SELinux policy patches for Podman
* Allow crun to fchown stdio sockets inherited from init * Allow podman-system-generator to read /etc/containers/systemdgentoo
parent
2046a2d2dd
commit
aae933e105
|
|
@ -1,4 +1,4 @@
|
|||
From 45fbe472c6d0b8ecf320b4f04ebf6c09ec85ba33 Mon Sep 17 00:00:00 2001
|
||||
From 057c4204fc49abd0d908c71aed8d33ea71d55862 Mon Sep 17 00:00:00 2001
|
||||
From: "Dustin C. Hatch" <dustin@hatch.name>
|
||||
Date: Fri, 3 Mar 2023 15:04:28 -0600
|
||||
Subject: [PATCH] systemd: Fixes for systemd-resolved
|
||||
|
|
@ -8,10 +8,10 @@ Subject: [PATCH] systemd: Fixes for systemd-resolved
|
|||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/refpolicy/policy/modules/system/systemd.te b/refpolicy/policy/modules/system/systemd.te
|
||||
index ef25974..78f2b07 100644
|
||||
index 7cd50f1..a296a7d 100644
|
||||
--- a/refpolicy/policy/modules/system/systemd.te
|
||||
+++ b/refpolicy/policy/modules/system/systemd.te
|
||||
@@ -228,6 +228,7 @@ init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
|
||||
@@ -236,6 +236,7 @@ init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
|
||||
|
||||
type systemd_resolved_runtime_t alias systemd_resolved_var_run_t;
|
||||
files_runtime_file(systemd_resolved_runtime_t)
|
||||
|
|
@ -19,7 +19,7 @@ index ef25974..78f2b07 100644
|
|||
|
||||
type systemd_stdio_bridge_t;
|
||||
type systemd_stdio_bridge_exec_t;
|
||||
@@ -1441,6 +1442,7 @@ corenet_tcp_bind_llmnr_port(systemd_resolved_t)
|
||||
@@ -1500,6 +1501,7 @@ corenet_tcp_bind_llmnr_port(systemd_resolved_t)
|
||||
corenet_udp_bind_generic_node(systemd_resolved_t)
|
||||
corenet_udp_bind_dns_port(systemd_resolved_t)
|
||||
corenet_udp_bind_llmnr_port(systemd_resolved_t)
|
||||
|
|
@ -27,7 +27,7 @@ index ef25974..78f2b07 100644
|
|||
|
||||
selinux_use_status_page(systemd_resolved_t)
|
||||
|
||||
@@ -1452,6 +1454,7 @@ files_list_runtime(systemd_resolved_t)
|
||||
@@ -1511,6 +1513,7 @@ files_list_runtime(systemd_resolved_t)
|
||||
|
||||
fs_getattr_all_fs(systemd_resolved_t)
|
||||
fs_search_cgroup_dirs(systemd_resolved_t)
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From c1510fe7d63665ea133da3b044c2c63a9b104a02 Mon Sep 17 00:00:00 2001
|
||||
From 2f9d6906d2b7bdb58bb83f13e476c7c6c1f8f6dd Mon Sep 17 00:00:00 2001
|
||||
From: "Dustin C. Hatch" <dustin@hatch.name>
|
||||
Date: Sat, 4 Mar 2023 09:57:44 -0600
|
||||
Subject: [PATCH] mount: Allow mounting on etc_t
|
||||
|
|
@ -8,10 +8,10 @@ Subject: [PATCH] mount: Allow mounting on etc_t
|
|||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
|
||||
index d028723..f73cd29 100644
|
||||
index a90273b..05da48a 100644
|
||||
--- a/refpolicy/policy/modules/system/mount.te
|
||||
+++ b/refpolicy/policy/modules/system/mount.te
|
||||
@@ -89,6 +89,7 @@ files_manage_etc_runtime_files(mount_t)
|
||||
@@ -92,6 +92,7 @@ files_manage_etc_runtime_files(mount_t)
|
||||
files_etc_filetrans_etc_runtime(mount_t, file)
|
||||
files_mounton_all_mountpoints(mount_t)
|
||||
files_unmount_rootfs(mount_t)
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 81e1ed4da36c7638f63e78969f70d77f87fb3600 Mon Sep 17 00:00:00 2001
|
||||
From 555b08294fccf2c9462ef2e2f61ad1ae730becad Mon Sep 17 00:00:00 2001
|
||||
From: "Dustin C. Hatch" <dustin@hatch.name>
|
||||
Date: Sat, 4 Mar 2023 10:16:13 -0600
|
||||
Subject: [PATCH] kernel: Mark unlabeled_t as mount point type
|
||||
|
|
@ -8,7 +8,7 @@ Subject: [PATCH] kernel: Mark unlabeled_t as mount point type
|
|||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
|
||||
index 5124ae0..b0d7e8f 100644
|
||||
index ae6222c..c24258f 100644
|
||||
--- a/refpolicy/policy/modules/kernel/kernel.te
|
||||
+++ b/refpolicy/policy/modules/kernel/kernel.te
|
||||
@@ -267,6 +267,7 @@ allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From 552ee711eaba5d9efff087feff23b2e6f6249743 Mon Sep 17 00:00:00 2001
|
||||
From 5f86b48aabef6e2c1a7aa2fdb99a49b27d0629fe Mon Sep 17 00:00:00 2001
|
||||
From: "Dustin C. Hatch" <dustin@hatch.name>
|
||||
Date: Mon, 6 Mar 2023 12:10:19 -0600
|
||||
Subject: [PATCH] Allow systemd-journald list cgroup directories
|
||||
|
|
@ -8,7 +8,7 @@ Subject: [PATCH] Allow systemd-journald list cgroup directories
|
|||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
|
||||
index abd61e6..08f77b5 100644
|
||||
index 69b7aa4..196f3e0 100644
|
||||
--- a/refpolicy/policy/modules/system/logging.te
|
||||
+++ b/refpolicy/policy/modules/system/logging.te
|
||||
@@ -500,6 +500,7 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From bb58cbda2f45ee5d25b44dd256bd3de52bfcc3d8 Mon Sep 17 00:00:00 2001
|
||||
From e33a70e7f5efc37b0b12fda775dd6d805ee5c0e1 Mon Sep 17 00:00:00 2001
|
||||
From: "Dustin C. Hatch" <dustin@hatch.name>
|
||||
Date: Fri, 10 Mar 2023 12:39:41 -0600
|
||||
Subject: [PATCH] Allow systemd to create directories
|
||||
|
|
@ -11,10 +11,10 @@ settings.
|
|||
2 files changed, 32 insertions(+)
|
||||
|
||||
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
|
||||
index f7217b2..9966a21 100644
|
||||
index a895f37..9ec28ce 100644
|
||||
--- a/refpolicy/policy/modules/kernel/files.if
|
||||
+++ b/refpolicy/policy/modules/kernel/files.if
|
||||
@@ -608,6 +608,24 @@ interface(`files_manage_non_security_dirs',`
|
||||
@@ -564,6 +564,24 @@ interface(`files_manage_non_security_dirs',`
|
||||
allow $1 non_security_file_type:dir manage_dir_perms;
|
||||
')
|
||||
|
||||
|
|
@ -40,7 +40,7 @@ index f7217b2..9966a21 100644
|
|||
## <summary>
|
||||
## Create non-security directories.
|
||||
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
|
||||
index 97a75cf..7b44a43 100644
|
||||
index 7249dd1..1ed2e45 100644
|
||||
--- a/refpolicy/policy/modules/system/init.te
|
||||
+++ b/refpolicy/policy/modules/system/init.te
|
||||
@@ -37,6 +37,13 @@ gen_tunable(init_daemons_use_tty, false)
|
||||
|
|
@ -57,7 +57,7 @@ index 97a75cf..7b44a43 100644
|
|||
attribute init_mountpoint_type;
|
||||
attribute init_path_unit_loc_type;
|
||||
attribute init_script_domain_type;
|
||||
@@ -606,6 +613,13 @@ ifdef(`init_systemd',`
|
||||
@@ -620,6 +627,13 @@ ifdef(`init_systemd',`
|
||||
unconfined_create_keys(init_t)
|
||||
unconfined_write_keys(init_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
From eb787b0e9ad66e719d7eb2d4bc942118a457d0d1 Mon Sep 17 00:00:00 2001
|
||||
From bedc00b3dd5afaa8880f263bfa7c761b1445d204 Mon Sep 17 00:00:00 2001
|
||||
From: "Dustin C. Hatch" <dustin@hatch.name>
|
||||
Date: Tue, 14 Mar 2023 13:40:23 -0500
|
||||
Subject: [PATCH] Allow init to setattr on char devices
|
||||
|
|
@ -9,10 +9,10 @@ This is required for local logins to work.
|
|||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
|
||||
index 7b44a43..bfa5d4d 100644
|
||||
index 1ed2e45..6ef0e31 100644
|
||||
--- a/refpolicy/policy/modules/system/init.te
|
||||
+++ b/refpolicy/policy/modules/system/init.te
|
||||
@@ -385,6 +385,7 @@ ifdef(`init_systemd',`
|
||||
@@ -390,6 +390,7 @@ ifdef(`init_systemd',`
|
||||
dev_create_urand_dev(init_t)
|
||||
# systemd writes to /dev/watchdog on shutdown
|
||||
dev_write_watchdog(init_t)
|
||||
|
|
|
|||
|
|
@ -0,0 +1,33 @@
|
|||
From f497660743a219a6e54c2982529e5a57742e196a Mon Sep 17 00:00:00 2001
|
||||
From: "Dustin C. Hatch" <dustin@hatch.name>
|
||||
Date: Thu, 23 Mar 2023 09:44:02 -0500
|
||||
Subject: [PATCH] podman: Allow crun to chown stdio sockets
|
||||
|
||||
Podman (actually `crun`) fails to launch containers as systemd units
|
||||
with this error:
|
||||
|
||||
fchown std stream 1: Permission denied
|
||||
|
||||
The error is caused by this AVC denial:
|
||||
|
||||
AVC avc: denied { setattr } for pid=262 comm="crun" name="UNIX-STREAM" dev="sockfs" ino=9811 scontext=system_u:system_r:podman_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
|
||||
---
|
||||
refpolicy/policy/modules/services/podman.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/refpolicy/policy/modules/services/podman.te b/refpolicy/policy/modules/services/podman.te
|
||||
index 3d16e64..d06e9f9 100644
|
||||
--- a/refpolicy/policy/modules/services/podman.te
|
||||
+++ b/refpolicy/policy/modules/services/podman.te
|
||||
@@ -71,6 +71,8 @@ ifdef(`init_systemd',`
|
||||
init_start_transient_units(podman_t)
|
||||
init_stop_transient_units(podman_t)
|
||||
|
||||
+ init_rw_stream_sockets(podman_t)
|
||||
+
|
||||
# podman can read logs from containers which are
|
||||
# sent to the system journal
|
||||
logging_search_logs(podman_t)
|
||||
--
|
||||
2.39.0
|
||||
|
||||
|
|
@ -0,0 +1,41 @@
|
|||
From 98c85f0633912a35b5d27417fa60ad213e843f97 Mon Sep 17 00:00:00 2001
|
||||
From: "Dustin C. Hatch" <dustin@hatch.name>
|
||||
Date: Thu, 23 Mar 2023 10:45:11 -0500
|
||||
Subject: [PATCH] systemd: Allow quadlet to read container configs
|
||||
|
||||
---
|
||||
refpolicy/policy/modules/system/systemd.fc | 1 +
|
||||
refpolicy/policy/modules/system/systemd.te | 5 +++++
|
||||
2 files changed, 6 insertions(+)
|
||||
|
||||
diff --git a/refpolicy/policy/modules/system/systemd.fc b/refpolicy/policy/modules/system/systemd.fc
|
||||
index f4b5fa0..9538432 100644
|
||||
--- a/refpolicy/policy/modules/system/systemd.fc
|
||||
+++ b/refpolicy/policy/modules/system/systemd.fc
|
||||
@@ -23,6 +23,7 @@
|
||||
/usr/lib/systemd/system-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
|
||||
/usr/lib/systemd/user-environment-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
|
||||
/usr/lib/systemd/user-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
|
||||
+/usr/libexec/podman/quadlet -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
|
||||
|
||||
/usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
|
||||
/usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
|
||||
diff --git a/refpolicy/policy/modules/system/systemd.te b/refpolicy/policy/modules/system/systemd.te
|
||||
index a296a7d..85157f8 100644
|
||||
--- a/refpolicy/policy/modules/system/systemd.te
|
||||
+++ b/refpolicy/policy/modules/system/systemd.te
|
||||
@@ -572,6 +572,11 @@ optional_policy(`
|
||||
zfs_read_config(systemd_generator_t)
|
||||
')
|
||||
|
||||
+optional_policy(`
|
||||
+ # needed by podman-system-generator
|
||||
+ container_read_config(systemd_generator_t)
|
||||
+')
|
||||
+
|
||||
#######################################
|
||||
#
|
||||
# systemd-homed policy
|
||||
--
|
||||
2.39.0
|
||||
|
||||
|
|
@ -0,0 +1 @@
|
|||
selinux-base
|
||||
Loading…
Reference in New Issue