From a9fdee204947df071be67a4b1016314b76da23c6 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Tue, 28 Mar 2023 10:18:28 -0500
Subject: [PATCH] More SELinux policy patches for Podman
---
 ...Allow-containers-to-use-fd-from-init.patch | 27 +++++++++++++
 ...podman-to-use-fd-inherited-from-init.patch | 24 ++++++++++++
 ...podman-to-validate-security-contexts.patch | 28 ++++++++++++++
 ...an-Allow-conmon-to-signal-containers.patch | 38 +++++++++++++++++++
 .../patches/sec-policy/selinux-container | 1 +
 5 files changed, 118 insertions(+)
 create mode 100644 yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0009-container-Allow-containers-to-use-fd-from-init.patch
 create mode 100644 yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0009-podman-Allow-podman-to-use-fd-inherited-from-init.patch
 create mode 100644 yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0010-Allow-podman-to-validate-security-contexts.patch
 create mode 100644 yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0011-podman-Allow-conmon-to-signal-containers.patch
 create mode 120000 yellow/portage/target/etc/portage/patches/sec-policy/selinux-container
diff --git a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0009-container-Allow-containers-to-use-fd-from-init.patch b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0009-container-Allow-containers-to-use-fd-from-init.patch
new file mode 100644
index 0000000..4adb0a3
--- /dev/null
+++ b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0009-container-Allow-containers-to-use-fd-from-init.patch
@@ -0,0 +1,27 @@
+From a13c332aed1cf9b54a3644c6d5cf1f9cd187b211 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch"
+Date: Sun, 26 Mar 2023 14:56:02 -0500
+Subject: [PATCH] container: Allow containers to use fd from init
+
+Containers run as systemd units need to be able to use the file
+descriptors inherited from systemd for standard input/output/error.
+---
+ refpolicy/policy/modules/services/container.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/refpolicy/policy/modules/services/container.te b/refpolicy/policy/modules/services/container.te
+index 534d6f4..d519177 100644
+--- a/refpolicy/policy/modules/services/container.te
++++ b/refpolicy/policy/modules/services/container.te
+@@ -301,6 +301,8 @@ clock_read_adjtime(container_domain)
+ 
+ init_read_utmp(container_domain)
+ init_dontaudit_write_utmp(container_domain)
++init_use_fds(container_domain)
++init_rw_stream_sockets(container_domain)
+ 
+ libs_dontaudit_setattr_lib_files(container_domain)
+ 
+-- 
+2.39.0
+
diff --git a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0009-podman-Allow-podman-to-use-fd-inherited-from-init.patch b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0009-podman-Allow-podman-to-use-fd-inherited-from-init.patch
new file mode 100644
index 0000000..006a872
--- /dev/null
+++ b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0009-podman-Allow-podman-to-use-fd-inherited-from-init.patch
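Review bot: The commit body of this patch justifies only the inherited stdio descriptors, yet the inner hunk at `+@@ -301,6 +301,8 @@` adds a second rule, `init_rw_stream_sockets(container_domain)`, that the rationale does not cover; it grants read/write on init's unix stream sockets to every domain carrying the container_domain attribute, not only to containers started as systemd units. Either hold that rule back until a denial shows it is needed, or record the denial in the message the way the 0010 and 0011 patches do, e.g. `Also allow read/write on init's stream sockets (AVC: <paste denial here>)`. Because both rules attach to the attribute they also reach container domains that are never run from systemd; if the policy has a narrower type for systemd-run containers (not visible from here), attaching the rules there would keep the grant as small as the stated need. This patch and the 0009-podman patch share the `0009-` prefix; Portage applies them in lexicographic order so both still apply, but a unique number per patch keeps the series order unambiguous.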
@@ -0,0 +1,24 @@
+From a2cf7311a5d50c6585c63b6602e7841b23aacfdd Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch"
+Date: Sun, 26 Mar 2023 14:56:02 -0500
+Subject: [PATCH] podman: Allow podman to use fd inherited from init
+
+---
+ refpolicy/policy/modules/services/podman.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/refpolicy/policy/modules/services/podman.te b/refpolicy/policy/modules/services/podman.te
+index d06e9f9..9ead6ba 100644
+--- a/refpolicy/policy/modules/services/podman.te
++++ b/refpolicy/policy/modules/services/podman.te
+@@ -72,6 +72,7 @@ ifdef(`init_systemd',`
+ init_stop_transient_units(podman_t)
+ 
+ init_rw_stream_sockets(podman_t)
++ init_use_fds(podman_t)
+ 
+ # podman can read logs from containers which are
+ # sent to the system journal
+-- 
+2.39.0
+
diff --git a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0010-Allow-podman-to-validate-security-contexts.patch b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0010-Allow-podman-to-validate-security-contexts.patch
new file mode 100644
index 0000000..681146c
--- /dev/null
+++ b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0010-Allow-podman-to-validate-security-contexts.patch
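Review bot: This patch carries no commit body at all, while the sibling 0010 and 0011 patches each paste the AVC denial that motivated the rule; the single added line `init_use_fds(podman_t)` deserves the same evidence, e.g. `Needed when podman is started as a systemd unit and inherits stdio from PID 1 (AVC: <paste denial here>)`, so a later reader can tell which unit and which descriptor triggered it. The embedded `+index d06e9f9..9ead6ba 100644` line shows this patch was generated from the same podman.te blob as 0010 (`d06e9f9..41e0ec6`), and 0011 is in turn based on 0010's result (`41e0ec6..222ae2b`), so the series is not linear; `patch` ignores the index hashes and the hunks sit at different offsets, so they should still apply, but regenerating all four from one branch with git format-patch would make the series self-consistent and its numbering unique.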
@@ -0,0 +1,28 @@
+From 370eab5c843f4081aacfe67a1bd6c17bb1973902 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch"
+Date: Sun, 26 Mar 2023 14:59:28 -0500
+Subject: [PATCH] Allow podman to validate security contexts
+
+Addresses this AVC denial:
+
+ avc: denied { write } for pid=244 comm="podman" name="context" dev="selinuxfs" ino=5 scontext=system_u:system_r:podman_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=0
+---
+ refpolicy/policy/modules/services/podman.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/refpolicy/policy/modules/services/podman.te b/refpolicy/policy/modules/services/podman.te
+index d06e9f9..41e0ec6 100644
+--- a/refpolicy/policy/modules/services/podman.te
++++ b/refpolicy/policy/modules/services/podman.te
+@@ -60,6 +60,8 @@ container_manage_sock_files(podman_t)
+ 
+ podman_spec_rangetrans_conmon(podman_t, s0)
+ 
++selinux_validate_context(podman_t)
++
+ ifdef(`init_systemd',`
+ init_dbus_chat(podman_t)
+ init_setsched(podman_t)
+-- 
+2.39.0
+
diff --git a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0011-podman-Allow-conmon-to-signal-containers.patch b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0011-podman-Allow-conmon-to-signal-containers.patch
new file mode 100644
index 0000000..16d76dd
--- /dev/null
+++ b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0011-podman-Allow-conmon-to-signal-containers.patch
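Review bot: The subject line `[PATCH] Allow podman to validate security contexts` drops the `podman:` module prefix that the other three patches in this series use, so the series title list no longer says which module the change touches; `Subject: [PATCH] podman: Allow podman to validate security contexts` keeps the convention. The rule itself is the narrow interface for the pasted denial, which is a write to the selinuxfs `context` node (tcontext security_t, tclass file) used to check whether a label is valid, and it does not alter enforcement state; as far as I can tell from the hunk it is also correctly placed before the init_systemd block at `+@@ -60,6 +60,8 @@`, since context validation is not systemd-specific.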
@@ -0,0 +1,38 @@
+From 51414cb3a2dd02b79ce05842d49d5ff1ff67ef56 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch"
+Date: Sun, 26 Mar 2023 15:03:40 -0500
+Subject: [PATCH] podman: Allow conmon to signal containers
+
+Addresses these AVC denials:
+
+ avc: denied { kill } for pid=274 comm="conmon" capability=5 scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:system_r:podman_conmon_t:s0 tclass=capability permissive=0
+ avc: denied { signal } for pid=278 comm="conmon" scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:system_r:container_t:s0:c273,c333 tclass=process permissive=0
+---
+ refpolicy/policy/modules/services/podman.te | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/refpolicy/policy/modules/services/podman.te b/refpolicy/policy/modules/services/podman.te
+index 41e0ec6..222ae2b 100644
+--- a/refpolicy/policy/modules/services/podman.te
++++ b/refpolicy/policy/modules/services/podman.te
+@@ -191,7 +191,7 @@ ifdef(`init_systemd',`
+ # podman conmon local policy
+ #
+ 
+-allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource };
++allow podman_conmon_t self:capability { dac_override dac_read_search kill sys_ptrace sys_resource };
+ dontaudit podman_conmon_t self:capability net_admin;
+ 
+ podman_domtrans(podman_conmon_t)
+@@ -214,6 +214,8 @@ container_engine_tmp_filetrans(podman_conmon_t, { file sock_file })
+ container_manage_engine_tmp_files(podman_conmon_t)
+ container_manage_engine_tmp_sock_files(podman_conmon_t)
+ 
++container_signal_all_containers(podman_conmon_t)
++
+ ifdef(`init_systemd',`
+ init_get_transient_units_status(podman_conmon_t)
+ init_start_transient_units(podman_conmon_t)
+-- 
+2.39.0
+
diff --git a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-container b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-container
new file mode 120000
index 0000000..999e000
--- /dev/null
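Review bot: The second pasted denial is for the `signal` permission only, but the rule added at `+@@ -214,6 +214,8 @@`, `container_signal_all_containers(podman_conmon_t)`, is chosen by interface name rather than by the exact permission set it expands to, and that expansion is not visible in this hunk; if it grants more than `signal` the message should say so, and if it grants only `signal` then stopping or killing a container will raise a further denial for `sigkill`/`sigstop` that this patch does not anticipate. A one-line note in the commit body such as `container_signal_all_containers covers <permissions> on every container domain; conmon must reach whichever container type it supervises` would record the intended breadth, since the rule reaches all container domains, not just the `container_t` instance in the denial. The `kill` capability added to the self:capability set in the first hunk matches the first denial exactly (tcontext is podman_conmon_t itself) and keeps the list in alphabetical order, which is the refpolicy convention.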
+++ b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-container
@@ -0,0 +1 @@
+selinux-base
\ No newline at end of file