From d6580cfdf4937cf3ecc13d4568ddaf0b67c1bc0e Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 26 Mar 2023 12:13:09 -0500
Subject: [PATCH] SELinux: Allow Podman to relabel any file

The default SELinux policy for Podman only allows it to relabel certain files, such as `user_home_t`, to `container_file_t`. This effectively precludes mounting arbitrary directories from `/var` into containers.
---
 .../sec-policy/selinux-aimee-os/files/aimee-os.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
index 2b7e1c0..822ecb8 100644
--- a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
+++ b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
@@ -238,3 +238,12 @@ gen_require(`
 type sysadm_t;
 ')
 init_use_fds(sysadm_t)
+
+# Allow podman to relabel any file (to container_file_t)
+optional_policy(`
+ gen_require(`
+ type podman_t;
+ ')
+ files_relabel_non_security_dirs(podman_t)
+ files_relabel_non_security_files(podman_t)
+')
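Review bot: The comment `# Allow podman to relabel any file (to container_file_t)` understates what the two new interface calls grant: in refpolicy `files_relabel_non_security_dirs` and `files_relabel_non_security_files` expand to relabelfrom and relabelto on every type carrying the `non_security_file_type` attribute, so `podman_t` can move files and directories between any of those types, not just to `container_file_t`. If the only need is bind-mounting directories under `/var`, a narrower rule (relabelfrom limited to the source types actually mounted, relabelto `container_file_t`) or labelling those directories `container_file_t` through file-context rules would cover the use case with far less policy, and would keep a compromised podman process from relabelling unrelated system files. At minimum the comment should state the real scope, e.g. `# Allow podman to relabel dirs/files between any non-security file types (needed to relabel bind mounts under /var to container_file_t)`. Note also that these two interfaces cover the dir and file classes only, so relabelling symlinks or sockets inside such mounts may still be denied; verify against the interface definitions in the refpolicy version this policy builds against.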