Fix up selinux policy

We need some additional SELinux policy to get rkt working. Right now
this is a rough first cut; we'll tidy it up over time and ensure
that it's not overly permissive. In addition, ensure that policy is
installed in /usr rather than /etc and /var in order to allow upgrades
to work properly.
This commit is contained in:
Matthew Garrett 2015-06-26 16:53:57 -07:00
parent 07aa4a264b
commit 193ef15b91
6 changed files with 118 additions and 2 deletions


@ -0,0 +1,12 @@
diff -ur refpolicy.orig/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
--- refpolicy.orig/policy/modules/kernel/kernel.te 2015-06-24 14:05:01.160318849 -0700
+++ refpolicy/policy/modules/kernel/kernel.te 2015-06-24 14:06:23.468516424 -0700
@@ -442,3 +442,8 @@
#dev_manage_all_dev_nodes(kernel_t)
dev_setattr_generic_chr_files(kernel_t)
')
+
+mcs_file_read_all(kernel_t)
+mcs_file_write_all(kernel_t)
+mcs_process_set_categories(kernel_t)
+
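Review bot: The three new rules give kernel_t a blanket MCS override — read and write files in every category and set any category set on processes — so any process still running in kernel_t, not just the rkt launcher, can cross the category separation that MCS exists to provide between containers. Together with the `kernel_t -> svirt_lxc_net_t` transition in the accompanying virt.diff this suggests rkt is being started straight from kernel_t; a dedicated rkt domain carrying these MCS interfaces would confine the override to the launcher. Until then a comment stating the reason and the intent to tighten would help the next reader, e.g. `# rkt is currently launched from kernel_t and must assign per-container MCS categories; TODO move to a dedicated rkt domain`. The rules are appended after the closing `')`, so they apply unconditionally rather than inside the preceding tunable block, which reads as intended.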


@ -51,6 +51,8 @@ src_prepare() {
epatch
fi
epatch "${FILESDIR}/kernel_mcs.diff"
cd "${S}/refpolicy"
make bare
@ -134,6 +136,7 @@ src_install() {
for i in ${POLICY_TYPES}; do
cd "${S}/${i}"
make DESTDIR="${D}" install \
|| die "${i} install failed."
@ -166,6 +169,12 @@ src_install() {
insinto /etc/selinux/mcs/contexts
doins "${FILESDIR}/lxc_contexts"
mkdir -p "${D}/usr/lib/selinux"
for i in ${POLICY_TYPES}; do
mv "${D}/etc/selinux/${i}" "${D}/usr/lib/selinux"
dosym "../../usr/lib/selinux/${i}" "/etc/selinux/${i}"
done
}
pkg_preinst() {
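Review bot: The `mv` in the POLICY_TYPES loop turns each `/etc/selinux/${i}` into a symlink into /usr/lib/selinux, so anything that rewrites files under the policy tree at runtime (`semodule`'s rebuilt policy and file_contexts, `setsebool -P`) now writes into /usr; if /usr is read-only on the target — the description's upgrade rationale suggests it may be — those operations will fail and that should be stated as intentional, e.g. `# policy lives under /usr so it is replaced with the image; runtime semodule/setsebool -P are not supported`. `mkdir -p "${D}/usr/lib/selinux"` would be `dodir /usr/lib/selinux` to match the helpers used elsewhere in this function. The `lxc_contexts` file is installed only into the mcs tree while the loop moves every entry in POLICY_TYPES, which is fine only as long as mcs is the sole type built. src_install starts and ends outside the hunk.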


@ -0,0 +1,90 @@
diff -ur policy.orig/modules/contrib/virt.te policy/modules/contrib/virt.te
--- policy.orig/modules/contrib/virt.te 2015-06-24 14:19:59.049728749 -0700
+++ policy/modules/contrib/virt.te 2015-06-24 14:21:57.426003987 -0700
@@ -1243,3 +1243,86 @@
files_pid_filetrans(virt_leaseshelper_t, virt_var_run_t, file)
kernel_dontaudit_read_system_state(virt_leaseshelper_t)
+
+require {
+ type unlabeled_t;
+ type devpts_t;
+ type kernel_t;
+ type svirt_lxc_net_t;
+ type svirt_lxc_file_t;
+ type tmpfs_t;
+ type proc_t;
+ type sysfs_t;
+ type var_lib_t;
+ type init_var_run_t;
+ type sysctl_t;
+ type ptmx_t;
+ type sysctl_kernel_t;
+ type proc_kmsg_t;
+ class fifo_file { write setattr read create unlink open };
+ class process { execmem getcap transition sigchld };
+ class chr_file { setattr read create getattr mounton write ioctl open };
+ class capability { sys_chroot mknod };
+ class fd use;
+ class file { rename read lock execute_no_trans mounton ioctl unlink open append execute create write entrypoint };
+ class filesystem { unmount mount remount };
+ class sock_file { write create };
+ class lnk_file { read create };
+ class unix_stream_socket { connectto };
+ class dir { rename setattr relabelfrom create reparent mounton write remove_name relabelto add_name };
+}
+
+allow kernel_t svirt_lxc_net_t:process transition;
+allow svirt_lxc_net_t devpts_t:chr_file { write ioctl setattr read open getattr };
+allow svirt_lxc_net_t devpts_t:filesystem mount;
+allow svirt_lxc_net_t init_var_run_t:file { read open };
+allow svirt_lxc_net_t kernel_t:fd use;
+allow svirt_lxc_net_t kernel_t:process sigchld;
+allow svirt_lxc_net_t kernel_t:unix_stream_socket { connectto };
+kernel_read_messages(svirt_lxc_net_t)
+allow svirt_lxc_net_t proc_kmsg_t:file mounton;
+allow svirt_lxc_net_t proc_t:filesystem { mount remount };
+
+#!!!! The source type 'svirt_lxc_net_t' can write to a 'chr_file' of the following types:
+# svirt_lxc_file_t, user_devpts_t, zero_device_t, null_device_t, devtty_t
+
+allow svirt_lxc_net_t ptmx_t:chr_file { read write ioctl open };
+allow svirt_lxc_net_t self:capability { sys_chroot mknod };
+allow svirt_lxc_net_t self:process getcap;
+allow svirt_lxc_net_t svirt_lxc_file_t:file mounton;
+allow svirt_lxc_net_t sysctl_kernel_t:file mounton;
+allow svirt_lxc_net_t sysctl_t:dir mounton;
+allow svirt_lxc_net_t sysfs_t:dir mounton;
+allow svirt_lxc_net_t sysfs_t:filesystem mount;
+allow svirt_lxc_net_t tmpfs_t:chr_file { read write create open mounton };
+allow svirt_lxc_net_t tmpfs_t:dir { write remove_name create add_name mounton };
+
+#!!!! The source type 'svirt_lxc_net_t' can write to a 'fifo_file' of the following type:
+# svirt_lxc_file_t
+
+allow svirt_lxc_net_t tmpfs_t:fifo_file { write setattr read create unlink open };
+
+#!!!! The source type 'svirt_lxc_net_t' can write to a 'file' of the following type:
+# svirt_lxc_file_t
+
+allow svirt_lxc_net_t tmpfs_t:file { write read create unlink open };
+allow svirt_lxc_net_t tmpfs_t:filesystem { mount remount };
+allow svirt_lxc_net_t tmpfs_t:lnk_file { read create };
+allow svirt_lxc_net_t tmpfs_t:sock_file create;
+allow svirt_lxc_net_t unlabeled_t:dir mounton;
+allow svirt_lxc_net_t unlabeled_t:file { read execute open };
+allow svirt_lxc_net_t unlabeled_t:lnk_file read;
+allow svirt_lxc_net_t var_run_t:sock_file write;
+allow svirt_lxc_net_t var_lib_t:dir { rename setattr relabelfrom create reparent write relabelto remove_name add_name };
+allow svirt_lxc_net_t var_lib_t:file { rename execute read lock create execute_no_trans write entrypoint unlink open append };
+allow svirt_lxc_net_t var_lib_t:lnk_file create;
+allow svirt_lxc_net_t devpts_t:filesystem unmount;
+allow svirt_lxc_net_t proc_t:filesystem unmount;
+allow svirt_lxc_net_t self:process getpgid;
+allow svirt_lxc_net_t svirt_lxc_file_t:filesystem unmount;
+allow svirt_lxc_net_t sysfs_t:filesystem unmount;
+allow svirt_lxc_net_t tmpfs_t:chr_file ioctl;
+allow svirt_lxc_net_t tmpfs_t:filesystem unmount;
+allow svirt_lxc_net_t tmpfs_t:sock_file write;
+allow svirt_lxc_net_t var_lib_t:file ioctl;
+


@ -10,6 +10,8 @@ inherit selinux-policy-2
DESCRIPTION="SELinux policy for virt"
POLICY_PATCH="${FILESDIR}/virt.diff"
if [[ $PV == 9999* ]] ; then
KEYWORDS=""
else


@ -0,0 +1,2 @@
d /var/lib/selinux - - - - -
L /var/lib/selinux/policy - - - - ../../usr/lib/selinux/policy
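Review bot: The symlink target in the `L` line is one directory level short: a link created at /var/lib/selinux/policy resolves `../../usr/lib/selinux/policy` relative to /var/lib/selinux, i.e. to /var/usr/lib/selinux/policy, which does not exist. It should read `L /var/lib/selinux/policy - - - - ../../../usr/lib/selinux/policy`, or use the absolute target `/usr/lib/selinux/policy` to avoid the level counting. The policycoreutils ebuild's `dosym` in this commit uses the same two-level path and needs the same correction.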


@ -155,8 +155,8 @@ src_install() {
dosym /$(get_libdir)/rc/runscript_selinux.so /$(get_libdir)/rcscripts/runscript_selinux.so
# location for policy definitions
dodir /var/lib/selinux
keepdir /var/lib/selinux
dodir /usr/lib/selinux/policy
dosym ../../usr/lib/selinux/policy /var/lib/selinux
if use python ; then
# Set version-specific scripts
@ -168,6 +168,7 @@ src_install() {
done
fi
systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/policycoreutils.conf"
dodir /usr/share/doc/${PF}/mcstrans/examples
cp -dR "${S1}"/mcstrans/share/examples/* "${D}/usr/share/doc/${PF}/mcstrans/examples"
}
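Review bot: `dosym ../../usr/lib/selinux/policy /var/lib/selinux` names an existing directory (created by the `dodir` two lines above) as the link, so ln should place the link inside it as /var/lib/selinux/policy, and from there `../../usr/lib/selinux/policy` resolves to /var/usr/lib/selinux/policy instead of /usr/lib/selinux/policy. Spell out the link path and add the missing level: `dosym ../../../usr/lib/selinux/policy /var/lib/selinux/policy` (or use the absolute target). With the store now living under /usr, `semodule` presumably cannot write to what /var/lib/selinux/policy points at on a read-only /usr; if that is intended, a comment on the `dodir /usr/lib/selinux/policy` line saying so would help. src_install starts before the first hunk.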