From 23a4b9d2b1834d7adebb5be44571fe5c11c532d3 Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Tue, 22 Dec 2015 07:37:49 +0000
Subject: [PATCH] Fix up selinux policy for overlays

MCS is restricting us from performing relabelfrom, and docker uses another label for the underlying files so we need to permit entrypoint from there.
---
 ...build => selinux-base-policy-2.20141203-r8.ebuild} | 0
 .../sec-policy/selinux-base/files/mcs_create.diff | 11 ++++++-----
 ...03-r7.ebuild => selinux-base-2.20141203-r8.ebuild} | 0
 ...ebuild => selinux-unconfined-2.20141203-r8.ebuild} | 0
 .../sec-policy/selinux-virt/files/virt.diff | 4 ++--
 ...03-r7.ebuild => selinux-virt-2.20141203-r8.ebuild} | 0
 6 files changed, 8 insertions(+), 7 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/{selinux-base-policy-2.20141203-r7.ebuild => selinux-base-policy-2.20141203-r8.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/{selinux-base-2.20141203-r7.ebuild => selinux-base-2.20141203-r8.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/{selinux-unconfined-2.20141203-r7.ebuild => selinux-unconfined-2.20141203-r8.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/{selinux-virt-2.20141203-r7.ebuild => selinux-virt-2.20141203-r8.ebuild} (100%)

diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r7.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r8.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r7.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r8.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs_create.diff b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs_create.diff
index b8ae12ae00..64b823577d 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs_create.diff
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs_create.diff
@@ -1,7 +1,7 @@
-diff -ur refpolicy.orig/policy/mcs refpolicy/policy/mcs
---- refpolicy.orig/policy/mcs 2014-06-16 10:44:12.000000000 -0700
-+++ refpolicy/policy/mcs 2015-09-09 16:40:55.212940234 -0700
-@@ -99,14 +99,14 @@
+diff -ur work.orig/refpolicy/policy/mcs work/refpolicy/policy/mcs
+--- refpolicy/policy/mcs 2015-12-18 13:41:18.655947448 +0000
++++ refpolicy/policy/mcs 2015-12-18 13:42:40.364890957 +0000
+@@ -100,14 +100,14 @@
 # New filesystem object labels must be dominated by the relabeling subject
 # clearance, also the objects are single-level.
 mlsconstrain file { create relabelto }
@@ -10,7 +10,8 @@ diff -ur refpolicy.orig/policy/mcs refpolicy/policy/mcs
 # new file labels must be dominated by the relabeling subject clearance
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
- ( h1 dom h2 );
+- ( h1 dom h2 );
++ (( h1 dom h2 ) or (t1 == mcswriteall));
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
 - (( h1 dom h2 ) and ( l2 eq h2 ));
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r7.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r8.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r7.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r8.ebuild
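Review bot: The rewritten relabelfrom constraint `(( h1 dom h2 ) or (t1 == mcswriteall))` in the second hunk exempts every domain that carries the mcswriteall attribute from the clearance-dominance check, not only the container runtime the description has in mind, while the neighbouring `create relabelto` constraint keeps its original form, so the asymmetry deserves a comment at the point where it is introduced. I would add, above the new constraint line inside the patched refpolicy/policy/mcs hunk, `# mcswriteall domains may relabelfrom objects whose range they do not dominate (needed for overlay relabelling per the commit message); create/relabelto stays dominance-checked`. The outer hunk header `@@ -10,7 +10,8 @@` announces 7 old and 8 new lines but only 5 and 6 are visible on this page, so the tail of the hunk after the `create relabelto` constraint appears to be cut off and could not be reviewed here.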
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r7.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r8.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r7.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-unconfined/selinux-unconfined-2.20141203-r8.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff
index 54de5be8ff..28e2ab3f55 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.diff
@@ -11,7 +11,6 @@ diff -ur refpolicy.orig/policy/modules/contrib/virt.te refpolicy/policy/modules/
 + type tmpfs_t;
 + type var_lib_t;
 +}
-+
 +allow kernel_t svirt_lxc_net_t:process transition;
 +fs_manage_tmpfs_chr_files(svirt_lxc_net_t)
 +fs_manage_tmpfs_dirs(svirt_lxc_net_t)
@@ -26,9 +25,10 @@ diff -ur refpolicy.orig/policy/modules/contrib/virt.te refpolicy/policy/modules/
 +files_read_var_lib_files(svirt_lxc_net_t)
 +files_read_var_lib_symlinks(svirt_lxc_net_t)
 +term_use_generic_ptys(svirt_lxc_net_t)
++term_setattr_generic_ptys(svirt_lxc_net_t)
 +allow svirt_lxc_net_t tmpfs_t:chr_file { read write open };
 +allow svirt_lxc_net_t self:capability sys_chroot;
 +allow svirt_lxc_net_t self:process getpgid;
 +allow svirt_lxc_net_t svirt_lxc_file_t:file { entrypoint mounton };
-+allow svirt_lxc_net_t var_lib_t:file { execute execute_no_trans };
++allow svirt_lxc_net_t var_lib_t:file { entrypoint execute execute_no_trans };
 +
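Review bot: The changed rule `allow svirt_lxc_net_t var_lib_t:file { entrypoint execute execute_no_trans };` in the second virt.diff hunk makes every file labelled var_lib_t a valid entrypoint into the svirt_lxc_net_t domain, a far wider set than the dedicated svirt_lxc_file_t type used by the rule directly above it, since var_lib_t is the generic label for /var/lib content rather than a container-specific one. If the overlay lower-layer files that docker uses can be given their own type (or svirt_lxc_file_t via a file context), the entrypoint grant could stay narrow; if the generic label is unavoidable, the rule should carry a comment recording that, e.g. `# overlay lower layers keep the generic var_lib_t label, so the container domain must be allowed to enter from it`. The added `term_setattr_generic_ptys(svirt_lxc_net_t)` is not mentioned in the commit description and would benefit from a one-line comment naming the operation that needed it. Note that virt.diff is itself a patch against refpolicy's virt.te, so the lines reviewed here are the rules that patch adds, and the surrounding policy block is outside this hunk.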
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r7.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r8.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r7.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20141203-r8.ebuild