More SELinux policy patches for Podman

2023-03-28 10:18:28 -05:00 · 2023-03-28 10:18:28 -05:00 · a9fdee2049
parent 5fef6f1665
commit a9fdee2049
5 changed files with 118 additions and 0 deletions
--- a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0009-container-Allow-containers-to-use-fd-from-init.patch
+++ b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0009-container-Allow-containers-to-use-fd-from-init.patch
@ -0,0 +1,27 @@
+From a13c332aed1cf9b54a3644c6d5cf1f9cd187b211 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Sun, 26 Mar 2023 14:56:02 -0500
+Subject: [PATCH] container: Allow containers to use fd from init
+
+Containers run as systemd units need to be able to use the file
+descriptors inherited from systemd for standard input/output/error.
+---
+ refpolicy/policy/modules/services/container.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/refpolicy/policy/modules/services/container.te b/refpolicy/policy/modules/services/container.te
+index 534d6f4..d519177 100644
+--- a/refpolicy/policy/modules/services/container.te
+++ b/refpolicy/policy/modules/services/container.te
+@@ -301,6 +301,8 @@ clock_read_adjtime(container_domain)
+ 
+ init_read_utmp(container_domain)
+ init_dontaudit_write_utmp(container_domain)
+init_use_fds(container_domain)
+init_rw_stream_sockets(container_domain)
+ 
+ libs_dontaudit_setattr_lib_files(container_domain)
+ 
+-- 
+2.39.0
+
--- a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0009-podman-Allow-podman-to-use-fd-inherited-from-init.patch
+++ b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0009-podman-Allow-podman-to-use-fd-inherited-from-init.patch
@ -0,0 +1,24 @@
+From a2cf7311a5d50c6585c63b6602e7841b23aacfdd Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Sun, 26 Mar 2023 14:56:02 -0500
+Subject: [PATCH] podman: Allow podman to use fd inherited from init
+
+---
+ refpolicy/policy/modules/services/podman.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/refpolicy/policy/modules/services/podman.te b/refpolicy/policy/modules/services/podman.te
+index d06e9f9..9ead6ba 100644
+--- a/refpolicy/policy/modules/services/podman.te
+++ b/refpolicy/policy/modules/services/podman.te
+@@ -72,6 +72,7 @@ ifdef(`init_systemd',`
+ 	init_stop_transient_units(podman_t)
+ 
+ 	init_rw_stream_sockets(podman_t)
+	init_use_fds(podman_t)
+ 
+ 	# podman can read logs from containers which are
+ 	# sent to the system journal
+-- 
+2.39.0
+
--- a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0010-Allow-podman-to-validate-security-contexts.patch
+++ b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0010-Allow-podman-to-validate-security-contexts.patch
@ -0,0 +1,28 @@
+From 370eab5c843f4081aacfe67a1bd6c17bb1973902 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Sun, 26 Mar 2023 14:59:28 -0500
+Subject: [PATCH] Allow podman to validate security contexts
+
+Addresses this AVC denial:
+
+    avc:  denied  { write } for  pid=244 comm="podman" name="context" dev="selinuxfs" ino=5 scontext=system_u:system_r:podman_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=0
+---
+ refpolicy/policy/modules/services/podman.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/refpolicy/policy/modules/services/podman.te b/refpolicy/policy/modules/services/podman.te
+index d06e9f9..41e0ec6 100644
+--- a/refpolicy/policy/modules/services/podman.te
+++ b/refpolicy/policy/modules/services/podman.te
+@@ -60,6 +60,8 @@ container_manage_sock_files(podman_t)
+ 
+ podman_spec_rangetrans_conmon(podman_t, s0)
+ 
+selinux_validate_context(podman_t)
+
+ ifdef(`init_systemd',`
+ 	init_dbus_chat(podman_t)
+ 	init_setsched(podman_t)
+-- 
+2.39.0
+
--- a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0011-podman-Allow-conmon-to-signal-containers.patch
+++ b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0011-podman-Allow-conmon-to-signal-containers.patch
@ -0,0 +1,38 @@
+From 51414cb3a2dd02b79ce05842d49d5ff1ff67ef56 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch" <dustin@hatch.name>
+Date: Sun, 26 Mar 2023 15:03:40 -0500
+Subject: [PATCH] podman: Allow conmon to signal containers
+
+Addresses these AVC denials:
+
+    avc:  denied  { kill } for  pid=274 comm="conmon" capability=5  scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:system_r:podman_conmon_t:s0 tclass=capability permissive=0
+    avc:  denied  { signal } for  pid=278 comm="conmon" scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:system_r:container_t:s0:c273,c333 tclass=process permissive=0
+---
+ refpolicy/policy/modules/services/podman.te | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/refpolicy/policy/modules/services/podman.te b/refpolicy/policy/modules/services/podman.te
+index 41e0ec6..222ae2b 100644
+--- a/refpolicy/policy/modules/services/podman.te
+++ b/refpolicy/policy/modules/services/podman.te
+@@ -191,7 +191,7 @@ ifdef(`init_systemd',`
+ # podman conmon local policy
+ #
+ 
+-allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource };
+allow podman_conmon_t self:capability { dac_override dac_read_search kill sys_ptrace sys_resource };
+ dontaudit podman_conmon_t self:capability net_admin;
+ 
+ podman_domtrans(podman_conmon_t)
+@@ -214,6 +214,8 @@ container_engine_tmp_filetrans(podman_conmon_t, { file sock_file })
+ container_manage_engine_tmp_files(podman_conmon_t)
+ container_manage_engine_tmp_sock_files(podman_conmon_t)
+ 
+container_signal_all_containers(podman_conmon_t)
+
+ ifdef(`init_systemd',`
+ 	init_get_transient_units_status(podman_conmon_t)
+ 	init_start_transient_units(podman_conmon_t)
+-- 
+2.39.0
+
--- a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-container
+++ b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-container
@ -0,0 +1 @@
+selinux-base