feat: add back cil files without references to container-selinux (#25)

RoyalOughtness · secureblue-bot · commit f56dabda67ca · 2025-12-08T02:42:12.000Z
diff --git a/cil/grant_fm_userns.cil b/cil/grant_fm_userns.cil
@@ -0,0 +1,7 @@
+(typeattribute file_manager_type)
+(typeattributeset file_manager_type (nautilus_t thunar_t))
+
+(typeattribute file_manager_exec_type)
+(typeattributeset file_manager_exec_type (nautilus_exec_t thunar_exec_t))
+
+(allow file_manager_type self (user_namespace (create)))
diff --git a/cil/grant_systemd_flatpak_exec.cil b/cil/grant_systemd_flatpak_exec.cil
@@ -0,0 +1,5 @@
+;; SPDX-FileCopyrightText 2025 The Secureblue Authors
+;;
+;; SPDX-License-Identifier: Apache-2.0 OR MIT
+
+(allow init_t flatpak_exec_t (file (execute execute_no_trans open read map)))
diff --git a/cil/grant_userns.cil b/cil/grant_userns.cil
@@ -0,0 +1,6 @@
+;; SPDX-FileCopyrightText 2025 The Secureblue Authors
+;;
+;; SPDX-License-Identifier: Apache-2.0 OR MIT
+
+(allow colord_t self (user_namespace (create)))
+(allow devicekit_power_t self (user_namespace (create)))
diff --git a/cil/harden_userns.cil b/cil/harden_userns.cil
@@ -0,0 +1,6 @@
+;; SPDX-FileCopyrightText 2025 The Secureblue Authors
+;;
+;; SPDX-License-Identifier: Apache-2.0 OR MIT
+
+(deny userdomain self (user_namespace (create)))
+(deny unconfined_service_t self (user_namespace (create)))
diff --git a/cil/unbreak_thunar_thumbs.cil b/cil/unbreak_thunar_thumbs.cil
@@ -0,0 +1,3 @@
+(allow thumb_t tmp_t (dir (mounton)))
+(allow thumb_t tmpfs_t (filesystem (mount unmount)))
+(allow thumb_t devpts_t (filesystem (mount)))
diff --git a/cil/userns_deny_unconfined_relabels.cil b/cil/userns_deny_unconfined_relabels.cil
@@ -0,0 +1,19 @@
+;; SPDX-FileCopyrightText 2025 The Secureblue Authors
+;;
+;; SPDX-License-Identifier: Apache-2.0 OR MIT
+
+(typeattribute userns_privileged_file_type)
+(typeattributeset userns_privileged_file_type (colord_exec_t devicekit_power_exec_t docker_exec_t file_manager_exec_type flatpak_exec_t kubelet_exec_t systemsettings_exec_t trivalent_exec_t trivalent_script_exec_t))
+
+(typeattribute userns_relabel_allowed)
+(typeattributeset userns_relabel_allowed (init_t initrc_t install_t kernel_t))
+
+(typeattribute userns_relabel_restricted)
+(typeattributeset userns_relabel_restricted (and (domain) (not (userns_relabel_allowed))))
+
+(deny userns_relabel_restricted userns_privileged_file_type (blk_file (relabelfrom relabelto)))
+(deny userns_relabel_restricted userns_privileged_file_type (chr_file (relabelfrom relabelto)))
+(deny userns_relabel_restricted userns_privileged_file_type (dir (relabelfrom relabelto)))
+(deny userns_relabel_restricted userns_privileged_file_type (fifo_file (relabelfrom relabelto)))
+(deny userns_relabel_restricted userns_privileged_file_type (file (relabelfrom relabelto)))
+(deny userns_relabel_restricted userns_privileged_file_type (lnk_file (relabelfrom relabelto)))

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+(allow thumb_t tmp_t (dir (mounton)))`
	`2`	`+(allow thumb_t tmpfs_t (filesystem (mount unmount)))`
	`3`	`+(allow thumb_t devpts_t (filesystem (mount)))`