* Tue Apr 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.5-2

- Add allow rules for container_runtime_t to base_container.cil, Podman version 1.2.0 requires new allow rules.
This commit is contained in:
Lukas Vrabec 2019-04-30 14:12:42 +02:00
parent 94598a163f
commit cc9c2dc124
No known key found for this signature in database
GPG Key ID: 47201AC42F29CE06
2 changed files with 34 additions and 1 deletions

View File

@ -0,0 +1,29 @@
From 129555625ceca2d73faf862501c10fb3ee49b473 Mon Sep 17 00:00:00 2001
From: Jan Zarsky <jzarsky@redhat.com>
Date: Tue, 30 Apr 2019 11:41:10 +0200
Subject: [PATCH] Add allow rules for container_runtime_t to base_container.cil
Podman version 1.2.0 requires new allow rules.
Fixes:
type=AVC msg=audit(1556617434.540:447): avc: denied { create } for pid=4692 comm="runc:[2:INIT]" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:my_container.process:s0:c157,c366 tclass=key permissive=1
type=AVC msg=audit(1556617434.541:448): avc: denied { search } for pid=4692 comm="runc:[2:INIT]" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:my_container.process:s0:c157,c366 tclass=key permissive=1
type=AVC msg=audit(1556617434.541:449): avc: denied { view } for pid=4692 comm="runc:[2:INIT]" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:my_container.process:s0:c157,c366 tclass=key permissive=1
type=AVC msg=audit(1556617434.541:450): avc: denied { setattr } for pid=4692 comm="runc:[2:INIT]" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:my_container.process:s0:c157,c366 tclass=key permissive=1
---
udica/templates/base_container.cil | 1 +
1 file changed, 1 insertion(+)
diff --git a/udica/templates/base_container.cil b/udica/templates/base_container.cil
index 88bb39b..ab9b776 100644
--- a/udica/templates/base_container.cil
+++ b/udica/templates/base_container.cil
@@ -5,4 +5,5 @@
(typeattributeset container_domain (process ))
(allow process proc_type (file (getattr open read)))
(allow process cpu_online_t (file (getattr open read)))
+(allow container_runtime_t process (key (create link read search setattr view write)))
)
--
2.20.1

View File

@ -1,7 +1,7 @@
Summary: A tool for generating SELinux security policies for containers Summary: A tool for generating SELinux security policies for containers
Name: udica Name: udica
Version: 0.1.5 Version: 0.1.5
Release: 1%{?dist} Release: 2%{?dist}
Source0: https://github.com/containers/udica/archive/v%{version}.tar.gz Source0: https://github.com/containers/udica/archive/v%{version}.tar.gz
License: GPLv3+ License: GPLv3+
BuildArch: noarch BuildArch: noarch
@ -13,6 +13,7 @@ Requires: python3 python3-libsemanage python3-libselinux
BuildRequires: python2 python2-devel python2-setuptools BuildRequires: python2 python2-devel python2-setuptools
Requires: python2 libsemanage-python libselinux-python Requires: python2 libsemanage-python libselinux-python
%endif %endif
patch00: 0001-Add-allow-rules-for-container_runtime_t-to-base_cont.patch
%description %description
Tool for generating SELinux security profiles for containers based on Tool for generating SELinux security profiles for containers based on
@ -20,6 +21,7 @@ inspection of container JSON file.
%prep %prep
%setup -q %setup -q
%patch00 -p1
%build %build
%if 0%{?fedora} || 0%{?rhel} > 7 %if 0%{?fedora} || 0%{?rhel} > 7
@ -58,6 +60,8 @@ install -m 0644 udica/man/man8/udica.8 %{buildroot}%{_mandir}/man8/udica.8
%endif %endif
%changelog %changelog
* Tue Apr 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.5-2
- Add allow rules for container_runtime_t to base_container.cil, Podman version 1.2.0 requires new allow rules.
* Fri Apr 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.5-1 * Fri Apr 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.5-1
- Create mock selinux and semanage module - Create mock selinux and semanage module
- Update testing section in README - Update testing section in README