Merge pull request #311 from rhatdan/man
Update container-selinux.8 man page
rhatdan authored Jun 1, 2024
2 parents 4855815 + 4fda08e commit bdcdb7c
Showing 2 changed files with 30 additions and 97 deletions.
1 change: 1 addition & 0 deletions container.te
Expand Up @@ -1476,6 +1476,7 @@ optional_policy(`
unconfined_domain(kubelet_t)
')

manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)

type kubelet_exec_t;
application_executable_file(kubelet_exec_t)
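Review bot: the new `manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)` rule is a policy change, not a man-page update, yet the commit message ("Update container-selinux.8 man page") does not mention it. It allows container_engine_t to create, delete and rewrite character device nodes on FUSE-mounted filesystems; please state in the commit message which engine use case needs this and why fusefs_t specifically, or split it into its own commit so the policy change is reviewable and bisectable on its own.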
126 changes: 29 additions & 97 deletions container_selinux.8
@@ -1,4 +1,4 @@
.TH "container_selinux" "8" "22-12-13" "container" "SELinux Policy container"
.TH "container_selinux" "8" "24-04-25" "container" "SELinux Policy container"
.SH "NAME"
container_selinux \- Security Enhanced Linux Policy for the container processes
.SH "DESCRIPTION"
Expand All @@ -23,7 +23,7 @@ SELinux container policy is very flexible allowing users to setup their containe
The following process types are defined for container:

.EX
.B container_runtime_t, container_auth_t, container_userns_t, container_logreader_t, container_logwriter_t, container_kvm_t, container_init_t, container_engine_t, container_device_t, container_device_plugin_t, container_device_plugin_init_t, container_t
.B container_runtime_t, container_auth_t, container_userns_t, container_logreader_t, container_logwriter_t, container_kvm_t, container_init_t, container_engine_t, container_device_t, container_device_plugin_t, container_device_plugin_init_t, container_user_t, container_t
.EE
.PP
Note:
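Review bot: container_user_t is added to the process-type list here and to SEE ALSO at the end of the diff, but no hunk in this diff adds a description of what container_user_t confines or how it differs from container_t. If sepolicy manpage generated that text it would show up as an addition; confirm the section exists in the regenerated page, otherwise the new type is referenced without being documented.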
Expand Down Expand Up @@ -102,6 +102,12 @@ The following port types are defined for container:
The SELinux process type container_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
.br
.B bpf_t
/sys/fs/bpf
.br
.br
.B cifs_t
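Review bot: adding bpf_t (/sys/fs/bpf) to the file types container_t can manage is a notable expansion of what a default container process can reach, namely pinned BPF maps and programs under /sys/fs/bpf. The man page only mirrors policy, so this reflects a policy change that the commit message does not describe; please call it out with the rationale so readers of the release notes know that container_t can now manage bpffs objects, DAC permitting.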
Expand All @@ -122,16 +128,26 @@ The SELinux process type container_t can manage files labeled with the following
/var/srv/containers(/.*)?
.br
/var/lib/containerd/[^/]*/snapshots(/.*)?
.br
/var/lib/kubelet/pods(/.*)?
.br
/var/lib/kubernetes/pods(/.*)?
.br
/opt/local-path-provisioner(/.*)?
.br
/var/local-path-provisioner(/.*)?
.br
/var/lib/containers/storage/volumes/[^/]*/.*
.br
/var/lib/kubelet/pod-resources/kubelet.sock
.br
/home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.*
.br
/home/selinuxuser/\.local/share/containers/storage/volumes/[^/]*/.*
.br
.B ecryptfs_t
/home/[^/]+/\.Private(/.*)?
.br
/home/[^/]+/\.ecryptfs(/.*)?
.br
.br
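Review bot: the `/home/selinuxuser/\.local/share/containers/storage/volumes/[^/]*/.*` entry is a host-specific artefact from the machine on which sepolicy manpage was run (the `/home/[^/]+/...` pattern right above it already covers every home directory), and the later hunks in this diff drop the selinuxuser entries from the Paths lists. This one should go too, or the page should be regenerated on a clean host so the same artefact does not come back.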
Expand All @@ -141,9 +157,7 @@ The SELinux process type container_t can manage files labeled with the following
.br
.B fusefs_t
/var/run/user/[0-9]+/gvfs
.br
/var/run/user/4003/gvfs
/run/user/[0-9]+/gvfs
.br
.br
Expand All @@ -154,38 +168,6 @@ The SELinux process type container_t can manage files labeled with the following
/usr/lib/udev/devices/hugepages
.br
.br
.B initrc_tmp_t
.br
.B mnt_t
/mnt(/[^/]*)?
.br
/mnt(/[^/]*)?
.br
/rhev(/[^/]*)?
.br
/rhev/[^/]*/.*
.br
/media(/[^/]*)?
.br
/media(/[^/]*)?
.br
/media/\.hal-.*
.br
/var/run/media(/[^/]*)?
.br
/afs
.br
/net
.br
/misc
.br
/rhev
.br
.br
.B nfs_t
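Review bot: this hunk removes initrc_tmp_t and mnt_t (/mnt, /media, /rhev, /afs, /net, /misc, /var/run/media) from the file types container_t can manage. That is a user-visible tightening: host directories under /mnt or /media bind-mounted into a container_t container will be denied unless they are relabeled. Since the man page only mirrors policy, the commit message should say that the policy no longer grants this, and the behaviour change deserves a release-note entry.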
Expand All @@ -209,40 +191,6 @@ The SELinux process type container_t can manage files labeled with the following
.br
/home/[^/]+/\.local/share/gnome-boxes/images(/.*)?
.br
/home/selinuxuser/\.libvirt/qemu(/.*)?
.br
/home/selinuxuser/\.cache/libvirt/qemu(/.*)?
.br
/home/selinuxuser/\.config/libvirt/qemu(/.*)?
.br
/home/selinuxuser/\.local/share/libvirt/boot(/.*)?
.br
/home/selinuxuser/\.local/share/libvirt/images(/.*)?
.br
/home/selinuxuser/\.local/share/gnome-boxes/images(/.*)?
.br
.br
.B tmp_t
/sandbox(/.*)?
.br
/tmp
.br
/usr/tmp
.br
/var/tmp
.br
/var/tmp
.br
/tmp-inst
.br
/var/tmp-inst
.br
/var/tmp/tmp-inst
.br
/var/tmp/vi\.recover
.br
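Review bot: besides dropping the selinuxuser libvirt entries, this hunk removes the whole tmp_t block (/tmp, /var/tmp, /usr/tmp, /sandbox, /tmp-inst, /var/tmp/vi\.recover, ...) from the types container_t can manage. Containers that bind-mount host /tmp or /var/tmp will lose write access; state this in the commit message alongside the mnt_t removal rather than leaving it implicit in a generated page.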
.SH FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.
Expand Down Expand Up @@ -312,29 +260,13 @@ container policy stores data with multiple different file context types under th
.B restorecon -R -v /srv/ocid
.PP
.PP
container policy stores data with multiple different file context types under the /var/run/containerd directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command:
.PP
.B semanage fcontext -a -e /var/run/containerd /srv/containerd
.br
.B restorecon -R -v /srv/containerd
.PP
.PP
container policy stores data with multiple different file context types under the /var/run/docker directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command:
.PP
.B semanage fcontext -a -e /var/run/docker /srv/docker
.br
.B restorecon -R -v /srv/docker
.PP
.PP
.B STANDARD FILE CONTEXT
SELinux defines the file context types for the container, if you wanted to
store files with these types in a different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.
.B semanage fcontext -a -t container_ro_file_t '/srv/mycontainer_content(/.*)?'
.B semanage fcontext -a -t container_var_lib_t '/srv/container/content(/.*)?'
.br
.B restorecon -R -v /srv/mycontainer_content
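Review bot: the STANDARD FILE CONTEXT example is now internally inconsistent: the semanage line labels `/srv/container/content(/.*)?` as container_var_lib_t, but the restorecon line that follows still runs on `/srv/mycontainer_content`, so a reader who copies both commands relabels nothing. Either keep the path as `/srv/mycontainer_content(/.*)?` in the semanage line or change the second command to `restorecon -R -v /srv/container/content`.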
Expand Down Expand Up @@ -377,7 +309,7 @@ Paths:
.br
.TP 5
Paths:
/srv/containers(/.*)?, /var/lib/origin(/.*)?, /var/lib/rkt/cas(/.*)?, /var/lib/nerdctl/[^/]*/volumes(/.*)?, /var/lib/buildkit/[^/]*/snapshots(/.*)?, /var/srv/containers(/.*)?, /var/lib/containerd/[^/]*/snapshots(/.*)?, /var/lib/kubelet/pods(/.*)?, /var/lib/kubernetes/pods(/.*)?, /var/lib/containers/storage/volumes/[^/]*/.*, /home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.*, /home/selinuxuser/\.local/share/containers/storage/volumes/[^/]*/.*
/srv/containers(/.*)?, /var/lib/origin(/.*)?, /var/lib/rkt/cas(/.*)?, /var/lib/nerdctl/[^/]*/volumes(/.*)?, /var/lib/buildkit/[^/]*/snapshots(/.*)?, /var/srv/containers(/.*)?, /var/lib/containerd/[^/]*/snapshots(/.*)?, /var/lib/kubernetes/pods(/.*)?, /opt/local-path-provisioner(/.*)?, /var/local-path-provisioner(/.*)?, /var/lib/containers/storage/volumes/[^/]*/.*, /var/lib/kubelet/pod-resources/kubelet.sock, /home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.*
.EX
.PP
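Review bot: the new Paths line drops `/var/lib/kubelet/pods(/.*)?` while the container_t section earlier in this diff (hunk @@ -122,16 +128,26 @@) still lists it; both lists are generated from the same file contexts, so one of them is stale. Regenerate the page from the final policy so the two agree.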
Expand Down Expand Up @@ -433,7 +365,7 @@ Paths:
.br
.TP 5
Paths:
/var/lib/nerdctl(/.*)?, /var/lib/docker/.*/config\.env, /var/lib/docker/init(/.*)?, /var/lib/containerd/[^/]*/sandboxes(/.*)?, /var/lib/docker/overlay(/.*)?, /var/lib/ocid/sandboxes(/.*)?, /var/lib/docker-latest/.*/config\.env, /var/lib/buildkit/runc-.*/executor(/.*?), /var/lib/docker/overlay2(/.*)?, /var/lib/kata-containers(/.*)?, /var/cache/kata-containers(/.*)?, /var/lib/containers/overlay(/.*)?, /var/lib/docker-latest/init(/.*)?, /var/lib/docker/containers/.*/hosts, /var/lib/docker/containers/.*/hostname, /var/lib/containers/overlay2(/.*)?, /var/lib/buildkit/containerd-.*(/.*?), /var/lib/docker-latest/overlay(/.*)?, /var/lib/docker-latest/overlay2(/.*)?, /var/lib/containers/overlay-images(/.*)?, /var/lib/containers/overlay-layers(/.*)?, /var/lib/docker-latest/containers/.*/hosts, /var/lib/docker-latest/containers/.*/hostname, /var/lib/containers/overlay2-images(/.*)?, /var/lib/containers/overlay2-layers(/.*)?, /var/lib/containers/storage/overlay(/.*)?, /var/lib/containers/storage/overlay2(/.*)?, /var/lib/containers/storage/overlay-images(/.*)?, /var/lib/containers/storage/overlay-layers(/.*)?, /var/lib/containers/storage/overlay2-images(/.*)?, /var/lib/containers/storage/overlay2-layers(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-layers(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-layers(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay2(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay-images(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay-layers(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay2-images(/.*)?, 
/home/selinuxuser/\.local/share/containers/storage/overlay2-layers(/.*)?
/var/lib/shared(/.*)?, /var/lib/nerdctl(/.*)?, /var/lib/docker/.*/config\.env, /var/lib/docker/init(/.*)?, /var/lib/containerd/[^/]*/sandboxes(/.*)?, /var/lib/docker/overlay(/.*)?, /var/lib/ocid/sandboxes(/.*)?, /var/lib/docker-latest/.*/config\.env, /var/lib/buildkit/runc-.*/executor(/.*?), /var/lib/docker/overlay2(/.*)?, /var/lib/kata-containers(/.*)?, /var/cache/kata-containers(/.*)?, /var/lib/containers/overlay(/.*)?, /var/lib/docker-latest/init(/.*)?, /var/lib/docker/containers/.*/hosts, /var/lib/docker/containers/.*/hostname, /var/lib/containers/overlay2(/.*)?, /var/lib/buildkit/containerd-.*(/.*?), /var/lib/docker-latest/overlay(/.*)?, /var/lib/docker-latest/overlay2(/.*)?, /var/lib/containers/overlay-images(/.*)?, /var/lib/containers/overlay-layers(/.*)?, /var/lib/docker-latest/containers/.*/hosts, /var/lib/docker-latest/containers/.*/hostname, /var/lib/containers/overlay2-images(/.*)?, /var/lib/containers/overlay2-layers(/.*)?, /var/lib/containers/storage/overlay(/.*)?, /var/lib/containers/storage/overlay2(/.*)?, /var/lib/containers/storage/overlay-images(/.*)?, /var/lib/containers/storage/overlay-layers(/.*)?, /var/lib/containers/storage/overlay2-images(/.*)?, /var/lib/containers/storage/overlay2-layers(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-layers(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-layers(/.*)?
.EX
.PP
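Review bot: `/var/lib/buildkit/runc-.*/executor(/.*?)` and `/var/lib/buildkit/containerd-.*(/.*?)` use `(/.*?)` where every other entry uses `(/.*)?`. Because file context regexes are anchored, the mandatory group means the pattern matches only entries beneath the directory and never the directory itself, so restorecon leaves the executor and containerd-* directories with whatever label the parent gives them. The defect is pre-existing, but since this line is being rewritten it is a good moment to fix the file context and regenerate.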
Expand All @@ -445,7 +377,7 @@ Paths:
.br
.TP 5
Paths:
/usr/s?bin/lxc, /usr/s?bin/lxd, /usr/s?bin/crun, /usr/s?bin/runc, /usr/s?bin/crio.*, /usr/s?bin/lxc-.*, /usr/s?bin/lxd-.*, /usr/s?bin/ocid.*, /usr/s?bin/docker.*, /usr/s?bin/fuidshift, /usr/s?bin/kata-agent, /usr/s?bin/buildkitd.*, /usr/s?bin/containerd.*, /usr/s?bin/buildkit-runc, /usr/s?bin/docker-latest, /usr/s?bin/docker-current, /usr/local/s?bin/crun, /usr/local/s?bin/runc, /usr/local/s?bin/crio.*, /usr/local/s?bin/docker.*, /usr/local/s?bin/kata-agent, /usr/local/s?bin/buildkitd.*, /usr/local/s?bin/containerd.*, /usr/local/s?bin/buildkit-runc, /usr/lib/docker/[^/]*plugin, /usr/libexec/lxc/.*, /usr/libexec/lxd/.*, /usr/bin/container[^/]*plugin, /usr/libexec/docker/.*, /usr/local/lib/docker/[^/]*plugin, /usr/libexec/docker/docker.*, /usr/local/libexec/docker/.*, /usr/local/libexec/docker/docker.*, /usr/bin/podman, /usr/local/bin/podman, /usr/bin/rhel-push-plugin, /usr/sbin/rhel-push-plugin
/usr/s?bin/lxc, /usr/s?bin/lxd, /usr/s?bin/crun, /usr/s?bin/runc, /usr/s?bin/crio.*, /usr/s?bin/lxc-.*, /usr/s?bin/lxd-.*, /usr/s?bin/ocid.*, /usr/s?bin/buildah, /usr/s?bin/docker.*, /usr/s?bin/fuidshift, /usr/s?bin/kata-agent, /usr/s?bin/buildkitd.*, /usr/s?bin/containerd.*, /usr/s?bin/buildkit-runc, /usr/s?bin/docker-latest, /usr/s?bin/docker-current, /usr/local/s?bin/crun, /usr/local/s?bin/runc, /usr/local/s?bin/crio.*, /usr/local/s?bin/docker.*, /usr/local/s?bin/kata-agent, /usr/local/s?bin/buildkitd.*, /usr/local/s?bin/containerd.*, /usr/local/s?bin/buildkit-runc, /usr/lib/docker/[^/]*plugin, /usr/libexec/lxc/.*, /usr/libexec/lxd/.*, /usr/bin/container[^/]*plugin, /usr/libexec/docker/.*, /usr/local/lib/docker/[^/]*plugin, /usr/libexec/docker/docker.*, /usr/local/libexec/docker/.*, /usr/local/libexec/docker/docker.*, /usr/bin/podman, /usr/local/bin/podman, /usr/bin/rhel-push-plugin, /usr/sbin/rhel-push-plugin
.EX
.PP
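Review bot: `/usr/s?bin/buildah` is added, but unlike crun, runc, crio, docker, kata-agent, buildkitd and containerd in the same list there is no `/usr/local/s?bin/buildah` counterpart, so a buildah installed from source into /usr/local will not be labeled with the runtime executable type. Add the /usr/local variant if the pattern used for the other entries is intended here too.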
Expand Down Expand Up @@ -485,7 +417,7 @@ Paths:
.br
.TP 5
Paths:
/exports(/.*)?, /var/lib/cni(/.*)?, /var/lib/lxc(/.*)?, /var/lib/lxd(/.*)?, /var/lib/ocid(/.*)?, /var/lib/docker(/.*)?, /var/lib/kubelet(/.*)?, /var/lib/buildkit(/.*)?, /var/lib/registry(/.*)?, /var/lib/containerd(/.*)?, /var/lib/containers(/.*)?, /var/lib/docker-latest(/.*)?
/exports(/.*)?, /var/lib/cni(/.*)?, /var/lib/lxc(/.*)?, /var/lib/lxd(/.*)?, /var/lib/ocid(/.*)?, /var/lib/docker(/.*)?, /var/lib/kubelet(/.*)?, /var/lib/buildkit(/.*)?, /var/lib/registry(/.*)?, /var/lib/containerd(/.*)?, /var/lib/containers(/.*)?, /var/cache/containers(/.*)?, /var/lib/docker-latest(/.*)?
.EX
.PP
Expand All @@ -497,7 +429,7 @@ Paths:
.br
.TP 5
Paths:
/var/run/crio(/.*)?, /var/run/docker(/.*)?, /var/run/flannel(/.*)?, /var/run/buildkit(/.*)?, /var/run/containerd(/.*)?, /var/run/containers(/.*)?, /var/run/docker-client(/.*)?, /var/run/docker\.pid, /var/run/docker\.sock
/run/crio(/.*)?, /run/docker(/.*)?, /run/flannel(/.*)?, /run/buildkit(/.*)?, /run/containerd(/.*)?, /run/containers(/.*)?, /run/docker-client(/.*)?, /run/docker\.pid, /run/docker\.sock
.PP
Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
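Review bot: moving these paths from /var/run to /run is consistent with the /var/run to /run substitution in file_contexts.subs_dist, but the fusefs_t entry earlier in this diff still lists `/var/run/user/[0-9]+/gvfs` next to `/run/user/[0-9]+/gvfs`. For consistency keep only the /run form there as well.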
Expand Down Expand Up @@ -531,4 +463,4 @@ This manual page was auto-generated using
.B "sepolicy manpage".
.SH "SEE ALSO"
selinux(8), container(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), container_auth_selinux(8), container_auth_selinux(8), container_device_selinux(8), container_device_selinux(8), container_device_plugin_selinux(8), container_device_plugin_selinux(8), container_device_plugin_init_selinux(8), container_device_plugin_init_selinux(8), container_engine_selinux(8), container_engine_selinux(8), container_init_selinux(8), container_init_selinux(8), container_kvm_selinux(8), container_kvm_selinux(8), container_logreader_selinux(8), container_logreader_selinux(8), container_logwriter_selinux(8), container_logwriter_selinux(8), container_runtime_selinux(8), container_runtime_selinux(8), container_userns_selinux(8), container_userns_selinux(8)
selinux(8), container(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), container_auth_selinux(8), container_auth_selinux(8), container_device_selinux(8), container_device_selinux(8), container_device_plugin_selinux(8), container_device_plugin_selinux(8), container_device_plugin_init_selinux(8), container_device_plugin_init_selinux(8), container_engine_selinux(8), container_engine_selinux(8), container_init_selinux(8), container_init_selinux(8), container_kvm_selinux(8), container_kvm_selinux(8), container_logreader_selinux(8), container_logreader_selinux(8), container_logwriter_selinux(8), container_logwriter_selinux(8), container_runtime_selinux(8), container_runtime_selinux(8), container_user_selinux(8), container_user_selinux(8), container_userns_selinux(8), container_userns_selinux(8)
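Review bot: every entry in SEE ALSO appears twice (container_auth_selinux(8), container_auth_selinux(8), ...), and the new container_user_selinux(8) is added in duplicate as well. The duplication is in the generated output, so either deduplicate the list before committing or fix the generator so the next regeneration does not reintroduce it.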

1 comment on commit bdcdb7c

@packit-as-a-service

podman-next COPR build failed. @containers/packit-build please check.
