-
Notifications
You must be signed in to change notification settings - Fork 30
/
Copy pathos-podman.te
60 lines (50 loc) · 2.14 KB
/
os-podman.te
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
policy_module(os-podman, 1.0)
gen_require(`
attribute container_domain;
attribute container_runtime_domain;
type container_t;
type container_file_t;
type container_log_t;
type openvswitch_t;
type puppet_etc_t;
type cluster_var_log_t;
type init_t;
type swift_data_t;
type swift_var_cache_t;
type fixed_disk_device_t;
class blk_file getattr;
')
#============= container_t ==============
miscfiles_read_generic_certs(container_t)
openvswitch_stream_connect(container_t)
# for posterity: read_files_pattern includes dir accesses
read_files_pattern(container_t, puppet_etc_t, puppet_etc_t)
read_lnk_files_pattern(container_t, puppet_etc_t, puppet_etc_t)
# but read_files_pattern does not allow "read" on tclass=dir
allow container_t puppet_etc_t:dir { read };
# bugzilla #1772025
allow openvswitch_t container_file_t:dir create;
manage_files_pattern(openvswitch_t, container_file_t, container_file_t)
manage_sock_files_pattern(openvswitch_t, container_file_t, container_file_t)
# Bugzilla 1778793
allow openvswitch_t self:capability { net_broadcast fowner fsetid };
# needed for HA containers
manage_files_pattern(container_t, cluster_var_log_t, cluster_var_log_t);
manage_dirs_pattern(container_t, cluster_var_log_t, cluster_var_log_t);
# Needed for LP#1853652
allow init_t container_file_t:file { execute execute_no_trans };
# Bugzilla 1926765. See also container-selinux commit 448dfb
allow container_domain container_runtime_domain:process sigchld;
# Bugzilla 1941922 + 1941412
manage_files_pattern(container_t, swift_data_t, swift_data_t);
manage_dirs_pattern(container_t, swift_data_t, swift_data_t);
# Bugzilla 2013194
manage_files_pattern(container_t, swift_var_cache_t, swift_var_cache_t);
manage_dirs_pattern(container_t, swift_var_cache_t, swift_var_cache_t);
# LP 1944539
allow container_t fixed_disk_device_t:blk_file getattr;
# Bugzilla 2020210
manage_files_pattern(container_t, container_log_t, container_log_t);
manage_dirs_pattern(container_t, container_log_t, container_log_t);
# Bugzilla 2091076
manage_sock_files_pattern(init_t, container_file_t, container_file_t);