From 5b3643784bc2edef690fbd971305e68528f17876 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 18 Apr 2022 15:15:34 +0000
Subject: [PATCH 04/35] Add compatibility for container-selinux

MSFT_TAG: Not upstreamable
---
 policy/modules/services/container.if | 337 ++++++++++++++++++++
 policy/modules/services/container_compat.fc | 1 +
 policy/modules/services/container_compat.if | 1 +
 policy/modules/services/container_compat.te | 202 ++++++++++++
 4 files changed, 541 insertions(+)
 create mode 100644 policy/modules/services/container_compat.fc
 create mode 100644 policy/modules/services/container_compat.if
 create mode 100644 policy/modules/services/container_compat.te

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 16b146022..86aff4734 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -847,6 +847,65 @@ interface(`container_manage_dirs',`
 manage_dirs_pattern($1, container_file_t, container_file_t)
 ')
+########################################
+##
+## Allow the specified domain to
+## relabel from and to container file directory type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_relabel_dirs',`
+ gen_require(`
+ type container_file_t;
+ ')
+
+ relabel_dirs_pattern($1, container_file_t, container_file_t)
+')
+
+########################################
+##
+## Allow the specified domain to mmap executable
+## container files with text relocations.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_textrel_mmap_exec_files',`
+ gen_require(`
+ type container_file_t;
+ ')
+
+ mmap_exec_files_pattern($1, container_file_t, container_file_t)
+ allow $1 container_file_t:file execmod;
+')
+
+########################################
+##
+## Allow the specified domain to execute
+## container files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_exec_files',`
+ gen_require(`
+ type container_file_t;
+ ')
+
+ can_exec($1, container_file_t)
+')
+
+
 ########################################
 ##
 ## Allow the specified domain to
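Review bot: `container_textrel_mmap_exec_files` grants `execmod` on container_file_t on top of the mmap-exec pattern, which lets a mapping of such a file be modified and still executed (text relocations), so every caller gives up the W^X protection for that type; the summary names text relocations but not that consequence. The same applies to `container_textrel_mmap_exec_ro_files` in the @@ -980 hunk. Suggest extending both summaries with `##	This also grants execmod, which permits executable mappings to be modified;` / `##	callers that do not need text relocations should use a plain exec/mmap interface.`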
@@ -866,6 +925,44 @@ interface(`container_manage_files',`
 manage_files_pattern($1, container_file_t, container_file_t)
 ')
+########################################
+##
+## Allow the specified domain to
+## relabel from and to container file type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_relabel_files',`
+ gen_require(`
+ type container_file_t;
+ ')
+
+ relabel_files_pattern($1, container_file_t, container_file_t)
+')
+
+########################################
+##
+## Allow the specified domain to use container files
+## as an entrypoint.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_file_entrypoint',`
+ gen_require(`
+ type container_file_t;
+ ')
+
+ allow $1 container_file_t:file entrypoint;
+')
+
 ########################################
 ##
 ## Allow the specified domain to
@@ -923,6 +1020,44 @@ interface(`container_manage_sock_files',`
 manage_sock_files_pattern($1, container_file_t, container_file_t)
 ')
+########################################
+##
+## Allow the specified domain to set
+## the attributes of container block files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_setattr_blk_files',`
+ gen_require(`
+ type container_file_t;
+ ')
+
+ allow $1 container_file_t:blk_file setattr;
+')
+
+########################################
+##
+## Allow the specified domain to read
+## and write container block files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_rw_blk_files',`
+ gen_require(`
+ type container_file_t;
+ ')
+
+ allow $1 container_file_t:blk_file rw_blk_file_perms;
+')
+
 ########################################
 ##
 ## Allow the specified domain to read
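Review bot: `container_file_entrypoint` makes container_file_t a valid entrypoint for the caller while the same type is fully writable through `container_manage_files`, and container_compat.te applies both to svirt_sandbox_domain, so a domain can be entered through a binary it can itself rewrite; that removes the integrity an entrypoint type normally carries. The summary should make that explicit, e.g. `##	container_file_t is writable by container domains, so this` / `##	provides no integrity guarantee for the entrypoint binary.`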
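Review bot: In the @@ -923 hunk, `container_rw_blk_files` grants `rw_blk_file_perms` on container_file_t block device nodes, which is direct read/write access to the underlying device rather than to a file, and the summary "read and write container block files" does not convey that. Suggest `##	Read and write block device nodes labeled container_file_t.` / `##	This is direct device access, not regular file access.`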
@@ -980,6 +1115,102 @@ interface(`container_manage_chr_files',`
 manage_chr_files_pattern($1, container_file_t, container_file_t)
 ')
+########################################
+##
+## Allow the specified domain to
+## list read-only container file directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_list_ro_dirs',`
+ gen_require(`
+ type container_ro_file_t;
+ ')
+
+ list_dirs_pattern($1, container_ro_file_t, container_ro_file_t)
+')
+
+########################################
+##
+## Allow the specified domain to
+## read read-only container files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_read_ro_files',`
+ gen_require(`
+ type container_ro_file_t;
+ ')
+
+ read_files_pattern($1, container_ro_file_t, container_ro_file_t)
+')
+
+########################################
+##
+## Allow the specified domain to mmap executable
+## read-only container files with text relocations.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_textrel_mmap_exec_ro_files',`
+ gen_require(`
+ type container_ro_file_t;
+ ')
+
+ mmap_exec_files_pattern($1, container_ro_file_t, container_ro_file_t)
+ allow $1 container_ro_file_t:file execmod;
+')
+
+########################################
+##
+## Allow the specified domain to execute
+## read-only container files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_exec_ro_files',`
+ gen_require(`
+ type container_ro_file_t;
+ ')
+
+ can_exec($1, container_ro_file_t)
+')
+
+########################################
+##
+## Allow the specified domain to
+## read read-only container symlinks.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_read_ro_symlinks',`
+ gen_require(`
+ type container_ro_file_t;
+ ')
+
+ read_lnk_files_pattern($1, container_ro_file_t, container_ro_file_t)
+')
+
 ########################################
 ##
 ## Allow the specified domain to
@@ -1408,6 +1639,25 @@ interface(`container_search_var_lib',`
 allow $1 container_var_lib_t:dir search_dir_perms;
 ')
+########################################
+##
+## Allow the specified domain to read
+## container files in /var/lib.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_read_var_lib_files',`
+ gen_require(`
+ type container_var_lib_t;
+ ')
+
+ read_files_pattern($1, container_var_lib_t, container_var_lib_t)
+')
+
 ########################################
 ##
 ## Allow the specified domain to manage
@@ -1465,6 +1715,37 @@ interface(`container_manage_var_lib_sock_files',`
 manage_sock_files_pattern($1, container_var_lib_t, container_var_lib_t)
 ')
+########################################
+##
+## Allow the specified domain to create
+## objects in container /var/lib directories with
+## an automatic type transition to the
+## specified type
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`container_var_lib_filetrans',`
+ gen_require(`
+ type container_var_lib_t;
+ ')
+
+ filetrans_pattern($1, container_var_lib_t, $2, $3, $4)
+')
+
 ########################################
 ##
 ## Allow the specified domain to create
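Review bot: The doc block of `container_var_lib_filetrans` in the @@ -1465 hunk describes three parameters (domain, object class, name) but the body passes four, `filetrans_pattern($1, container_var_lib_t, $2, $3, $4)`, so `$2`, the type the created object transitions to, is undocumented and a reader counting the documented params will pass the class in its place. Add a `<param name="private_type">` entry between the domain and class entries with the summary `##	The type of the object to be created.`, and mark the name parameter `optional="true"`, since the call in container_compat.te omits it.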
@@ -1518,6 +1799,62 @@ interface(`container_start_units',`
 allow $1 container_unit_t:service start;
 ')
+########################################
+##
+## Write pipes inherited from dockerd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_write_inherited_dockerd_pipes',`
+ gen_require(`
+ type dockerd_t;
+ ')
+
+ allow $1 dockerd_t:fd use;
+ allow $1 dockerd_t:fifo_file write_inherited_file_perms;
+')
+
+########################################
+##
+## Connect to privileged containers using an abstract stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_abstract_connect_privileged',`
+ gen_require(`
+ type spc_t;
+ ')
+
+ allow $1 spc_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Write pipes inherited from privileged containers.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_write_inherited_privileged_pipes',`
+ gen_require(`
+ type spc_t;
+ ')
+
+ allow $1 spc_t:fd use;
+ allow $1 spc_t:fifo_file write_inherited_file_perms;
+')
+
 ########################################
 ##
 ## All of the rules required to
diff --git a/policy/modules/services/container_compat.fc b/policy/modules/services/container_compat.fc
new file mode 100644
index 000000000..4a06a34d0
--- /dev/null
+++ b/policy/modules/services/container_compat.fc
@@ -0,0 +1 @@
+# No file contexts for this module.
diff --git a/policy/modules/services/container_compat.if b/policy/modules/services/container_compat.if
new file mode 100644
index 000000000..0afc9662b
--- /dev/null
+++ b/policy/modules/services/container_compat.if
@@ -0,0 +1 @@
+## Compatibility policy for container-selinux.
diff --git a/policy/modules/services/container_compat.te b/policy/modules/services/container_compat.te
new file mode 100644
index 000000000..945d86562
--- /dev/null
+++ b/policy/modules/services/container_compat.te
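Review bot: `container_abstract_connect_privileged` and `container_write_inherited_privileged_pipes` give the caller `connectto` on spc_t stream sockets and fd/fifo write access to spc_t, and container_compat.te applies both to every svirt_sandbox_domain, so these interfaces are a channel from sandboxed containers into the privileged container type; neither summary says that the peer is the privileged side of that boundary. Suggest stating it, e.g. `##	Connect to unix stream sockets of spc_t (privileged containers).` / `##	This crosses the sandbox/privileged container boundary.`, with matching wording on the pipes interface. `container_write_inherited_dockerd_pipes` likewise names dockerd_t without saying which engine type that resolves to in this policy, which is worth a line in its summary.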
@@ -0,0 +1,202 @@
+policy_module(container_compat)
+
+gen_require(`
+ class passwd rootok;
+')
+
+# kubevirt expects these attributes in the policy module it deploys
+attribute sandbox_net_domain;
+attribute svirt_sandbox_domain;
+
+########################################
+#
+# sandbox_net_domain local policy
+#
+# This is derived from the Fedora SELinux policy,
+# revised for Reference Policy types and interfaces.
+
+kernel_read_network_state(sandbox_net_domain)
+
+allow sandbox_net_domain self:capability { net_raw net_admin net_bind_service };
+allow sandbox_net_domain self:cap_userns { net_raw net_admin net_bind_service };
+
+allow sandbox_net_domain self:udp_socket create_socket_perms;
+allow sandbox_net_domain self:tcp_socket create_stream_socket_perms;
+allow sandbox_net_domain self:netlink_route_socket create_netlink_socket_perms;
+allow sandbox_net_domain self:packet_socket create_socket_perms;
+allow sandbox_net_domain self:socket create_socket_perms;
+allow sandbox_net_domain self:rawip_socket create_stream_socket_perms;
+allow sandbox_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+corenet_tcp_bind_generic_node(sandbox_net_domain)
+corenet_udp_bind_generic_node(sandbox_net_domain)
+corenet_raw_bind_generic_node(sandbox_net_domain)
+corenet_udp_bind_all_ports(sandbox_net_domain)
+corenet_tcp_bind_all_ports(sandbox_net_domain)
+corenet_tcp_connect_all_ports(sandbox_net_domain)
+
+optional_policy(`
+ sssd_stream_connect(sandbox_net_domain)
+')
+
+optional_policy(`
+ systemd_dbus_chat_logind(sandbox_net_domain)
+')
+
+########################################
+#
+# svirt_sandbox_domain local policy
+#
+# This is derived from the Fedora SELinux policy,
+# revised for Reference Policy types and interfaces.
+
+allow svirt_sandbox_domain self:key manage_key_perms;
+dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search;
+
+allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
+allow svirt_sandbox_domain self:fifo_file manage_file_perms;
+allow svirt_sandbox_domain self:msg all_msg_perms;
+allow svirt_sandbox_domain self:sem create_sem_perms;
+allow svirt_sandbox_domain self:shm create_shm_perms;
+allow svirt_sandbox_domain self:msgq create_msgq_perms;
+allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
+allow svirt_sandbox_domain self:passwd rootok;
+allow svirt_sandbox_domain self:filesystem associate;
+allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_list_all_proc(svirt_sandbox_domain)
+kernel_read_all_sysctls(svirt_sandbox_domain)
+kernel_rw_net_sysctls(svirt_sandbox_domain)
+kernel_rw_unix_sysctls(svirt_sandbox_domain)
+kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
+#kernel_dontaudit_access_check_proc(svirt_sandbox_domain)
+#kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain)
+kernel_dontaudit_setattr_proc_dirs(svirt_sandbox_domain)
+#kernel_dontaudit_write_usermodehelper_state(svirt_sandbox_domain)
+
+corecmd_exec_all_executables(svirt_sandbox_domain)
+
+#domain_dontaudit_link_all_domains_keyrings(svirt_sandbox_domain)
+#domain_dontaudit_search_all_domains_keyrings(svirt_sandbox_domain)
+
+files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
+files_dontaudit_getattr_all_files(svirt_sandbox_domain)
+files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
+files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
+files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
+files_search_all_mountpoints(svirt_sandbox_domain)
+files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
+files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
+
+#files_entrypoint_all_mountpoint(svirt_sandbox_domain)
+#corecmd_entrypoint_all_executables(svirt_sandbox_domain)
+
+files_search_all(svirt_sandbox_domain)
+files_read_usr_symlinks(svirt_sandbox_domain)
+files_search_locks(svirt_sandbox_domain)
+#files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain)
+#fs_rw_cephfs_files(svirt_sandbox_domain)
+
+fs_getattr_all_fs(svirt_sandbox_domain)
+#fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
+#fs_read_hugetlbfs_files(svirt_sandbox_domain)
+fs_read_tmpfs_symlinks(svirt_sandbox_domain)
+fs_search_tmpfs(svirt_sandbox_domain)
+fs_rw_hugetlbfs_files(svirt_sandbox_domain)
+
+#auth_dontaudit_read_passwd(svirt_sandbox_domain)
+auth_dontaudit_read_login_records(svirt_sandbox_domain)
+auth_dontaudit_write_login_records(svirt_sandbox_domain)
+auth_search_pam_console_data(svirt_sandbox_domain)
+
+#init_dontaudit_read_utmp(svirt_sandbox_domain)
+init_dontaudit_write_utmp(svirt_sandbox_domain)
+
+libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
+
+#miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
+miscfiles_read_fonts(svirt_sandbox_domain)
+miscfiles_read_hwdata(svirt_sandbox_domain)
+
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+#userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+#userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(svirt_sandbox_domain)
+ fs_manage_nfs_files(svirt_sandbox_domain)
+ fs_manage_nfs_named_sockets(svirt_sandbox_domain)
+ fs_manage_nfs_symlinks(svirt_sandbox_domain)
+ fs_mount_nfs(svirt_sandbox_domain)
+ fs_unmount_nfs(svirt_sandbox_domain)
+ fs_exec_nfs_files(svirt_sandbox_domain)
+ kernel_rw_fs_sysctls(svirt_sandbox_domain)
+')
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_files(svirt_sandbox_domain)
+ fs_manage_cifs_dirs(svirt_sandbox_domain)
+ fs_manage_cifs_named_sockets(svirt_sandbox_domain)
+ fs_manage_cifs_symlinks(svirt_sandbox_domain)
+ fs_exec_cifs_files(svirt_sandbox_domain)
+')
+
+optional_policy(`
+ tunable_policy(`virt_sandbox_share_apache_content',`
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
+ ')
+')
+
+optional_policy(`
+ allow svirt_sandbox_domain self:capability { audit_write chown fowner fsetid sys_nice };
+ allow svirt_sandbox_domain self:netlink_audit_socket { create read write };
+
+ dev_read_sysfs(svirt_sandbox_domain)
+ dev_getattr_mtrr_dev(svirt_sandbox_domain)
+ #dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
+
+ fs_read_cgroup_files(svirt_sandbox_domain)
+ #fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
+
+ container_list_ro_dirs(svirt_sandbox_domain)
+ container_read_ro_files(svirt_sandbox_domain)
+ container_read_ro_symlinks(svirt_sandbox_domain)
+ container_textrel_mmap_exec_ro_files(svirt_sandbox_domain)
+ container_exec_ro_files(svirt_sandbox_domain)
+
+ container_manage_dirs(svirt_sandbox_domain)
+ container_manage_files(svirt_sandbox_domain)
+ container_textrel_mmap_exec_files(svirt_sandbox_domain)
+ container_exec_files(svirt_sandbox_domain)
+ container_manage_lnk_files(svirt_sandbox_domain)
+ container_manage_sock_files(svirt_sandbox_domain)
+ container_manage_fifo_files(svirt_sandbox_domain)
+ container_setattr_blk_files(svirt_sandbox_domain)
+ container_rw_blk_files(svirt_sandbox_domain)
+ container_relabel_dirs(svirt_sandbox_domain)
+ container_relabel_files(svirt_sandbox_domain)
+ container_var_lib_filetrans(svirt_sandbox_domain, container_file_t, sock_file)
+
+ #allow svirt_sandbox_domain container_file_t:dir mounton;
+ #allow svirt_sandbox_domain container_file_t:filesystem { getattr remount };
+
+ container_use_container_ptys(svirt_sandbox_domain)
+ container_file_entrypoint(svirt_sandbox_domain)
+ container_read_var_lib_files(svirt_sandbox_domain)
+ container_write_inherited_dockerd_pipes(svirt_sandbox_domain)
+ container_abstract_connect_privileged(svirt_sandbox_domain)
+ container_write_inherited_privileged_pipes(svirt_sandbox_domain)
+
+ allow spc_t svirt_sandbox_domain:process transition;
+')
+
+optional_policy(`
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
+
+optional_policy(`
+ udev_read_runtime_files(svirt_sandbox_domain)
+')
--
2.34.1
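Review bot: `allow spc_t svirt_sandbox_domain:process transition;` at the end of the third optional_policy block references spc_t, a type owned by the container module, from a raw rule without a gen_require in this module; it only resolves because `container_abstract_connect_privileged` earlier in the same block requires spc_t, so reordering or dropping that call would break the build. Move the rule into an interface in container.if that grants spc_t `process transition` to the given domain and call it here, which is how every other cross-module access in the block is expressed. The many commented-out Fedora calls (`#kernel_dontaudit_access_check_proc`, `#fs_rw_cephfs_files`, `#allow svirt_sandbox_domain container_file_t:dir mounton;`, …) would also benefit from one comment stating why they are kept, presumably `# Fedora-only interfaces with no Reference Policy equivalent; kept for traceability.`, so a later reader does not mistake them for rules that were meant to be enabled.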