udica/0001-Add-allow-rules-for-container_runtime_t-to-base_cont.patch

From 129555625ceca2d73faf862501c10fb3ee49b473 Mon Sep 17 00:00:00 2001
From: Jan Zarsky <jzarsky@redhat.com>
Date: Tue, 30 Apr 2019 11:41:10 +0200
Subject: [PATCH] Add allow rules for container_runtime_t to base_container.cil

Podman version 1.2.0 requires new allow rules.

Fixes:
type=AVC msg=audit(1556617434.540:447): avc:  denied  { create } for  pid=4692 comm="runc:[2:INIT]" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:my_container.process:s0:c157,c366 tclass=key permissive=1
type=AVC msg=audit(1556617434.541:448): avc:  denied  { search } for  pid=4692 comm="runc:[2:INIT]" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:my_container.process:s0:c157,c366 tclass=key permissive=1
type=AVC msg=audit(1556617434.541:449): avc:  denied  { view } for  pid=4692 comm="runc:[2:INIT]" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:my_container.process:s0:c157,c366 tclass=key permissive=1
type=AVC msg=audit(1556617434.541:450): avc:  denied  { setattr } for  pid=4692 comm="runc:[2:INIT]" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:my_container.process:s0:c157,c366 tclass=key permissive=1
---
 udica/templates/base_container.cil | 1 +
 1 file changed, 1 insertion(+)

diff --git a/udica/templates/base_container.cil b/udica/templates/base_container.cil
index 88bb39b..ab9b776 100644
--- a/udica/templates/base_container.cil
+++ b/udica/templates/base_container.cil
@@ -5,4 +5,5 @@
 (typeattributeset container_domain (process ))
 (allow process proc_type (file (getattr open read)))
 (allow process cpu_online_t (file (getattr open read)))
+(allow container_runtime_t process (key (create link read search setattr view write)))
 )
-- 
2.20.1
* Tue Apr 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.5-2 - Add allow rules for container_runtime_t to base_container.cil, Podman version 1.2.0 requires new allow rules. 2019-04-30 12:12:42 +00:00			`From 129555625ceca2d73faf862501c10fb3ee49b473 Mon Sep 17 00:00:00 2001`
			`From: Jan Zarsky <jzarsky@redhat.com>`
			`Date: Tue, 30 Apr 2019 11:41:10 +0200`
			`Subject: [PATCH] Add allow rules for container_runtime_t to base_container.cil`

			`Podman version 1.2.0 requires new allow rules.`

			`Fixes:`
			`type=AVC msg=audit(1556617434.540:447): avc: denied { create } for pid=4692 comm="runc:[2:INIT]" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:my_container.process:s0:c157,c366 tclass=key permissive=1`
			`type=AVC msg=audit(1556617434.541:448): avc: denied { search } for pid=4692 comm="runc:[2:INIT]" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:my_container.process:s0:c157,c366 tclass=key permissive=1`
			`type=AVC msg=audit(1556617434.541:449): avc: denied { view } for pid=4692 comm="runc:[2:INIT]" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:my_container.process:s0:c157,c366 tclass=key permissive=1`
			`type=AVC msg=audit(1556617434.541:450): avc: denied { setattr } for pid=4692 comm="runc:[2:INIT]" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:my_container.process:s0:c157,c366 tclass=key permissive=1`
			`---`
			`udica/templates/base_container.cil \| 1 +`
			`1 file changed, 1 insertion(+)`

			`diff --git a/udica/templates/base_container.cil b/udica/templates/base_container.cil`
			`index 88bb39b..ab9b776 100644`
			`--- a/udica/templates/base_container.cil`
			`+++ b/udica/templates/base_container.cil`
			`@@ -5,4 +5,5 @@`
			`(typeattributeset container_domain (process ))`
			`(allow process proc_type (file (getattr open read)))`
			`(allow process cpu_online_t (file (getattr open read)))`
			`+(allow container_runtime_t process (key (create link read search setattr view write)))`
			`)`
			`--`
			`2.20.1`