From cffb801bddf34e77fd17545b590890d952a229dc Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 17 Jan 2024 15:09:27 -0500
Subject: [PATCH 1/2] Additional rules for container_user_t

Signed-off-by: Daniel J Walsh
---
 container.te | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/container.te b/container.te
index 5a4e55a..51c55a5 100644
--- a/container.te
+++ b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.228.1)
+policy_module(container, 2.229.0)
 
 gen_require(`
 class passwd rootok;
@@ -1540,6 +1540,12 @@ selinux_compute_access_vector(container_user_t)
 systemd_dbus_chat_hostnamed(container_user_t)
 systemd_start_systemd_services(container_user_t)
 
+allow container_runtime_t container_user_t:process transition;
+allow container_runtime_t container_user_t:process2 nnp_transition;
+allow container_user_t container_runtime_t:fifo_file rw_fifo_file_perms;
+
+allow container_user_t container_file_t:chr_file manage_chr_file_perms;
+allow container_user_t container_file_t:file entrypoint;
 allow container_domain container_file_t:file entrypoint;
 allow container_domain container_ro_file_t:file { entrypoint execmod execute execute_no_trans getattr ioctl lock map open read };

From c4fbc450e36439b62b824ff03fc0c32e199f1ccd Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 19 Jan 2024 06:44:41 -0500
Subject: [PATCH 2/2] Allow unconfined_r to transition to container_user_r

Signed-off-by: Daniel J Walsh
---
 container.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/container.te b/container.te
index 51c55a5..61ca5f4 100644
--- a/container.te
+++ b/container.te
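Review bot: The new `allow container_user_t container_file_t:chr_file manage_chr_file_perms;` grants the full manage set (create, write, setattr, rename, unlink, …) on device-node files labeled container_file_t, and nothing in the hunk or the commit message records which runtime operation needs more than read/write on those nodes. Add a comment above the line naming the use case, e.g. `# container_user_t must manage chr_file nodes under container_file_t for <use case — fill in>`, or narrow the rule to rw_chr_file_perms if that covers it. The added `allow container_user_t container_file_t:file entrypoint;` duplicates the `allow container_domain container_file_t:file entrypoint;` context line directly below it if container_user_t carries the container_domain attribute, which this hunk does not show; if it does, drop the new line. The container_user_t rule block this hunk edits starts and ends outside the hunk.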
@@ -1532,6 +1532,9 @@ role container_user_r types container_user_domain;
 role container_user_r types container_net_domain;
 role container_user_r types container_file_type;
 container_runtime_run(container_user_t, container_user_r)
+unconfined_role_change_to(container_user_r)
+
+container_use_ptys(container_user_t)
 fs_manage_cgroup_dirs(container_user_t)
 fs_manage_cgroup_files(container_user_t)
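Review bot: The added `container_use_ptys(container_user_t)` line is not mentioned in the commit title or description, which only cover the unconfined_r to container_user_r role change; state in the description why container_user_t needs pty access, or move that line into its own commit. `unconfined_role_change_to(container_user_r)` widens the set of roles an unconfined_r session may enter, so a one-line comment above it recording the intended entry path, e.g. `# allow unconfined_r sessions to change role into container_user_r`, would help later readers judge its scope. Unlike the first patch in the series, this one leaves the policy_module version untouched, which is fine only if both patches land together. The container_user_r/container_user_t block this hunk edits starts outside the hunk.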