mirror of
https://github.com/flatcar/scripts.git
synced 2025-08-24 16:01:09 +02:00
Fix up selinux policy for overlays
MCS is restricting us from performing relabelfrom, and docker uses another label for the underlying files so we need to permit entrypoint from there.
This commit is contained in:
Matthew Garrett
parent
cdcfbf329e
commit
23a4b9d2b1
@ -1,7 +1,7 @@
|
|||||||
diff -ur refpolicy.orig/policy/mcs refpolicy/policy/mcs
|
diff -ur work.orig/refpolicy/policy/mcs work/refpolicy/policy/mcs
|
||||||
--- refpolicy.orig/policy/mcs 2014-06-16 10:44:12.000000000 -0700
|
--- refpolicy/policy/mcs 2015-12-18 13:41:18.655947448 +0000
|
||||||
+++ refpolicy/policy/mcs 2015-09-09 16:40:55.212940234 -0700
|
+++ refpolicy/policy/mcs 2015-12-18 13:42:40.364890957 +0000
|
||||||
@@ -99,14 +99,14 @@
|
@@ -100,14 +100,14 @@
|
||||||
# New filesystem object labels must be dominated by the relabeling subject
|
# New filesystem object labels must be dominated by the relabeling subject
|
||||||
# clearance, also the objects are single-level.
|
# clearance, also the objects are single-level.
|
||||||
mlsconstrain file { create relabelto }
|
mlsconstrain file { create relabelto }
|
||||||
@ -10,7 +10,8 @@ diff -ur refpolicy.orig/policy/mcs refpolicy/policy/mcs
|
|||||||
|
|
||||||
# new file labels must be dominated by the relabeling subject clearance
|
# new file labels must be dominated by the relabeling subject clearance
|
||||||
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
|
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
|
||||||
( h1 dom h2 );
|
- ( h1 dom h2 );
|
||||||
|
+ (( h1 dom h2 ) or (t1 == mcswriteall));
|
||||||
|
|
||||||
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
|
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
|
||||||
- (( h1 dom h2 ) and ( l2 eq h2 ));
|
- (( h1 dom h2 ) and ( l2 eq h2 ));
|
||||||
|
|||||||
@ -11,7 +11,6 @@ diff -ur refpolicy.orig/policy/modules/contrib/virt.te refpolicy/policy/modules/
|
|||||||
+ type tmpfs_t;
|
+ type tmpfs_t;
|
||||||
+ type var_lib_t;
|
+ type var_lib_t;
|
||||||
+}
|
+}
|
||||||
+
|
|
||||||
+allow kernel_t svirt_lxc_net_t:process transition;
|
+allow kernel_t svirt_lxc_net_t:process transition;
|
||||||
+fs_manage_tmpfs_chr_files(svirt_lxc_net_t)
|
+fs_manage_tmpfs_chr_files(svirt_lxc_net_t)
|
||||||
+fs_manage_tmpfs_dirs(svirt_lxc_net_t)
|
+fs_manage_tmpfs_dirs(svirt_lxc_net_t)
|
||||||
@ -26,9 +25,10 @@ diff -ur refpolicy.orig/policy/modules/contrib/virt.te refpolicy/policy/modules/
|
|||||||
+files_read_var_lib_files(svirt_lxc_net_t)
|
+files_read_var_lib_files(svirt_lxc_net_t)
|
||||||
+files_read_var_lib_symlinks(svirt_lxc_net_t)
|
+files_read_var_lib_symlinks(svirt_lxc_net_t)
|
||||||
+term_use_generic_ptys(svirt_lxc_net_t)
|
+term_use_generic_ptys(svirt_lxc_net_t)
|
||||||
|
+term_setattr_generic_ptys(svirt_lxc_net_t)
|
||||||
+allow svirt_lxc_net_t tmpfs_t:chr_file { read write open };
|
+allow svirt_lxc_net_t tmpfs_t:chr_file { read write open };
|
||||||
+allow svirt_lxc_net_t self:capability sys_chroot;
|
+allow svirt_lxc_net_t self:capability sys_chroot;
|
||||||
+allow svirt_lxc_net_t self:process getpgid;
|
+allow svirt_lxc_net_t self:process getpgid;
|
||||||
+allow svirt_lxc_net_t svirt_lxc_file_t:file { entrypoint mounton };
|
+allow svirt_lxc_net_t svirt_lxc_file_t:file { entrypoint mounton };
|
||||||
+allow svirt_lxc_net_t var_lib_t:file { execute execute_no_trans };
|
+allow svirt_lxc_net_t var_lib_t:file { entrypoint execute execute_no_trans };
|
||||||
+
|
+
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user