container_engine_t: another round of small improvements #327

Merged
merged 1 commit into from
Sep 18, 2024

Conversation

haircommander
Contributor

No description provided.

@rhatdan
Member

rhatdan commented Sep 12, 2024

LGTM

@haircommander
Contributor Author

added one more piece, PTAL @rhatdan

container.te Outdated
@@ -1450,11 +1450,13 @@ allow container_engine_t sysctl_t:{dir file} mounton;
allow container_engine_t fusefs_t:dir { relabelfrom relabelto };
allow container_engine_t fusefs_t:file relabelto;
allow container_engine_t kernel_t:system module_request;
allow container_engine_t null_device_t:chr_file mounton;
allow container_engine_t null_device_t:chr_file { mounton setattr };
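Review bot: nothing on this PR records which AVC denial motivated widening `null_device_t:chr_file` from `mounton` to `{ mounton setattr }` (the PR body is "No description provided" and the commit message is not shown here); the denial and the engine operation that produced it should go into the commit message so the added `setattr` on a device node can be audited later. The inline review also asks for `setattr_chr_file_perms` rather than bare `setattr`, so the `+` line should be changed to use that macro instead of the single permission.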
Member

allow container_engine_t null_device_t:chr_file { mounton setattr_chr_file_perms };

container.te Outdated
allow container_engine_t random_device_t:chr_file mounton;
allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
allow container_engine_t urandom_device_t:chr_file mounton;
allow container_engine_t zero_device_t:chr_file mounton;
allow container_engine_t container_file_t:sock_file mounton;
allow container_engine_t container_runtime_tmpfs_t:dir ioctl;
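Review bot: granting `ioctl` alone on `container_runtime_tmpfs_t:dir` is almost never the end of the chain: a process issuing an ioctl on a directory has normally already had to search and open it, so the next test run is likely to surface a `search`, `open` or `read` denial on the same type, which is the "AVCs come in pairs" point raised in review. Use `list_dir_perms` as suggested (it bundles `ioctl` with the read and search permissions on a directory) rather than adding one permission per denial.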
Member

allow container_engine_t container_runtime_tmpfs_t:dir list_dir_perms;

Member

AVCs often come in pairs and show up later in testing or use, so it is always better to be a little less tight.

Signed-off-by: Peter Hunt <pehunt@redhat.com>
@haircommander
Contributor Author

updated! PTAL


Ephemeral COPR build failed. @containers/packit-build please check.


Tests failed. @containers/packit-build please check.

@rhatdan
Member

rhatdan commented Sep 16, 2024

LGTM


Ephemeral COPR build failed. @containers/packit-build please check.


Tests failed. @containers/packit-build please check.

@lsm5
Member

lsm5 commented Sep 16, 2024

/packit build
/packit test

Ignore f41 and rawhide for now. I guess f39 can be ignored too unless it's critical.

@lsm5
Member

lsm5 commented Sep 16, 2024

Problem is at https://pagure.io/fedora-infrastructure/issue/12183

I removed f41 and rawhide tests from the status check list for now. Feel free to remove others if those are blocking on unrelated issues.


Ephemeral COPR build failed. @containers/packit-build please check.


Tests failed. @containers/packit-build please check.

@lsm5
Member

lsm5 commented Sep 17, 2024

The test failures are because of f39 and el9 disablement on podman-next copr. I'm disabling those targets in #330

@haircommander
Contributor Author

@rhatdan good to merge?

@lsm5 lsm5 mentioned this pull request Sep 17, 2024
Member

@lsm5 lsm5 left a comment

LGTM

@lsm5 lsm5 merged commit bf1c37e into containers:main Sep 18, 2024
15 of 18 checks passed