commit: 12977dbcd922fd1bc6175ed523033d08133e7718 |
Author: Kenton Groombridge <me <AT> concord <DOT> sh> |
AuthorDate: Fri Dec 31 19:47:00 2021 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Jan 30 01:12:42 2022 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=12977dbc |
|
container, podman: add policy for conmon |
|
Make conmon run in a separate domain and allow podman types to |
transition to it. |
|
Signed-off-by: Kenton Groombridge <me <AT> concord.sh> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/services/container.if | 406 +++++++++++++++++++++++++++++++++++ |
policy/modules/services/podman.fc | 1 + |
policy/modules/services/podman.if | 98 +++++++++ |
policy/modules/services/podman.te | 162 +++++++++++++- |
4 files changed, 665 insertions(+), 2 deletions(-) |
|
diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if |
23 |
index 92b5a2f7..1c1950c7 100644 |
24 |
--- a/policy/modules/services/container.if |
25 |
+++ b/policy/modules/services/container.if |
26 |
@@ -356,6 +356,52 @@ interface(`container_engine_executable_file',` |
27 |
application_executable_file($1) |
28 |
') |
29 |
|
30 |
+######################################## |
31 |
+## <summary> |
32 |
+## Execute a generic container engine |
33 |
+## executable with an automatic transition |
34 |
+## to a private type. |
35 |
+## </summary> |
36 |
+## <param name="domain"> |
37 |
+## <summary> |
38 |
+## Domain allowed to transition. |
39 |
+## </summary> |
40 |
+## </param> |
41 |
+## <param name="target_domain"> |
42 |
+## <summary> |
43 |
+## The type of the new process. |
44 |
+## </summary> |
45 |
+## </param> |
46 |
+# |
47 |
+interface(`container_generic_engine_domtrans',` |
48 |
+ gen_require(` |
49 |
+ type container_engine_exec_t; |
50 |
+ ') |
51 |
+ |
52 |
+ corecmd_search_bin($1) |
53 |
+ domtrans_pattern($1, container_engine_exec_t, $2) |
54 |
+') |
55 |
+ |
56 |
+######################################## |
57 |
+## <summary> |
58 |
+## Allow the generic container engine |
59 |
+## executables to be an entrypoint |
60 |
+## for the specified domain. |
61 |
+## </summary> |
62 |
+## <param name="domain"> |
63 |
+## <summary> |
64 |
+## Domain allowed access. |
65 |
+## </summary> |
66 |
+## </param> |
67 |
+# |
68 |
+interface(`container_engine_executable_entrypoint',` |
69 |
+ gen_require(` |
70 |
+ type container_engine_exec_t; |
71 |
+ ') |
72 |
+ |
73 |
+ allow $1 container_engine_exec_t:file entrypoint; |
74 |
+') |
75 |
+ |
76 |
######################################## |
77 |
## <summary> |
78 |
## Send and receive messages from |
79 |
@@ -377,6 +423,115 @@ interface(`container_engine_dbus_chat',` |
80 |
allow container_engine_domain $1:dbus send_msg; |
81 |
') |
82 |
|
83 |
+######################################## |
84 |
+## <summary> |
85 |
+## Allow the specified domain to manage |
86 |
+## container engine temporary files. |
87 |
+## </summary> |
88 |
+## <param name="domain"> |
89 |
+## <summary> |
90 |
+## Domain allowed access. |
91 |
+## </summary> |
92 |
+## </param> |
93 |
+# |
94 |
+interface(`container_manage_engine_tmp_files',` |
95 |
+ gen_require(` |
96 |
+ type container_engine_tmp_t; |
97 |
+ ') |
98 |
+ |
99 |
+ files_search_tmp($1) |
100 |
+ allow $1 container_engine_tmp_t:file manage_file_perms; |
101 |
+') |
102 |
+ |
103 |
+######################################## |
104 |
+## <summary> |
105 |
+## Allow the specified domain to manage |
106 |
+## container engine temporary named sockets. |
107 |
+## </summary> |
108 |
+## <param name="domain"> |
109 |
+## <summary> |
110 |
+## Domain allowed access. |
111 |
+## </summary> |
112 |
+## </param> |
113 |
+# |
114 |
+interface(`container_manage_engine_tmp_sock_files',` |
115 |
+ gen_require(` |
116 |
+ type container_engine_tmp_t; |
117 |
+ ') |
118 |
+ |
119 |
+ files_search_tmp($1) |
120 |
+ allow $1 container_engine_tmp_t:sock_file manage_sock_file_perms; |
121 |
+') |
122 |
+ |
123 |
+######################################## |
124 |
+## <summary> |
125 |
+## Allow the specified domain to create |
126 |
+## objects in generic temporary directories |
127 |
+## with an automatic type transition to |
128 |
+## the container engine temporary file type. |
129 |
+## </summary> |
130 |
+## <param name="domain"> |
131 |
+## <summary> |
132 |
+## Domain allowed access. |
133 |
+## </summary> |
134 |
+## </param> |
135 |
+## <param name="object"> |
136 |
+## <summary> |
137 |
+## The object class of the object being created. |
138 |
+## </summary> |
139 |
+## </param> |
140 |
+## <param name="name" optional="true"> |
141 |
+## <summary> |
142 |
+## The name of the object being created. |
143 |
+## </summary> |
144 |
+## </param> |
145 |
+# |
146 |
+interface(`container_engine_tmp_filetrans',` |
147 |
+ gen_require(` |
148 |
+ type container_engine_tmp_t; |
149 |
+ ') |
150 |
+ |
151 |
+ files_tmp_filetrans($1, container_engine_tmp_t, $2, $3) |
152 |
+') |
153 |
+ |
154 |
+######################################## |
155 |
+## <summary> |
156 |
+## Read the process state (/proc/pid) |
157 |
+## of all system containers. |
158 |
+## </summary> |
159 |
+## <param name="domain"> |
160 |
+## <summary> |
161 |
+## Domain allowed access. |
162 |
+## </summary> |
163 |
+## </param> |
164 |
+# |
165 |
+interface(`container_read_system_container_state',` |
166 |
+ gen_require(` |
167 |
+ attribute container_system_domain; |
168 |
+ ') |
169 |
+ |
170 |
+ ps_process_pattern($1, container_system_domain) |
171 |
+') |
172 |
+ |
173 |
+######################################## |
174 |
+## <summary> |
175 |
+## Read the process state (/proc/pid) |
176 |
+## of all user containers. |
177 |
+## </summary> |
178 |
+## <param name="domain"> |
179 |
+## <summary> |
180 |
+## Domain allowed access. |
181 |
+## </summary> |
182 |
+## </param> |
183 |
+# |
184 |
+interface(`container_read_user_container_state',` |
185 |
+ gen_require(` |
186 |
+ attribute container_user_domain; |
187 |
+ ') |
188 |
+ |
189 |
+ ps_process_pattern($1, container_user_domain) |
190 |
+') |
191 |
+ |
192 |
######################################## |
193 |
## <summary> |
194 |
## All of the permissions necessary |
195 |
@@ -611,6 +766,25 @@ interface(`container_manage_sock_files',` |
196 |
manage_sock_files_pattern($1, container_file_t, container_file_t) |
197 |
') |
198 |
|
199 |
+######################################## |
200 |
+## <summary> |
201 |
+## Allow the specified domain to read |
202 |
+## and write container chr files. |
203 |
+## </summary> |
204 |
+## <param name="domain"> |
205 |
+## <summary> |
206 |
+## Domain allowed access. |
207 |
+## </summary> |
208 |
+## </param> |
209 |
+# |
210 |
+interface(`container_rw_chr_files',` |
211 |
+ gen_require(` |
212 |
+ type container_file_t; |
213 |
+ ') |
214 |
+ |
215 |
+ allow $1 container_file_t:chr_file rw_chr_file_perms; |
216 |
+') |
217 |
+ |
218 |
######################################## |
219 |
## <summary> |
220 |
## Do not audit attempts to read |
221 |
@@ -701,6 +875,65 @@ interface(`container_config_home_filetrans',` |
222 |
xdg_config_filetrans($1, container_conf_home_t, $2, $3) |
223 |
') |
224 |
|
225 |
+######################################## |
226 |
+## <summary> |
227 |
+## Allow the specified domain to |
228 |
+## manage container data home files. |
229 |
+## </summary> |
230 |
+## <param name="domain"> |
231 |
+## <summary> |
232 |
+## Domain allowed access. |
233 |
+## </summary> |
234 |
+## </param> |
235 |
+# |
236 |
+interface(`container_manage_home_data_files',` |
237 |
+ gen_require(` |
238 |
+ type container_data_home_t; |
239 |
+ ') |
240 |
+ |
241 |
+ manage_files_pattern($1, container_data_home_t, container_data_home_t) |
242 |
+') |
243 |
+ |
244 |
+######################################## |
245 |
+## <summary> |
246 |
+## Allow the specified domain to |
247 |
+## manage container data home named |
248 |
+## pipes. |
249 |
+## </summary> |
250 |
+## <param name="domain"> |
251 |
+## <summary> |
252 |
+## Domain allowed access. |
253 |
+## </summary> |
254 |
+## </param> |
255 |
+# |
256 |
+interface(`container_manage_home_data_fifo_files',` |
257 |
+ gen_require(` |
258 |
+ type container_data_home_t; |
259 |
+ ') |
260 |
+ |
261 |
+ manage_fifo_files_pattern($1, container_data_home_t, container_data_home_t) |
262 |
+') |
263 |
+ |
264 |
+######################################## |
265 |
+## <summary> |
266 |
+## Allow the specified domain to |
267 |
+## manage container data home named |
268 |
+## sockets. |
269 |
+## </summary> |
270 |
+## <param name="domain"> |
271 |
+## <summary> |
272 |
+## Domain allowed access. |
273 |
+## </summary> |
274 |
+## </param> |
275 |
+# |
276 |
+interface(`container_manage_home_data_sock_files',` |
277 |
+ gen_require(` |
278 |
+ type container_data_home_t; |
279 |
+ ') |
280 |
+ |
281 |
+ manage_sock_files_pattern($1, container_data_home_t, container_data_home_t) |
282 |
+') |
283 |
+ |
284 |
######################################## |
285 |
## <summary> |
286 |
## Allow the specified domain to |
287 |
@@ -760,6 +993,179 @@ interface(`container_getattr_fs',` |
288 |
allow $1 container_file_t:filesystem getattr; |
289 |
') |
290 |
|
291 |
+######################################## |
292 |
+## <summary> |
293 |
+## Allow the specified domain to search |
294 |
+## runtime container directories. |
295 |
+## </summary> |
296 |
+## <param name="domain"> |
297 |
+## <summary> |
298 |
+## Domain allowed access. |
299 |
+## </summary> |
300 |
+## </param> |
301 |
+# |
302 |
+interface(`container_search_runtime',` |
303 |
+ gen_require(` |
304 |
+ type container_runtime_t; |
305 |
+ ') |
306 |
+ |
307 |
+ files_search_runtime($1) |
308 |
+ allow $1 container_runtime_t:dir search_dir_perms; |
309 |
+') |
310 |
+ |
311 |
+######################################## |
312 |
+## <summary> |
313 |
+## Allow the specified domain to manage |
314 |
+## runtime container files. |
315 |
+## </summary> |
316 |
+## <param name="domain"> |
317 |
+## <summary> |
318 |
+## Domain allowed access. |
319 |
+## </summary> |
320 |
+## </param> |
321 |
+# |
322 |
+interface(`container_manage_runtime_files',` |
323 |
+ gen_require(` |
324 |
+ type container_runtime_t; |
325 |
+ ') |
326 |
+ |
327 |
+ manage_files_pattern($1, container_runtime_t, container_runtime_t) |
328 |
+') |
329 |
+ |
330 |
+######################################## |
331 |
+## <summary> |
332 |
+## Allow the specified domain to manage |
333 |
+## runtime container named pipes. |
334 |
+## </summary> |
335 |
+## <param name="domain"> |
336 |
+## <summary> |
337 |
+## Domain allowed access. |
338 |
+## </summary> |
339 |
+## </param> |
340 |
+# |
341 |
+interface(`container_manage_runtime_fifo_files',` |
342 |
+ gen_require(` |
343 |
+ type container_runtime_t; |
344 |
+ ') |
345 |
+ |
346 |
+ manage_fifo_files_pattern($1, container_runtime_t, container_runtime_t) |
347 |
+') |
348 |
+ |
349 |
+######################################## |
350 |
+## <summary> |
351 |
+## Allow the specified domain to manage |
352 |
+## runtime container named sockets. |
353 |
+## </summary> |
354 |
+## <param name="domain"> |
355 |
+## <summary> |
356 |
+## Domain allowed access. |
357 |
+## </summary> |
358 |
+## </param> |
359 |
+# |
360 |
+interface(`container_manage_runtime_sock_files',` |
361 |
+ gen_require(` |
362 |
+ type container_runtime_t; |
363 |
+ ') |
364 |
+ |
365 |
+ manage_sock_files_pattern($1, container_runtime_t, container_runtime_t) |
366 |
+') |
367 |
+ |
368 |
+######################################## |
369 |
+## <summary> |
370 |
+## Allow the specified domain to manage |
371 |
+## user runtime container files. |
372 |
+## </summary> |
373 |
+## <param name="domain"> |
374 |
+## <summary> |
375 |
+## Domain allowed access. |
376 |
+## </summary> |
377 |
+## </param> |
378 |
+# |
379 |
+interface(`container_manage_user_runtime_files',` |
380 |
+ gen_require(` |
381 |
+ type container_user_runtime_t; |
382 |
+ ') |
383 |
+ |
384 |
+ manage_files_pattern($1, container_user_runtime_t, container_user_runtime_t) |
385 |
+') |
386 |
+ |
387 |
+######################################## |
388 |
+## <summary> |
389 |
+## Allow the specified domain to search |
390 |
+## container directories in /var/lib. |
391 |
+## </summary> |
392 |
+## <param name="domain"> |
393 |
+## <summary> |
394 |
+## Domain allowed access. |
395 |
+## </summary> |
396 |
+## </param> |
397 |
+# |
398 |
+interface(`container_search_var_lib',` |
399 |
+ gen_require(` |
400 |
+ type container_var_lib_t; |
401 |
+ ') |
402 |
+ |
403 |
+ files_search_var_lib($1) |
404 |
+ allow $1 container_var_lib_t:dir search_dir_perms; |
405 |
+') |
406 |
+ |
407 |
+######################################## |
408 |
+## <summary> |
409 |
+## Allow the specified domain to manage |
410 |
+## container files in /var/lib. |
411 |
+## </summary> |
412 |
+## <param name="domain"> |
413 |
+## <summary> |
414 |
+## Domain allowed access. |
415 |
+## </summary> |
416 |
+## </param> |
417 |
+# |
418 |
+interface(`container_manage_var_lib_files',` |
419 |
+ gen_require(` |
420 |
+ type container_var_lib_t; |
421 |
+ ') |
422 |
+ |
423 |
+ manage_files_pattern($1, container_var_lib_t, container_var_lib_t) |
424 |
+') |
425 |
+ |
426 |
+######################################## |
427 |
+## <summary> |
428 |
+## Allow the specified domain to manage |
429 |
+## container named pipes in /var/lib. |
430 |
+## </summary> |
431 |
+## <param name="domain"> |
432 |
+## <summary> |
433 |
+## Domain allowed access. |
434 |
+## </summary> |
435 |
+## </param> |
436 |
+# |
437 |
+interface(`container_manage_var_lib_fifo_files',` |
438 |
+ gen_require(` |
439 |
+ type container_var_lib_t; |
440 |
+ ') |
441 |
+ |
442 |
+ manage_fifo_files_pattern($1, container_var_lib_t, container_var_lib_t) |
443 |
+') |
444 |
+ |
445 |
+######################################## |
446 |
+## <summary> |
447 |
+## Allow the specified domain to manage |
448 |
+## container named sockets in /var/lib. |
449 |
+## </summary> |
450 |
+## <param name="domain"> |
451 |
+## <summary> |
452 |
+## Domain allowed access. |
453 |
+## </summary> |
454 |
+## </param> |
455 |
+# |
456 |
+interface(`container_manage_var_lib_sock_files',` |
457 |
+ gen_require(` |
458 |
+ type container_var_lib_t; |
459 |
+ ') |
460 |
+ |
461 |
+ manage_sock_files_pattern($1, container_var_lib_t, container_var_lib_t) |
462 |
+') |
463 |
+ |
464 |
######################################## |
465 |
## <summary> |
466 |
## All of the rules required to |
467 |
|
468 |
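Review bot: `container_manage_engine_tmp_files` and `container_manage_engine_tmp_sock_files` in the second hunk grant only `file`/`sock_file` permissions on `container_engine_tmp_t` plus `files_search_tmp`, so a caller can reach those objects only when they sit directly in a generic tmp directory, whereas every other manage interface added by this commit (`container_manage_runtime_files`, `container_manage_var_lib_files`, the `home_data` ones) uses `manage_*_pattern`, which also covers directories of the target type. If `container_engine_tmp_t` is only ever applied to files and sockets (the podman.te callers pass `{ file sock_file }` to `container_engine_tmp_filetrans`), a one-line comment above the `allow` stating that would justify the narrower form; otherwise `manage_files_pattern($1, container_engine_tmp_t, container_engine_tmp_t)` and `manage_sock_files_pattern($1, container_engine_tmp_t, container_engine_tmp_t)` would keep the set consistent. Either way a reader should not have to guess which of the two shapes was intended.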
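--- a/policy/modules/services/podman.fc
+++ b/policy/modules/services/podman.fc
@@ -1 +1,2 @@
 /usr/bin/podman	--	gen_context(system_u:object_r:podman_exec_t,s0)
+/usr/bin/conmon	--	gen_context(system_u:object_r:podman_conmon_exec_t,s0)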
diff --git a/policy/modules/services/podman.if b/policy/modules/services/podman.if |
477 |
index a57ca9dc..3d03884e 100644 |
478 |
--- a/policy/modules/services/podman.if |
479 |
+++ b/policy/modules/services/podman.if |
480 |
@@ -94,6 +94,100 @@ interface(`podman_run_user',` |
481 |
podman_domtrans_user($1) |
482 |
') |
483 |
|
484 |
+######################################## |
485 |
+## <summary> |
486 |
+## Execute conmon in the conmon domain. |
487 |
+## </summary> |
488 |
+## <param name="domain"> |
489 |
+## <summary> |
490 |
+## Domain allowed to transition. |
491 |
+## </summary> |
492 |
+## </param> |
493 |
+# |
494 |
+interface(`podman_domtrans_conmon',` |
495 |
+ gen_require(` |
496 |
+ type podman_conmon_t, podman_conmon_exec_t; |
497 |
+ ') |
498 |
+ |
499 |
+ corecmd_search_bin($1) |
500 |
+ domtrans_pattern($1, podman_conmon_exec_t, podman_conmon_t) |
501 |
+') |
502 |
+ |
503 |
+######################################## |
504 |
+## <summary> |
505 |
+## Execute conmon in the conmon domain, |
506 |
+## and allow the specified role the |
507 |
+## conmon domain. |
508 |
+## </summary> |
509 |
+## <param name="domain"> |
510 |
+## <summary> |
511 |
+## Domain allowed to transition. |
512 |
+## </summary> |
513 |
+## </param> |
514 |
+## <param name="role"> |
515 |
+## <summary> |
516 |
+## The role to be allowed the conmon domain. |
517 |
+## </summary> |
518 |
+## </param> |
519 |
+# |
520 |
+interface(`podman_run_conmon',` |
521 |
+ gen_require(` |
522 |
+ type podman_conmon_t; |
523 |
+ ') |
524 |
+ |
525 |
+ role $2 types podman_conmon_t; |
526 |
+ |
527 |
+ podman_domtrans_conmon($1) |
528 |
+') |
529 |
+ |
530 |
+######################################## |
531 |
+## <summary> |
532 |
+## Execute conmon in the conmon user |
533 |
+## domain (rootless podman). |
534 |
+## </summary> |
535 |
+## <param name="domain"> |
536 |
+## <summary> |
537 |
+## Domain allowed to transition. |
538 |
+## </summary> |
539 |
+## </param> |
540 |
+# |
541 |
+interface(`podman_domtrans_conmon_user',` |
542 |
+ gen_require(` |
543 |
+ type podman_conmon_user_t, podman_conmon_exec_t; |
544 |
+ ') |
545 |
+ |
546 |
+ corecmd_search_bin($1) |
547 |
+ domtrans_pattern($1, podman_conmon_exec_t, podman_conmon_user_t) |
548 |
+') |
549 |
+ |
550 |
+######################################## |
551 |
+## <summary> |
552 |
+## Execute conmon in the conmon user |
553 |
+## domain, and allow the specified role |
554 |
+## the conmon user domain (rootless |
555 |
+## podman). |
556 |
+## </summary> |
557 |
+## <param name="domain"> |
558 |
+## <summary> |
559 |
+## Domain allowed to transition. |
560 |
+## </summary> |
561 |
+## </param> |
562 |
+## <param name="role"> |
563 |
+## <summary> |
564 |
+## The role to be allowed the conmon domain. |
565 |
+## </summary> |
566 |
+## </param> |
567 |
+# |
568 |
+interface(`podman_run_conmon_user',` |
569 |
+ gen_require(` |
570 |
+ type podman_conmon_user_t; |
571 |
+ ') |
572 |
+ |
573 |
+ role $2 types podman_conmon_user_t; |
574 |
+ |
575 |
+ podman_domtrans_conmon_user($1) |
576 |
+') |
577 |
+ |
578 |
######################################## |
579 |
## <summary> |
580 |
## Role access for rootless podman. |
581 |
@@ -124,9 +218,11 @@ interface(`podman_run_user',` |
582 |
template(`podman_user_role',` |
583 |
gen_require(` |
584 |
type podman_user_t; |
585 |
+ type podman_conmon_user_t; |
586 |
') |
587 |
|
588 |
podman_run_user($3, $4) |
589 |
+ podman_run_conmon_user($3, $4) |
590 |
|
591 |
optional_policy(` |
592 |
dbus_spec_session_bus_client($1, podman_user_t) |
593 |
@@ -134,6 +230,7 @@ template(`podman_user_role',` |
594 |
|
595 |
optional_policy(` |
596 |
systemd_user_app_status($1, podman_user_t) |
597 |
+ systemd_user_app_status($1, podman_conmon_user_t) |
598 |
') |
599 |
') |
600 |
|
601 |
@@ -157,4 +254,5 @@ template(`podman_user_role',` |
602 |
# |
603 |
interface(`podman_admin',` |
604 |
podman_run($1, $2) |
605 |
+ podman_run_conmon($1, $2) |
606 |
') |
607 |
|
608 |
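Review bot: The `role` parameter summary of `podman_run_conmon_user` says "The role to be allowed the conmon domain", but the interface assigns `podman_conmon_user_t`, not `podman_conmon_t`, so the text should read `## The role to be allowed the conmon user domain.` to match the interface's own summary two blocks up. The same wording in `podman_run_conmon` is correct as written. Since `podman_admin` now calls `podman_run_conmon($1, $2)`, its existing summary (outside this hunk) may also need a word noting that the admin role gains the rootful conmon domain.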
diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te |
609 |
index 2bdd2f27..6efd2cd1 100644 |
610 |
--- a/policy/modules/services/podman.te |
611 |
+++ b/policy/modules/services/podman.te |
612 |
@@ -17,14 +17,30 @@ ifdef(`enable_mls',` |
613 |
mls_trusted_object(podman_t) |
614 |
|
615 |
container_engine_domain_template(podman_user) |
616 |
+container_user_engine(podman_user_t) |
617 |
application_domain(podman_user_t, podman_exec_t) |
618 |
mls_trusted_object(podman_user_t) |
619 |
|
620 |
+type podman_conmon_t; |
621 |
+type podman_conmon_exec_t; |
622 |
+application_domain(podman_conmon_t, podman_conmon_exec_t) |
623 |
+ |
624 |
+type podman_conmon_user_t; |
625 |
+application_domain(podman_conmon_user_t, podman_conmon_exec_t) |
626 |
+ |
627 |
######################################## |
628 |
# |
629 |
# Podman local policy |
630 |
# |
631 |
|
632 |
+allow podman_t podman_conmon_t:process { setsched signull }; |
633 |
+allow podman_t podman_conmon_t:fifo_file setattr; |
634 |
+allow podman_t podman_conmon_t:unix_stream_socket { connectto rw_stream_socket_perms }; |
635 |
+ |
636 |
+container_engine_executable_entrypoint(podman_t) |
637 |
+ |
638 |
+domtrans_pattern(podman_t, podman_conmon_exec_t, podman_conmon_t) |
639 |
+ |
640 |
logging_send_syslog_msg(podman_t) |
641 |
|
642 |
userdom_list_user_home_content(podman_t) |
643 |
@@ -38,11 +54,11 @@ userdom_relabel_generic_user_home_files(podman_t) |
644 |
container_config_home_filetrans(podman_t, dir) |
645 |
container_manage_home_config(podman_t) |
646 |
|
647 |
+container_manage_sock_files(podman_t) |
648 |
+ |
649 |
ifdef(`init_systemd',` |
650 |
init_dbus_chat(podman_t) |
651 |
init_setsched(podman_t) |
652 |
- init_get_generic_units_status(podman_t) |
653 |
- init_start_generic_units(podman_t) |
654 |
init_start_system(podman_t) |
655 |
init_stop_system(podman_t) |
656 |
|
657 |
@@ -58,6 +74,14 @@ ifdef(`init_systemd',` |
658 |
# Rootless Podman local policy |
659 |
# |
660 |
|
661 |
+allow podman_user_t podman_conmon_user_t:process signull; |
662 |
+allow podman_user_t podman_conmon_user_t:fifo_file setattr; |
663 |
+allow podman_user_t podman_conmon_user_t:unix_stream_socket { connectto rw_stream_socket_perms }; |
664 |
+ |
665 |
+container_engine_executable_entrypoint(podman_user_t) |
666 |
+ |
667 |
+domtrans_pattern(podman_user_t, podman_conmon_exec_t, podman_conmon_user_t) |
668 |
+ |
669 |
# required by slirp4netns |
670 |
files_mounton_etc_dirs(podman_user_t) |
671 |
# required by slirp4netns |
672 |
@@ -110,3 +134,137 @@ ifdef(`init_systemd',` |
673 |
systemd_list_journal_dirs(podman_user_t) |
674 |
systemd_read_journal_files(podman_user_t) |
675 |
') |
676 |
+ |
677 |
+######################################## |
678 |
+# |
679 |
+# conmon local policy |
680 |
+# |
681 |
+ |
682 |
+allow podman_conmon_t self:process signal; |
683 |
+allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource }; |
684 |
+allow podman_conmon_t self:cap_userns sys_ptrace; |
685 |
+allow podman_conmon_t self:fifo_file { rw_fifo_file_perms setattr }; |
686 |
+allow podman_conmon_t self:unix_dgram_socket create_socket_perms; |
687 |
+dontaudit podman_conmon_t self:capability net_admin; |
688 |
+ |
689 |
+# conmon will execute crun/runc to create the container |
690 |
+container_generic_engine_domtrans(podman_conmon_t, podman_t) |
691 |
+podman_domtrans(podman_conmon_t) |
692 |
+ |
693 |
+allow podman_conmon_t podman_t:tcp_socket rw_stream_socket_perms; |
694 |
+allow podman_conmon_t podman_t:unix_stream_socket rw_stream_socket_perms; |
695 |
+allow podman_conmon_t podman_t:unix_dgram_socket rw_socket_perms; |
696 |
+ps_process_pattern(podman_conmon_t, podman_t) |
697 |
+ |
698 |
+domain_use_interactive_fds(podman_conmon_t) |
699 |
+ |
700 |
+fs_getattr_cgroup(podman_conmon_t) |
701 |
+fs_search_cgroup_dirs(podman_conmon_t) |
702 |
+fs_read_cgroup_files(podman_conmon_t) |
703 |
+fs_watch_cgroup_files(podman_conmon_t) |
704 |
+ |
705 |
+fs_getattr_tmpfs(podman_conmon_t) |
706 |
+fs_getattr_xattr_fs(podman_conmon_t) |
707 |
+ |
708 |
+logging_send_syslog_msg(podman_conmon_t) |
709 |
+ |
710 |
+miscfiles_read_localization(podman_conmon_t) |
711 |
+ |
712 |
+userdom_use_user_ptys(podman_conmon_t) |
713 |
+ |
714 |
+container_read_system_container_state(podman_conmon_t) |
715 |
+ |
716 |
+# to send/receive data from container ttys |
717 |
+container_rw_chr_files(podman_conmon_t) |
718 |
+ |
719 |
+container_manage_runtime_files(podman_conmon_t) |
720 |
+container_manage_runtime_fifo_files(podman_conmon_t) |
721 |
+container_manage_runtime_sock_files(podman_conmon_t) |
722 |
+ |
723 |
+container_search_var_lib(podman_conmon_t) |
724 |
+container_manage_var_lib_files(podman_conmon_t) |
725 |
+container_manage_var_lib_fifo_files(podman_conmon_t) |
726 |
+container_manage_var_lib_sock_files(podman_conmon_t) |
727 |
+ |
728 |
+container_engine_tmp_filetrans(podman_conmon_t, { file sock_file }) |
729 |
+container_manage_engine_tmp_files(podman_conmon_t) |
730 |
+container_manage_engine_tmp_sock_files(podman_conmon_t) |
731 |
+ |
732 |
+ifdef(`init_systemd',` |
733 |
+ init_get_generic_units_status(podman_conmon_t) |
734 |
+ init_start_generic_units(podman_conmon_t) |
735 |
+ init_start_system(podman_conmon_t) |
736 |
+ init_stop_system(podman_conmon_t) |
737 |
+ |
738 |
+ # conmon can read logs from containers which are |
739 |
+ # sent to the system journal |
740 |
+ logging_search_logs(podman_conmon_t) |
741 |
+ systemd_list_journal_dirs(podman_conmon_t) |
742 |
+ systemd_read_journal_files(podman_conmon_t) |
743 |
+') |
744 |
+ |
745 |
+optional_policy(` |
746 |
+ iptables_domtrans(podman_conmon_t) |
747 |
+') |
748 |
+ |
749 |
+######################################## |
750 |
+# |
751 |
+# Rootless conmon local policy |
752 |
+# |
753 |
+ |
754 |
+allow podman_conmon_user_t self:process signal; |
755 |
+allow podman_conmon_user_t self:cap_userns sys_ptrace; |
756 |
+allow podman_conmon_user_t self:fifo_file { rw_fifo_file_perms setattr }; |
757 |
+allow podman_conmon_user_t self:unix_dgram_socket create_socket_perms; |
758 |
+ |
759 |
+ps_process_pattern(podman_conmon_user_t, podman_user_t) |
760 |
+allow podman_conmon_user_t podman_user_t:process signal; |
761 |
+allow podman_conmon_user_t podman_user_t:unix_stream_socket rw_stream_socket_perms; |
762 |
+allow podman_conmon_user_t podman_user_t:unix_dgram_socket rw_socket_perms; |
763 |
+ |
764 |
+# conmon will execute crun/runc to create the container |
765 |
+container_generic_engine_domtrans(podman_conmon_user_t, podman_user_t) |
766 |
+podman_domtrans_user(podman_conmon_user_t) |
767 |
+ |
768 |
+domain_use_interactive_fds(podman_conmon_user_t) |
769 |
+ |
770 |
+fs_getattr_cgroup(podman_conmon_user_t) |
771 |
+fs_search_cgroup_dirs(podman_conmon_user_t) |
772 |
+fs_read_cgroup_files(podman_conmon_user_t) |
773 |
+fs_watch_cgroup_files(podman_conmon_user_t) |
774 |
+ |
775 |
+fs_getattr_tmpfs(podman_conmon_user_t) |
776 |
+fs_getattr_xattr_fs(podman_conmon_user_t) |
777 |
+ |
778 |
+logging_send_syslog_msg(podman_conmon_user_t) |
779 |
+ |
780 |
+miscfiles_read_localization(podman_conmon_user_t) |
781 |
+ |
782 |
+userdom_use_user_ptys(podman_conmon_user_t) |
783 |
+ |
784 |
+container_read_user_container_state(podman_conmon_user_t) |
785 |
+ |
786 |
+# to send/receive data from container ttys |
787 |
+container_rw_chr_files(podman_conmon_user_t) |
788 |
+ |
789 |
+userdom_search_user_home_dirs(podman_conmon_user_t) |
790 |
+xdg_search_data_dirs(podman_conmon_user_t) |
791 |
+container_manage_home_data_files(podman_conmon_user_t) |
792 |
+container_manage_home_data_fifo_files(podman_conmon_user_t) |
793 |
+container_manage_home_data_sock_files(podman_conmon_user_t) |
794 |
+ |
795 |
+userdom_search_user_runtime_root(podman_conmon_user_t) |
796 |
+userdom_search_user_runtime(podman_conmon_user_t) |
797 |
+container_manage_user_runtime_files(podman_conmon_user_t) |
798 |
+ |
799 |
+container_engine_tmp_filetrans(podman_conmon_user_t, { file sock_file }) |
800 |
+container_manage_engine_tmp_files(podman_conmon_user_t) |
801 |
+container_manage_engine_tmp_sock_files(podman_conmon_user_t) |
802 |
+ |
803 |
+ifdef(`init_systemd',` |
804 |
+ # conmon can read logs from containers which are |
805 |
+ # sent to the system journal |
806 |
+ logging_search_logs(podman_conmon_user_t) |
807 |
+ systemd_list_journal_dirs(podman_conmon_user_t) |
808 |
+ systemd_read_journal_files(podman_conmon_user_t) |
809 |
+') |