mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-18 21:11:08 +02:00
Code Issues Packages Projects Releases Wiki Activity

sec-policy/selinux-virt: apply flatcar changes

Browse Source 
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
This commit is contained in:
Mathieu Tortuyaux 2021-06-04 17:08:45 +02:00
parent e02947a905
commit e2afa149cb
2 changed files with 42 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch vendored Normal file
View File

@ -0,0 +1,39 @@
index 256ea58..f72fbba 100644
--- services/virt.te
+++ services/virt.te
@@ -1378,3 +1378,35 @@ sysnet_dns_name_resolve(virtlogd_t)
virt_manage_log(virtlogd_t)
virt_read_config(virtlogd_t)
+
+require {
+ type kernel_t;
+ type tmpfs_t;
+ type var_lib_t;
+}
+allow kernel_t svirt_lxc_net_t:process transition;
+allow initrc_t svirt_lxc_net_t:process transition;
+allow kernel_t svirt_lxc_net_t:process2 nnp_transition;
+fs_manage_tmpfs_chr_files(svirt_lxc_net_t)
+fs_manage_tmpfs_dirs(svirt_lxc_net_t)
+fs_manage_tmpfs_files(svirt_lxc_net_t)
+fs_manage_tmpfs_sockets(svirt_lxc_net_t)
+fs_manage_tmpfs_symlinks(svirt_lxc_net_t)
+fs_remount_tmpfs(svirt_lxc_net_t)
+kernel_read_messages(svirt_lxc_net_t)
+kernel_sigchld(svirt_lxc_net_t)
+kernel_use_fds(svirt_lxc_net_t)
+allow svirt_lxc_net_t self:process getcap;
+files_read_var_lib_files(svirt_lxc_net_t)
+files_read_var_lib_symlinks(svirt_lxc_net_t)
+term_use_generic_ptys(svirt_lxc_net_t)
+term_setattr_generic_ptys(svirt_lxc_net_t)
+allow svirt_lxc_net_t tmpfs_t:chr_file { read write open };
+allow svirt_lxc_net_t svirt_lxc_file_t:chr_file { manage_file_perms };
+allow svirt_lxc_net_t self:capability sys_chroot;
+allow svirt_lxc_net_t self:process getpgid;
+allow svirt_lxc_net_t svirt_lxc_file_t:file { entrypoint mounton };
+allow svirt_lxc_net_t var_lib_t:file { entrypoint execute execute_no_trans };
+allow svirt_lxc_net_t kernel_t:fifo_file { getattr ioctl read write open append };
+allow svirt_lxc_net_t initrc_t:fifo_file { getattr ioctl read write open append };
+

3
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20200818-r2.ebuild vendored
View File

@ -10,6 +10,9 @@ inherit selinux-policy-2
DESCRIPTION="SELinux policy for virt"
# flatcar changes
POLICY_PATCH="${FILESDIR}/virt.patch"
if [[ ${PV} != 9999* ]] ; then
KEYWORDS="amd64 -arm ~arm64 ~mips x86"
fi