From 56fe16a60790f6911aef52f2b2b175899bbf74df Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 10 Oct 2023 09:15:08 -0400
Subject: [PATCH 1/2] Allow container domains to use container_runtime_tmpfs_t as an entrypoint

Signed-off-by: Daniel J Walsh
---
 container.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/container.te b/container.te
index 12e9cf5..4b9a72d 100644
--- a/container.te
+++ b/container.te
@@ -751,7 +751,7 @@ tunable_policy(`container_connect_any',`
 #
 # spc local policy
 #
-allow spc_t { container_file_t container_var_lib_t container_ro_file_t }:file entrypoint;
+allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint;
 role system_r types spc_t;
 
 domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
@@ -884,7 +884,7 @@ container_manage_files_template(container, container)
 typeattribute container_file_t container_file_type, user_home_type;
 typeattribute container_t container_domain, container_net_domain, container_user_domain;
 allow container_user_domain self:process getattr;
-allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
+allow container_domain { container_var_lib_t container_ro_file_t container_file_t container_runtime_tmpfs_t}:file entrypoint;
 allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms;
 allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map };
 allow container_domain container_runtime_t:unix_dgram_socket sendto;

From 4b384f0a49d1d09e7e42090e7e450acad47c434c Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 10 Oct 2023 13:44:57 -0400
Subject: [PATCH 2/2] Allow container domains to ptrace themselves

Signed-off-by: Daniel J Walsh
---
 container.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/container.te b/container.te
index 4b9a72d..a05c516 100644
--- a/container.te
+++ b/container.te
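Review bot: The `container_runtime_tmpfs_t` added to the spc_t entrypoint set, and the same addition to the container_domain set in the second hunk, let a container process be started from a file type the runtime creates on tmpfs rather than from image or volume content, yet neither hunk nor the commit message records which runtime path needs this; a one-line comment above each rule would keep the intent reviewable, e.g. `# container_runtime_tmpfs_t: entrypoint binary staged by the runtime on tmpfs`. Note that `entrypoint` alone does not make the transition work — the runtime domain also needs `execute` on container_runtime_tmpfs_t, which this patch does not add; presumably that is already granted elsewhere in container.te, but it is worth confirming with sesearch before relying on it. Cosmetically, `container_runtime_tmpfs_t}:file` drops the space before `}` that the rest of these sets use; write `container_runtime_tmpfs_t }:file` in both hunks.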
@@ -1544,3 +1544,8 @@ allow container_domain fusefs_t:file { append create entrypoint execmod execute
 corecmd_entrypoint_all_executables(container_kvm_t)
 allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
 allow svirt_sandbox_domain mountpoint:file entrypoint;
+
+tunable_policy(`deny_ptrace',`',`
+ allow container_domain self:process ptrace;
+ allow spc_t self:process ptrace;
+')
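Review bot: `allow container_domain self:process ptrace` grants more than the subject line's "ptrace themselves": `self` means any process with the same type, so every process in a container_t (or spc_t) container may trace every other process of that type, with only the MCS categories keeping separate containers apart. A comment on the new rules should state that scope and the use case, e.g. `# strace/gdb inside a container; cross-container tracing is still separated by MCS` (hedged: the MCS constraint is not visible in this hunk). The empty true branch of `tunable_policy(`deny_ptrace',`',` … `')` is the usual "unless deny_ptrace" idiom, so that form is fine; since the tunable is declared outside this hunk, its default — presumably off — is what decides whether this lands enabled on every host, which the commit message should say.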