sec-policy/selinux-virt: Allow setattr on devpts ptys and grant pipefs access

Policy was blocking the modification of attributes on devpts ptys, making it
impossible to enter a rkt container interactively. Fix that. In addition,
pipefs access was also being blocked, which made Docker unhappy. Fix that too.
This commit is contained in:
Matthew Garrett 2016-05-23 16:08:14 -07:00
parent 70060e867d
commit 6dc592af52
5 changed files with 3 additions and 1 deletions


@ -1,7 +1,7 @@
diff -u contrib.orig/virt.te contrib/virt.te diff -u contrib.orig/virt.te contrib/virt.te
--- modules/contrib.orig/virt.te 2016-02-20 13:18:44.670955920 -0800 --- modules/contrib.orig/virt.te 2016-02-20 13:18:44.670955920 -0800
+++ modules/contrib/virt.te 2016-02-20 13:22:24.186318856 -0800 +++ modules/contrib/virt.te 2016-02-20 13:22:24.186318856 -0800
@@ -1299,3 +1299,30 @@ @@ -1299,3 +1299,32 @@
virt_append_log(virtlockd_t) virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t) virt_read_config(virtlockd_t)
@ -27,8 +27,10 @@ diff -u contrib.orig/virt.te contrib/virt.te
+term_use_generic_ptys(svirt_lxc_net_t) +term_use_generic_ptys(svirt_lxc_net_t)
+term_setattr_generic_ptys(svirt_lxc_net_t) +term_setattr_generic_ptys(svirt_lxc_net_t)
+allow svirt_lxc_net_t tmpfs_t:chr_file { read write open }; +allow svirt_lxc_net_t tmpfs_t:chr_file { read write open };
+allow svirt_lxc_net_t svirt_lxc_file_t:chr_file { setattr };
+allow svirt_lxc_net_t self:capability sys_chroot; +allow svirt_lxc_net_t self:capability sys_chroot;
+allow svirt_lxc_net_t self:process getpgid; +allow svirt_lxc_net_t self:process getpgid;
+allow svirt_lxc_net_t svirt_lxc_file_t:file { entrypoint mounton }; +allow svirt_lxc_net_t svirt_lxc_file_t:file { entrypoint mounton };
+allow svirt_lxc_net_t var_lib_t:file { entrypoint execute execute_no_trans }; +allow svirt_lxc_net_t var_lib_t:file { entrypoint execute execute_no_trans };
+allow svirt_lxc_net_t kernel_t:fifo_file {read write open };
+ +
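Review bot: The new rule `+allow svirt_lxc_net_t kernel_t:fifo_file {read write open };` lets every svirt_lxc_net_t container open, read and write any pipe labelled kernel_t, which is wider than the Docker pipefs case the message describes, and presumably MCS does not narrow it either, since kernel-created pipes are unlikely to carry container categories. If the denial is on pipes inherited from a kernel_t parent, the kernel module's interface (`kernel_rw_pipes(svirt_lxc_net_t)`, if this policy's kernel.if provides it) expresses the dependency the way the term_* interfaces above do for ptys, instead of a raw allow on another module's type; either way it is worth confirming from the original AVC denial which pipe object needs this before keeping the broad form. The other added rule `+allow svirt_lxc_net_t svirt_lxc_file_t:chr_file { setattr };` grants setattr on svirt_lxc_file_t character devices rather than on devpts_t, while the message speaks of devpts ptys; if the container's pty is relabelled svirt_lxc_file_t by the runtime, a comment line above it such as `# ptys inside the container are labelled svirt_lxc_file_t, not devpts_t` would document that. Minor style: the brace spacing `{read write open }` differs from `{ read write open }` used on the neighbouring rules.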