, container_file_t)
197 ')
198
199 +########################################
200 +## <summary>
201 +## Allow the specified domain to read
202 +## and write container chr files.
203 +## </summary>
204 +## <param name="domain">
205 +## <summary>
206 +## Domain allowed access.
207 +## </summary>
208 +## </param>
209 +#
210 +interface(`container_rw_chr_files',`
211 + gen_require(`
212 + type container_file_t;
213 + ')
214 +
215 + allow $1 container_file_t:chr_file rw_chr_file_perms;
216 +')
217 +
218 ########################################
219 ## <summary>
220 ## Do not audit attempts to read
221 @@ -701,6 +875,65 @@ interface(`container_config_home_filetrans',`
222 xdg_config_filetrans($1, container_conf_home_t, $2, $3)
223 ')
224
225 +########################################
226 +## <summary>
227 +## Allow the specified domain to
228 +## manage container data home files.
229 +## </summary>
230 +## <param name="domain">
231 +## <summary>
232 +## Domain allowed access.
233 +## </summary>
234 +## </param>
235 +#
236 +interface(`container_manage_home_data_files',`
237 + gen_require(`
238 + type container_data_home_t;
239 + ')
240 +
241 + manage_files_pattern($1, container_data_home_t, container_data_home_t)
242 +')
243 +
244 +########################################
245 +## <summary>
246 +## Allow the specified domain to
247 +## manage container data home named
248 +## pipes.
249 +## </summary>
250 +## <param name="domain">
251 +## <summary>
252 +## Domain allowed access.
253 +## </summary>
254 +## </param>
255 +#
256 +interface(`container_manage_home_data_fifo_files',`
257 + gen_require(`
258 + type container_data_home_t;
259 + ')
260 +
261 + manage_fifo_files_pattern($1, container_data_home_t, container_data_home_t)
262 +')
263 +
264 +########################################
265 +## <summary>
266 +## Allow the specified domain to
267 +## manage container data home named
268 +## sockets.
269 +## </summary>
270 +## <param name="domain">
271 +## <summary>
272 +## Domain allowed access.
273 +## </summary>
274 +## </param>
275 +#
276 +interface(`container_manage_home_data_sock_files',`
277 + gen_require(`
278 + type container_data_home_t;
279 + ')
280 +
281 + manage_sock_files_pattern($1, container_data_home_t, container_data_home_t)
282 +')
283 +
284 ########################################
285 ## <summary>
286 ## Allow the specified domain to
287 @@ -760,6 +993,179 @@ interface(`container_getattr_fs',`
288 allow $1 container_file_t:filesystem getattr;
289 ')
290
291 +########################################
292 +## <summary>
293 +## Allow the specified domain to search
294 +## runtime container directories.
295 +## </summary>
296 +## <param name="domain">
297 +## <summary>
298 +## Domain allowed access.
299 +## </summary>
300 +## </param>
301 +#
302 +interface(`container_search_runtime',`
303 + gen_require(`
304 + type container_runtime_t;
305 + ')
306 +
307 + files_search_runtime($1)
308 + allow $1 container_runtime_t:dir search_dir_perms;
309 +')
310 +
311 +########################################
312 +## <summary>
313 +## Allow the specified domain to manage
314 +## runtime container files.
315 +## </summary>
316 +## <param name="domain">
317 +## <summary>
318 +## Domain allowed access.
319 +## </summary>
320 +## </param>
321 +#
322 +interface(`container_manage_runtime_files',`
323 + gen_require(`
324 + type container_runtime_t;
325 + ')
326 +
327 + manage_files_pattern($1, container_runtime_t, container_runtime_t)
328 +')
329 +
330 +########################################
331 +## <summary>
332 +## Allow the specified domain to manage
333 +## runtime container named pipes.
334 +## </summary>
335 +## <param name="domain">
336 +## <summary>
337 +## Domain allowed access.
338 +## </summary>
339 +## </param>
340 +#
341 +interface(`container_manage_runtime_fifo_files',`
342 + gen_require(`
343 + type container_runtime_t;
344 + ')
345 +
346 + manage_fifo_files_pattern($1, container_runtime_t, container_runtime_t)
347 +')
348 +
349 +########################################
350 +## <summary>
351 +## Allow the specified domain to manage
352 +## runtime container named sockets.
353 +## </summary>
354 +## <param name="domain">
355 +## <summary>
356 +## Domain allowed access.
357 +## </summary>
358 +## </param>
359 +#
360 +interface(`container_manage_runtime_sock_files',`
361 + gen_require(`
362 + type container_runtime_t;
363 + ')
364 +
365 + manage_sock_files_pattern($1, container_runtime_t, container_runtime_t)
366 +')
367 +
368 +########################################
369 +## <summary>
370 +## Allow the specified domain to manage
371 +## user runtime container files.
372 +## </summary>
373 +## <param name="domain">
374 +## <summary>
375 +## Domain allowed access.
376 +## </summary>
377 +## </param>
378 +#
379 +interface(`container_manage_user_runtime_files',`
380 + gen_require(`
381 + type container_user_runtime_t;
382 + ')
383 +
384 + manage_files_pattern($1, container_user_runtime_t, container_user_runtime_t)
385 +')
386 +
387 +########################################
388 +## <summary>
389 +## Allow the specified domain to search
390 +## container directories in /var/lib.
391 +## </summary>
392 +## <param name="domain">
393 +## <summary>
394 +## Domain allowed access.
395 +## </summary>
396 +## </param>
397 +#
398 +interface(`container_search_var_lib',`
399 + gen_require(`
400 + type container_var_lib_t;
401 + ')
402 +
403 + files_search_var_lib($1)
404 + allow $1 container_var_lib_t:dir search_dir_perms;
405 +')
406 +
407 +########################################
408 +## <summary>
409 +## Allow the specified domain to manage
410 +## container files in /var/lib.
411 +## </summary>
412 +## <param name="domain">
413 +## <summary>
414 +## Domain allowed access.
415 +## </summary>
416 +## </param>
417 +#
418 +interface(`container_manage_var_lib_files',`
419 + gen_require(`
420 + type container_var_lib_t;
421 + ')
422 +
423 + manage_files_pattern($1, container_var_lib_t, container_var_lib_t)
424 +')
425 +
426 +########################################
427 +## <summary>
428 +## Allow the specified domain to manage
429 +## container named pipes in /var/lib.
430 +## </summary>
431 +## <param name="domain">
432 +## <summary>
433 +## Domain allowed access.
434 +## </summary>
435 +## </param>
436 +#
437 +interface(`container_manage_var_lib_fifo_files',`
438 + gen_require(`
439 + type container_var_lib_t;
440 + ')
441 +
442 + manage_fifo_files_pattern($1, container_var_lib_t, container_var_lib_t)
443 +')
444 +
445 +########################################
446 +## <summary>
447 +## Allow the specified domain to manage
448 +## container named sockets in /var/lib.
449 +## </summary>
450 +## <param name="domain">
451 +## <summary>
452 +## Domain allowed access.
453 +## </summary>
454 +## </param>
455 +#
456 +interface(`container_manage_var_lib_sock_files',`
457 + gen_require(`
458 + type container_var_lib_t;
459 + ')
460 +
461 + manage_sock_files_pattern($1, container_var_lib_t, container_var_lib_t)
462 +')
463 +
464 ########################################
465 ## <summary>
466 ## All of the rules required to
467
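Review bot: The new manage interfaces are inconsistent about who supplies the parent-directory search: `container_manage_engine_tmp_files` and `container_manage_engine_tmp_sock_files` call `files_search_tmp($1)` themselves, while the `container_manage_runtime_*` and `container_manage_var_lib_*` interfaces leave that to the separate `container_search_runtime` / `container_search_var_lib`, so a caller that uses only a manage interface may end up with file rules it cannot reach by path. Either fold `files_search_runtime($1)` and `files_search_var_lib($1)` into the corresponding manage interfaces, as the tmp ones do, or state the dependency in their summaries, e.g. `## Callers must also call container_search_runtime().`. A short comment on `container_manage_engine_tmp_files` explaining why it uses a bare `allow $1 container_engine_tmp_t:file manage_file_perms;` instead of the `manage_files_pattern` used everywhere else in this file would also help the next reader, if the intent is that this type is only applied to files and named sockets created directly under generic tmp and therefore needs no directory rules.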
468 diff --git a/policy/modules/services/podman.fc b/policy/modules/services/podman.fc
469 index fbf11fed..ece2d0dc 100644
470 --- a/policy/modules/services/podman.fc
471 +++ b/policy/modules/services/podman.fc
472 @@ -1 +1,2 @@
473 /usr/bin/podman -- gen_context(system_u:object_r:podman_exec_t,s0)
474 +/usr/bin/conmon -- gen_context(system_u:object_r:podman_conmon_exec_t,s0)
475
476 diff --git a/policy/modules/services/podman.if b/policy/modules/services/podman.if
477 index a57ca9dc..3d03884e 100644
478 --- a/policy/modules/services/podman.if
479 +++ b/policy/modules/services/podman.if
480 @@ -94,6 +94,100 @@ interface(`podman_run_user',`
481 podman_domtrans_user($1)
482 ')
483
484 +########################################
485 +## <summary>
486 +## Execute conmon in the conmon domain.
487 +## </summary>
488 +## <param name="domain">
489 +## <summary>
490 +## Domain allowed to transition.
491 +## </summary>
492 +## </param>
493 +#
494 +interface(`podman_domtrans_conmon',`
495 + gen_require(`
496 + type podman_conmon_t, podman_conmon_exec_t;
497 + ')
498 +
499 + corecmd_search_bin($1)
500 + domtrans_pattern($1, podman_conmon_exec_t, podman_conmon_t)
501 +')
502 +
503 +########################################
504 +## <summary>
505 +## Execute conmon in the conmon domain,
506 +## and allow the specified role the
507 +## conmon domain.
508 +## </summary>
509 +## <param name="domain">
510 +## <summary>
511 +## Domain allowed to transition.
512 +## </summary>
513 +## </param>
514 +## <param name="role">
515 +## <summary>
516 +## The role to be allowed the conmon domain.
517 +## </summary>
518 +## </param>
519 +#
520 +interface(`podman_run_conmon',`
521 + gen_require(`
522 + type podman_conmon_t;
523 + ')
524 +
525 + role $2 types podman_conmon_t;
526 +
527 + podman_domtrans_conmon($1)
528 +')
529 +
530 +########################################
531 +## <summary>
532 +## Execute conmon in the conmon user
533 +## domain (rootless podman).
534 +## </summary>
535 +## <param name="domain">
536 +## <summary>
537 +## Domain allowed to transition.
538 +## </summary>
539 +## </param>
540 +#
541 +interface(`podman_domtrans_conmon_user',`
542 + gen_require(`
543 + type podman_conmon_user_t, podman_conmon_exec_t;
544 + ')
545 +
546 + corecmd_search_bin($1)
547 + domtrans_pattern($1, podman_conmon_exec_t, podman_conmon_user_t)
548 +')
549 +
550 +########################################
551 +## <summary>
552 +## Execute conmon in the conmon user
553 +## domain, and allow the specified role
554 +## the conmon user domain (rootless
555 +## podman).
556 +## </summary>
557 +## <param name="domain">
558 +## <summary>
559 +## Domain allowed to transition.
560 +## </summary>
561 +## </param>
562 +## <param name="role">
563 +## <summary>
564 +## The role to be allowed the conmon domain.
565 +## </summary>
566 +## </param>
567 +#
568 +interface(`podman_run_conmon_user',`
569 + gen_require(`
570 + type podman_conmon_user_t;
571 + ')
572 +
573 + role $2 types podman_conmon_user_t;
574 +
575 + podman_domtrans_conmon_user($1)
576 +')
577 +
578 ########################################
579 ## <summary>
580 ## Role access for rootless podman.
581 @@ -124,9 +218,11 @@ interface(`podman_run_user',`
582 template(`podman_user_role',`
583 gen_require(`
584 type podman_user_t;
585 + type podman_conmon_user_t;
586 ')
587
588 podman_run_user($3, $4)
589 + podman_run_conmon_user($3, $4)
590
591 optional_policy(`
592 dbus_spec_session_bus_client($1, podman_user_t)
593 @@ -134,6 +230,7 @@ template(`podman_user_role',`
594
595 optional_policy(`
596 systemd_user_app_status($1, podman_user_t)
597 + systemd_user_app_status($1, podman_conmon_user_t)
598 ')
599 ')
600
601 @@ -157,4 +254,5 @@ template(`podman_user_role',`
602 #
603 interface(`podman_admin',`
604 podman_run($1, $2)
605 + podman_run_conmon($1, $2)
606 ')
607
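Review bot: In `podman_run_conmon_user` the `role` parameter summary reads `The role to be allowed the conmon domain.` although the interface grants `podman_conmon_user_t`; it should read `The role to be allowed the conmon user domain.` to match the interface summary and the sibling `podman_run_conmon`. The `type podman_conmon_user_t;` added to the gen_require of `podman_user_role` is needed only for the later `systemd_user_app_status($1, podman_conmon_user_t)` call, since `podman_run_conmon_user` carries its own require, so a one-line comment such as `# required for systemd_user_app_status below` would stop someone from removing it as redundant. The `podman_user_role` template extends beyond this hunk.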
608 diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
609 index 2bdd2f27..6efd2cd1 100644
610 --- a/policy/modules/services/podman.te
611 +++ b/policy/modules/services/podman.te
612 @@ -17,14 +17,30 @@ ifdef(`enable_mls',`
613 mls_trusted_object(podman_t)
614
615 container_engine_domain_template(podman_user)
616 +container_user_engine(podman_user_t)
617 application_domain(podman_user_t, podman_exec_t)
618 mls_trusted_object(podman_user_t)
619
620 +type podman_conmon_t;
621 +type podman_conmon_exec_t;
622 +application_domain(podman_conmon_t, podman_conmon_exec_t)
623 +
624 +type podman_conmon_user_t;
625 +application_domain(podman_conmon_user_t, podman_conmon_exec_t)
626 +
627 ########################################
628 #
629 # Podman local policy
630 #
631
632 +allow podman_t podman_conmon_t:process { setsched signull };
633 +allow podman_t podman_conmon_t:fifo_file setattr;
634 +allow podman_t podman_conmon_t:unix_stream_socket { connectto rw_stream_socket_perms };
635 +
636 +container_engine_executable_entrypoint(podman_t)
637 +
638 +domtrans_pattern(podman_t, podman_conmon_exec_t, podman_conmon_t)
639 +
640 logging_send_syslog_msg(podman_t)
641
642 userdom_list_user_home_content(podman_t)
643 @@ -38,11 +54,11 @@ userdom_relabel_generic_user_home_files(podman_t)
644 container_config_home_filetrans(podman_t, dir)
645 container_manage_home_config(podman_t)
646
647 +container_manage_sock_files(podman_t)
648 +
649 ifdef(`init_systemd',`
650 init_dbus_chat(podman_t)
651 init_setsched(podman_t)
652 - init_get_generic_units_status(podman_t)
653 - init_start_generic_units(podman_t)
654 init_start_system(podman_t)
655 init_stop_system(podman_t)
656
657 @@ -58,6 +74,14 @@ ifdef(`init_systemd',`
658 # Rootless Podman local policy
659 #
660
661 +allow podman_user_t podman_conmon_user_t:process signull;
662 +allow podman_user_t podman_conmon_user_t:fifo_file setattr;
663 +allow podman_user_t podman_conmon_user_t:unix_stream_socket { connectto rw_stream_socket_perms };
664 +
665 +container_engine_executable_entrypoint(podman_user_t)
666 +
667 +domtrans_pattern(podman_user_t, podman_conmon_exec_t, podman_conmon_user_t)
668 +
669 # required by slirp4netns
670 files_mounton_etc_dirs(podman_user_t)
671 # required by slirp4netns
672 @@ -110,3 +134,137 @@ ifdef(`init_systemd',`
673 systemd_list_journal_dirs(podman_user_t)
674 systemd_read_journal_files(podman_user_t)
675 ')
676 +
677 +########################################
678 +#
679 +# conmon local policy
680 +#
681 +
682 +allow podman_conmon_t self:process signal;
683 +allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource };
684 +allow podman_conmon_t self:cap_userns sys_ptrace;
685 +allow podman_conmon_t self:fifo_file { rw_fifo_file_perms setattr };
686 +allow podman_conmon_t self:unix_dgram_socket create_socket_perms;
687 +dontaudit podman_conmon_t self:capability net_admin;
688 +
689 +# conmon will execute crun/runc to create the container
690 +container_generic_engine_domtrans(podman_conmon_t, podman_t)
691 +podman_domtrans(podman_conmon_t)
692 +
693 +allow podman_conmon_t podman_t:tcp_socket rw_stream_socket_perms;
694 +allow podman_conmon_t podman_t:unix_stream_socket rw_stream_socket_perms;
695 +allow podman_conmon_t podman_t:unix_dgram_socket rw_socket_perms;
696 +ps_process_pattern(podman_conmon_t, podman_t)
697 +
698 +domain_use_interactive_fds(podman_conmon_t)
699 +
700 +fs_getattr_cgroup(podman_conmon_t)
701 +fs_search_cgroup_dirs(podman_conmon_t)
702 +fs_read_cgroup_files(podman_conmon_t)
703 +fs_watch_cgroup_files(podman_conmon_t)
704 +
705 +fs_getattr_tmpfs(podman_conmon_t)
706 +fs_getattr_xattr_fs(podman_conmon_t)
707 +
708 +logging_send_syslog_msg(podman_conmon_t)
709 +
710 +miscfiles_read_localization(podman_conmon_t)
711 +
712 +userdom_use_user_ptys(podman_conmon_t)
713 +
714 +container_read_system_container_state(podman_conmon_t)
715 +
716 +# to send/receive data from container ttys
717 +container_rw_chr_files(podman_conmon_t)
718 +
719 +container_manage_runtime_files(podman_conmon_t)
720 +container_manage_runtime_fifo_files(podman_conmon_t)
721 +container_manage_runtime_sock_files(podman_conmon_t)
722 +
723 +container_search_var_lib(podman_conmon_t)
724 +container_manage_var_lib_files(podman_conmon_t)
725 +container_manage_var_lib_fifo_files(podman_conmon_t)
726 +container_manage_var_lib_sock_files(podman_conmon_t)
727 +
728 +container_engine_tmp_filetrans(podman_conmon_t, { file sock_file })
729 +container_manage_engine_tmp_files(podman_conmon_t)
730 +container_manage_engine_tmp_sock_files(podman_conmon_t)
731 +
732 +ifdef(`init_systemd',`
733 + init_get_generic_units_status(podman_conmon_t)
734 + init_start_generic_units(podman_conmon_t)
735 + init_start_system(podman_conmon_t)
736 + init_stop_system(podman_conmon_t)
737 +
738 + # conmon can read logs from containers which are
739 + # sent to the system journal
740 + logging_search_logs(podman_conmon_t)
741 + systemd_list_journal_dirs(podman_conmon_t)
742 + systemd_read_journal_files(podman_conmon_t)
743 +')
744 +
745 +optional_policy(`
746 + iptables_domtrans(podman_conmon_t)
747 +')
748 +
749 +########################################
750 +#
751 +# Rootless conmon local policy
752 +#
753 +
754 +allow podman_conmon_user_t self:process signal;
755 +allow podman_conmon_user_t self:cap_userns sys_ptrace;
756 +allow podman_conmon_user_t self:fifo_file { rw_fifo_file_perms setattr };
757 +allow podman_conmon_user_t self:unix_dgram_socket create_socket_perms;
758 +
759 +ps_process_pattern(podman_conmon_user_t, podman_user_t)
760 +allow podman_conmon_user_t podman_user_t:process signal;
761 +allow podman_conmon_user_t podman_user_t:unix_stream_socket rw_stream_socket_perms;
762 +allow podman_conmon_user_t podman_user_t:unix_dgram_socket rw_socket_perms;
763 +
764 +# conmon will execute crun/runc to create the container
765 +container_generic_engine_domtrans(podman_conmon_user_t, podman_user_t)
766 +podman_domtrans_user(podman_conmon_user_t)
767 +
768 +domain_use_interactive_fds(podman_conmon_user_t)
769 +
770 +fs_getattr_cgroup(podman_conmon_user_t)
771 +fs_search_cgroup_dirs(podman_conmon_user_t)
772 +fs_read_cgroup_files(podman_conmon_user_t)
773 +fs_watch_cgroup_files(podman_conmon_user_t)
774 +
775 +fs_getattr_tmpfs(podman_conmon_user_t)
776 +fs_getattr_xattr_fs(podman_conmon_user_t)
777 +
778 +logging_send_syslog_msg(podman_conmon_user_t)
779 +
780 +miscfiles_read_localization(podman_conmon_user_t)
781 +
782 +userdom_use_user_ptys(podman_conmon_user_t)
783 +
784 +container_read_user_container_state(podman_conmon_user_t)
785 +
786 +# to send/receive data from container ttys
787 +container_rw_chr_files(podman_conmon_user_t)
788 +
789 +userdom_search_user_home_dirs(podman_conmon_user_t)
790 +xdg_search_data_dirs(podman_conmon_user_t)
791 +container_manage_home_data_files(podman_conmon_user_t)
792 +container_manage_home_data_fifo_files(podman_conmon_user_t)
793 +container_manage_home_data_sock_files(podman_conmon_user_t)
794 +
795 +userdom_search_user_runtime_root(podman_conmon_user_t)
796 +userdom_search_user_runtime(podman_conmon_user_t)
797 +container_manage_user_runtime_files(podman_conmon_user_t)
798 +
799 +container_engine_tmp_filetrans(podman_conmon_user_t, { file sock_file })
800 +container_manage_engine_tmp_files(podman_conmon_user_t)
801 +container_manage_engine_tmp_sock_files(podman_conmon_user_t)
802 +
803 +ifdef(`init_systemd',`
804 + # conmon can read logs from containers which are
805 + # sent to the system journal
806 + logging_search_logs(podman_conmon_user_t)
807 + systemd_list_journal_dirs(podman_conmon_user_t)
808 + systemd_read_journal_files(podman_conmon_user_t)
809 +')
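Review bot: The conmon local policy calls `container_manage_runtime_files`, `container_manage_runtime_fifo_files` and `container_manage_runtime_sock_files` for `podman_conmon_t` but never `container_search_runtime`, which this commit adds to container.if and which is the only interface in the commit carrying `files_search_runtime`; the /var/lib group directly above is paired with `container_search_var_lib(podman_conmon_t)`, so the runtime group looks like an omission unless conmon only reaches those objects through descriptors inherited from podman. Adding `container_search_runtime(podman_conmon_t)` before the three manage calls keeps the two groups consistent. Separately, `allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource };` and the `dontaudit podman_conmon_t self:capability net_admin;` line carry no comment on what triggers them, and the same applies to the `allow podman_conmon_t podman_t:tcp_socket rw_stream_socket_perms;` rule; refpolicy normally records the reason next to such grants, e.g. `# sys_ptrace: read /proc/<pid> of container processes owned by other UIDs -- confirm`. Note also that `container_generic_engine_domtrans(podman_conmon_t, podman_t)` runs crun/runc in `podman_t` itself rather than in a dedicated runtime domain; a comment acknowledging that the OCI runtime shares the engine's full privilege set would document that trade-off for future readers.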