Daniel J Walsh
37b78d28ce
Add rules for container domains to make writing custom policy easier
...
Allow shell_exec_t as a container_runtime_t entrypoint
2018-03-14 09:39:06 -04:00
Daniel J Walsh
69afd19c0a
Add rules for container domains to make writing custom policy easier
2018-03-08 14:33:17 +00:00
Daniel J Walsh
b658aee2f1
Allow shell_exec_t as a container_runtime_t entrypoint
2018-03-08 07:54:07 +00:00
Daniel J Walsh
5a5bf66b86
Allow bin_t as a container_runtime_t entrypoint
...
Add rules for running container runtimes on mls
2018-03-07 05:59:10 +00:00
Daniel J Walsh
9a7a65d0b5
Allow container domains to map container_file_t directories
2018-02-15 12:55:50 -05:00
Daniel J Walsh
f8193b5e32
Change default label of /exports to container_var_lib_t
2018-02-10 07:18:48 -05:00
Igor Gnatenko
a7071bc06f
Escape macros in %changelog
...
Reference: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/Y2ZUKK2B7T2IKXPMODNF6HB2O5T5TS6H/
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-09 09:04:17 +01:00
Fedora Release Engineering
07b6801caf
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-02-07 05:40:38 +00:00
Daniel J Walsh
3b45b2783a
Add support for nosuid_transition flags for container_runtime and unconfined domains
2018-02-03 06:17:13 -05:00
Daniel J Walsh
1b20654010
Allow containers to sendto their own stream sockets
2018-02-02 13:40:54 -05:00
Daniel J Walsh
5b2867045c
Allow container domains to read kernel ipc info
2018-01-29 06:58:52 +01:00
Daniel J Walsh
a7ce3135c2
Allow containers to memory map the fifo_files leaked into container from
...
container runtimes.
2018-01-22 09:40:35 -05:00
Daniel J Walsh
a4c374a14d
Allow unconfined domains to transition to container types, when no-new-privs is set.
2018-01-16 13:56:33 -05:00
Daniel J Walsh
15578313e4
Add support to nnp_transition for container domains
...
Eliminates need for typebounds.
2018-01-09 11:47:20 -05:00
Daniel J Walsh
a8518096d5
Allow container_runtime_t to use user ttys
...
Fixes bounds check for container_t
2018-01-09 09:30:05 -05:00
Daniel J Walsh
64fe9d8cb1
Allow container runtimes to use inherited terminals. This helps
...
satisfy the bounds check of container_t versus container_runtime_t.
2018-01-08 08:41:05 -05:00
Daniel J Walsh
98e715e396
Allow container runtimes to mmap container_file_t devices
...
Add labeling for rhel push plugin
2018-01-06 07:34:20 -05:00
Daniel J Walsh
aaa91fd2cc
Merge branch 'master' of ssh://pkgs.fedoraproject.org/rpms/container-selinux
2017-12-12 13:11:36 +00:00
Daniel J Walsh
e0502dafa3
Allow containers to use inherited ttys
...
Allow ostree to handle labels under /var/lib/containers/ostree
2017-12-12 13:11:14 +00:00
Lokesh Mandvekar
0ce8700159
remove git from builddep
...
can't find git in the module ecosystem and git isn't critical for
package build.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2017-12-03 21:38:21 -05:00
Daniel J Walsh
7f79cfab64
Allow containers to relabelto/from all file types to container_file_t
2017-11-27 14:57:52 +00:00
Daniel J Walsh
751a4e3fee
Allow container to map chr_files labeled container_file_t
2017-11-27 14:43:49 +00:00
Daniel J Walsh
8ed545a6c5
Allow container to map chr_files labeled container_file_t
2017-11-27 13:21:48 +00:00
Daniel J Walsh
4e9b7c333a
Dontaudit container processes getattr on kernel file systems
2017-11-22 15:35:20 +00:00
Daniel J Walsh
cc32bab0b3
Allow containers to read /etc/resolv.conf and /etc/hosts if volume
...
mounted into container.
2017-11-19 11:41:27 +00:00
Daniel J Walsh
be0a39a792
Make sure users creating content in /var/lib with right labels
2017-11-08 21:10:33 +00:00
Daniel J Walsh
31963a3bb5
Allow the container runtime to dbus chat with dnsmasq
...
add dontaudit rules for container trying to write to /proc
2017-10-26 11:38:02 +00:00
Daniel J Walsh
b99f18b8ce
Add support for lxcd
...
Add support for labeling of tmpfs storage created within a container.
2017-10-10 16:17:55 +00:00
Daniel J Walsh
ecb1760cbb
Allow a container to umount a container_file_t filesystem
2017-10-09 13:29:39 +00:00
Daniel J Walsh
5a61b6808a
Allow container runtimes to work with the netfilter sockets
...
Allow container_file_t to be an entrypoint for VMs
Allow spc_t domains to transition to svirt_t
2017-10-04 09:10:48 +00:00
Daniel J Walsh
c6e706af6d
Make sure container_runtime_t has all access of container_t
2017-09-22 11:08:40 +00:00
Daniel J Walsh
652d659338
Allow container runtimes to create sockets in tmp dirs
2017-09-07 09:01:16 +00:00
Daniel J Walsh
b74f4a298b
Allow container runtimes to create sockets in tmp dirs
2017-09-07 08:43:48 +00:00
Daniel J Walsh
1aad223080
Add additional support for crio labeling.
2017-09-05 20:40:09 +00:00
Troy Dawson
9a3633bb6b
Fixup spec file conditionals
2017-08-14 13:16:08 -07:00
Fedora Release Engineering
5cb66e7ed3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
2017-07-26 05:26:19 +00:00
Daniel J Walsh
bb6875d358
Allow containers to execmod on container_share_t files.
2017-07-11 17:36:41 +00:00
Daniel J Walsh
852a09a52f
Relabel runc and crio executables
2017-07-06 10:47:14 +00:00
Daniel J Walsh
ef7772c664
Allow container processes to getsession
2017-06-30 15:53:25 +00:00
Daniel J Walsh
fbb3cfcf9a
Allow containers to create tun sockets
2017-06-12 18:13:46 +00:00
Daniel J Walsh
f7112ead8f
Fix labeling for CRI-O files in overlay subdirs
2017-06-06 19:46:53 +00:00
Daniel J Walsh
35b5399d15
Fix labeling for CRI-O files in overlay subdirs
2017-06-06 19:28:56 +00:00
Daniel J Walsh
590defb1b5
Revert change to run the container_runtime as ranged
2017-06-05 20:10:25 +00:00
Daniel J Walsh
4868764a43
Add default labeling for cri-o in /etc/crio directories
2017-06-01 21:47:32 +00:00
Daniel J Walsh
379ddc4b04
Allow container types to read/write container_runtime fifo files
...
Allow a container runtime to mount on top of its own /proc
2017-05-31 12:28:03 +00:00
Dan Walsh
1b640cb851
Add labels for crio rename
...
Break container_t rules out to use a separate container_domain
Allow containers to be able to set namespaced SYSCTLS
Allow sandbox containers to manage fuse files.
Fixes to make container_runtimes work on MLS machines
Bump version to allow handling of container_file_t filesystems
Allow containers to mount, remount and umount container_file_t file systems
Fixes to handle cap_userns
Give container_t access to XFRM sockets
Allow spc_t to dbus chat with init system
Allow spc_t to dbus chat with init system
Add rules to allow container runtimes to run with unconfined disabled
Add rules to support cgroup file systems mounted into container.
Fix typebounds entrypoint problems
Fix typebounds problems
Add typebounds statement for container_t from container_runtime_t
We should only label runc not runc*
2017-05-19 07:21:02 -04:00
Dan Walsh
ed21ef74dc
Add labels for crio rename
...
Break container_t rules out to use a separate container_domain
Allow containers to be able to set namespaced SYSCTLS
Allow sandbox containers to manage fuse files.
Fixes to make container_runtimes work on MLS machines
Bump version to allow handling of container_file_t filesystems
Allow containers to mount, remount and umount container_file_t file systems
Fixes to handle cap_userns
Give container_t access to XFRM sockets
Allow spc_t to dbus chat with init system
Allow spc_t to dbus chat with init system
Add rules to allow container runtimes to run with unconfined disabled
Add rules to support cgroup file systems mounted into container.
Fix typebounds entrypoint problems
Fix typebounds problems
Add typebounds statement for container_t from container_runtime_t
We should only label runc not runc*
2017-05-19 07:19:44 -04:00
Daniel J Walsh
d6c9f15f16
Add rules to allow container runtimes to run with unconfined disabled
...
Add rules to support cgroup file systems mounted into container.
2017-02-28 13:47:46 -05:00
Daniel J Walsh
068028a20c
Add rules to allow container_runtimes to run with unconfined disabled
2017-02-13 06:36:05 -08:00
Daniel J Walsh
4e04f9adef
Add rules to allow container_runtimes to run with unconfined disabled
2017-02-13 05:33:06 -08:00