Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package container-selinux for 
openSUSE:Factory checked in at 2023-01-20 17:38:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/container-selinux (Old)
 and      /work/SRC/openSUSE:Factory/.container-selinux.new.32243 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "container-selinux"

Fri Jan 20 17:38:16 2023 rev:15 rq:1059620 version:2.198.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/container-selinux/container-selinux.changes      
2023-01-14 20:30:48.904893000 +0100
+++ 
/work/SRC/openSUSE:Factory/.container-selinux.new.32243/container-selinux.changes
   2023-01-20 17:38:22.400419389 +0100
@@ -1,0 +2,27 @@
+Mon Jan 16 12:47:34 UTC 2023 - Frederic Crozat <fcro...@suse.com>
+
+- Update to version 2.198.0:
+  * Fix spc_t transition rules on tmpfs_t
+- Changes from 2.197.0:
+  * Add boolean containers_use_ecryptfs policy
+- Changes from 2.195.1:
+  * Readd missing allow rules for container_t
+- Changes from 2.194.0:
+  * Allow syslogd_t to use tmpfs files created by container runtime
+- Changes from 2.193.0:
+  * Allow containers to mount tmpfs_t file systems
+  * Label spc_t as a init initrc daemon
+  * Allow userdomains to run containers
+- Changes from 2.191.0:
+  * Create container_logwriter_t type
+- Changes from 2.190.1:
+  * Support BuildKit
+  * container.fc: Set label for kata-agent
+  * support nerdctl
+- Changes from 2.190.0:
+  * Packit: initial enablement
+  * Allow iptables to list directories labeled as container_file_t
+- Changes from 2.189.0:
+  * Dont audit searching other processes in /proc.
+
+-------------------------------------------------------------------

Old:
----
  v2.188.0.tar.gz

New:
----
  v2.198.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ container-selinux.spec ++++++
--- /var/tmp/diff_new_pack.AzGLNd/_old  2023-01-20 17:38:22.904422176 +0100
+++ /var/tmp/diff_new_pack.AzGLNd/_new  2023-01-20 17:38:22.908422198 +0100
@@ -26,7 +26,7 @@
 # Version of SELinux we were using
 %define selinux_policyver %(rpm -q selinux-policy --qf '%%{version}')
 Name:           container-selinux
-Version:        2.188.0
+Version:        2.198.0
 Release:        0
 Summary:        SELinux policies for container runtimes
 License:        GPL-2.0-only

++++++ v2.188.0.tar.gz -> v2.198.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.188.0/.packit.sh 
new/container-selinux-2.198.0/.packit.sh
--- old/container-selinux-2.188.0/.packit.sh    1970-01-01 01:00:00.000000000 
+0100
+++ new/container-selinux-2.198.0/.packit.sh    2023-01-05 20:57:53.000000000 
+0100
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+# Packit's default fix-spec-file often doesn't fetch version string correctly.
+# This script handles any custom processing of the dist-git spec file and gets 
used by the
+# fix-spec-file action in .packit.yaml
+
+set -eo pipefail
+
+# Get Version from HEAD
+HEAD_VERSION=$(grep '^policy_module' container.te | sed 's/[^0-9.]//g')
+
+# Generate source tarball
+git archive --prefix=container-selinux-$HEAD_VERSION/ -o 
container-selinux-$HEAD_VERSION.tar.gz HEAD
+
+# RPM Spec modifications
+
+# Fix Version
+sed -i "s/^Version:.*/Version: $HEAD_VERSION/" container-selinux.spec
+
+# Fix Release
+sed -i "s/^Release: %autorelease/Release: $PACKIT_RPMSPEC_RELEASE%{?dist}/" 
container-selinux.spec
+
+# Fix Source0
+sed -i "s/^Source0:.*.tar.gz/Source0: %{name}-$HEAD_VERSION.tar.gz/" 
container-selinux.spec
+
+# Fix autosetup
+sed -i "s/^%autosetup.*/%autosetup -Sgit -n %{name}-$HEAD_VERSION/" 
container-selinux.spec
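Review bot: HEAD_VERSION is never validated before it is spliced into the tarball name and the spec; `grep '^policy_module' container.te | sed 's/[^0-9.]//g'` yields an empty or concatenated string if the line carries no digits or matches more than once, and `set -eo pipefail` only catches a grep with no match at all. Suggest `grep -m1` plus a check such as `[[ $HEAD_VERSION =~ ^[0-9]+(\.[0-9]+)+$ ]] || exit 1` before the `git archive` and `sed -i` calls. The Source0 pattern `s/^Source0:.*.tar.gz/` also leaves both dots of `.tar.gz` unescaped; harmless here, but `\.tar\.gz` is what is meant.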
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.188.0/.packit.yaml 
new/container-selinux-2.198.0/.packit.yaml
--- old/container-selinux-2.188.0/.packit.yaml  1970-01-01 01:00:00.000000000 
+0100
+++ new/container-selinux-2.198.0/.packit.yaml  2023-01-05 20:57:53.000000000 
+0100
@@ -0,0 +1,38 @@
+# See the documentation for more information:
+# https://packit.dev/docs/configuration/
+
+upstream_package_name: container-selinux
+downstream_package_name: container-selinux
+
+jobs:
+  - job: copr_build
+    # Run on every PR
+    trigger: pull_request
+    # Defaults to x86_64 unless architecture is explicitly specified
+    targets:
+      - fedora-rawhide
+    actions:
+      post-upstream-clone:
+        - "curl -O 
https://src.fedoraproject.org/rpms/container-selinux/raw/rawhide/f/container-selinux.spec";
+      fix-spec-file:
+        - bash .packit.sh
+
+  - job: copr_build
+    trigger: pull_request
+    targets:
+      - fedora-37
+    actions:
+      post-upstream-clone:
+        - "curl -O 
https://src.fedoraproject.org/rpms/container-selinux/raw/f37/f/container-selinux.spec";
+      fix-spec-file:
+        - bash .packit.sh
+
+  - job: copr_build
+    trigger: pull_request
+    targets:
+      - fedora-36
+    actions:
+      post-upstream-clone:
+        - "curl -O 
https://src.fedoraproject.org/rpms/container-selinux/raw/f36/f/container-selinux.spec";
+      fix-spec-file:
+        - bash .packit.sh
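Review bot: the `curl -O https://src.fedoraproject.org/.../container-selinux.spec` in each post-upstream-clone action has no `-f`, so a 404 or error page from dist-git would be written to container-selinux.spec and the job would only fail later inside .packit.sh with a confusing sed error; `curl -fsSLO` fails fast on HTTP errors. If the `;` after the closing quote on those three lines is really in the file and not a mail-archive artifact, it is a YAML syntax error as well.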
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.188.0/container.fc 
new/container-selinux-2.198.0/container.fc
--- old/container-selinux-2.188.0/container.fc  2022-06-23 16:56:13.000000000 
+0200
+++ new/container-selinux-2.198.0/container.fc  2023-01-05 20:57:53.000000000 
+0100
@@ -12,6 +12,9 @@
 /usr/local/s?bin/docker.*              --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/containerd.*                --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/s?bin/containerd.*          --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/buildkitd.*         --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/buildkitd.*           --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+
 /usr/s?bin/lxc-.*                      --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/lxd-.*                      --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/lxc                 --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
@@ -25,8 +28,12 @@
 /usr/local/bin/conmon          --      
gen_context(system_u:object_r:conmon_exec_t,s0)
 /usr/local/s?bin/runc          --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/runc                        --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/buildkit-runc --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/buildkit-runc       --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/s?bin/crun          --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/crun                        --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/kata-agent    --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/kata-agent          --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/bin/container[^/]*plugin  --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/bin/rhel-push-plugin      --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/sbin/rhel-push-plugin     --      
gen_context(system_u:object_r:container_runtime_exec_t,s0)
@@ -43,10 +50,12 @@
 /usr/lib/systemd/system/docker.*               --      
gen_context(system_u:object_r:container_unit_file_t,s0)
 /usr/lib/systemd/system/lxd.*          --      
gen_context(system_u:object_r:container_unit_file_t,s0)
 /usr/lib/systemd/system/containerd.*           --      
gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/buildkit.*             --      
gen_context(system_u:object_r:container_unit_file_t,s0)
 
 /etc/docker(/.*)?              
gen_context(system_u:object_r:container_config_t,s0)
 /etc/docker-latest(/.*)?               
gen_context(system_u:object_r:container_config_t,s0)
 /etc/containerd(/.*)?          
gen_context(system_u:object_r:container_config_t,s0)
+/etc/buildkit(/.*)?            
gen_context(system_u:object_r:container_config_t,s0)
 /etc/crio(/.*)?                
gen_context(system_u:object_r:container_config_t,s0)
 /exports(/.*)?         gen_context(system_u:object_r:container_var_lib_t,s0)
 
@@ -63,8 +72,19 @@
 /var/lib/docker/overlay2(/.*)? 
gen_context(system_u:object_r:container_ro_file_t,s0)
 
 /var/lib/containerd(/.*)?      
gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/lib/containerd/[^/]*/snapshots(/.*)?      
gen_context(system_u:object_r:container_ro_file_t,s0)
+# The "snapshots" directory of containerd and BuildKit must be writable, as it 
is used as an upperdir as well as a lowerdir.
+/var/lib/containerd/[^/]*/snapshots(/.*)?      
gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/containerd/[^/]*/sandboxes(/.*)?      
gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/nerdctl(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/nerdctl/[^/]*/volumes(/.*)?   
gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lib/buildkit(/.*)?        
gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/buildkit/[^/]*/snapshots(/.*)?        
gen_context(system_u:object_r:container_file_t,s0)
+# "/var/lib/buildkit/runc-<SNAPSHOTTER>/executor" contains "resolv.conf" and 
"hosts.<RANDOM>", for OCI (runc) worker mode.
+/var/lib/buildkit/runc-.*/executor(/.*?)       
gen_context(system_u:object_r:container_ro_file_t,s0)
+# "/var/lib/buildkit/containerd-<SNAPSHOTTER>" contains resolv.conf and 
hosts.<RANDOM>, for containerd worker mode.
+# Unlike the runc-<SNAPSHOTTER> directory, this directory does not contain the 
"executor" directory inside it.
+/var/lib/buildkit/containerd-.*(/.*?)  
gen_context(system_u:object_r:container_ro_file_t,s0)
 
 HOME_DIR/\.local/share/containers/storage/overlay(/.*)?         
gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay2(/.*)?        
gen_context(system_u:object_r:container_ro_file_t,s0)
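Review bot: `/var/lib/buildkit/runc-.*/executor(/.*?)` and `/var/lib/buildkit/containerd-.*(/.*?)` write the optional group as `(/.*?)` instead of `(/.*)?` as on the neighbouring `snapshots(/.*)?` lines, so the executor and containerd-<SNAPSHOTTER> directories themselves never match this entry and get their label only from the filetrans rules in container.if; restorecon would not fix them. Separately, relabelling `/var/lib/containerd/[^/]*/snapshots(/.*)?` from container_ro_file_t to container_file_t is a real widening: every container domain, not only the runtime, gains manage, mount and relabel rights over the containerd snapshot store. The upperdir comment explains the need, but the change deserves its own changelog line.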
@@ -120,6 +140,7 @@
 /var/run/docker(/.*)?          
gen_context(system_u:object_r:container_var_run_t,s0)
 /var/run/containerd(/.*)?      
gen_context(system_u:object_r:container_var_run_t,s0)
 /var/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?            
gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
+/var/run/buildkit(/.*)?        
gen_context(system_u:object_r:container_var_run_t,s0)
 /var/run/docker\.pid           --      
gen_context(system_u:object_r:container_var_run_t,s0)
 /var/run/docker\.sock          -s      
gen_context(system_u:object_r:container_var_run_t,s0)
 /var/run/docker-client(/.*)?           
gen_context(system_u:object_r:container_var_run_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.188.0/container.if 
new/container-selinux-2.198.0/container.if
--- old/container-selinux-2.188.0/container.if  2022-06-23 16:56:13.000000000 
+0200
+++ new/container-selinux-2.198.0/container.if  2023-01-05 20:57:53.000000000 
+0100
@@ -298,11 +298,11 @@
 #
 interface(`container_manage_files',`
        gen_require(`
-               type container_files_t;
+               type container_file_t;
        ')
 
-       manage_files_pattern($1, container_files_t, container_files_t)
-       manage_lnk_files_pattern($1, container_files_t, container_files_t)
+       manage_files_pattern($1, container_file_t, container_file_t)
+       manage_lnk_files_pattern($1, container_file_t, container_file_t)
 ')
 
 ########################################
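Review bot: the `container_files_t` to `container_file_t` rename in container_manage_files (and in container_manage_dirs in the next hunk) is a bug fix rather than a cleanup: container_files_t is not a type defined anywhere else in this diff, so any caller of these interfaces previously failed at policy build, and that now matters because container.te starts calling `container_manage_files(userdomain)`. It is worth a line in the changelog.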
@@ -317,10 +317,10 @@
 #
 interface(`container_manage_dirs',`
        gen_require(`
-               type container_files_t;
+               type container_file_t;
        ')
 
-       manage_dirs_pattern($1, container_files_t, container_files_t)
+       manage_dirs_pattern($1, container_file_t, container_file_t)
 ')
 
 ########################################
@@ -507,6 +507,7 @@
     files_pid_filetrans($1, container_var_run_t, dir, "container-client")
     files_pid_filetrans($1, container_var_run_t, dir, "docker")
     files_pid_filetrans($1, container_var_run_t, dir, "containerd")
+    files_pid_filetrans($1, container_var_run_t, dir, "buildkit")
     files_pid_filetrans($1, container_var_run_t, dir, "ocid")
     files_pid_filetrans($1, container_var_run_t, dir, "containers")
     files_pid_filetrans($1, container_kvm_var_run_t, dir, "kata-containers")
@@ -519,6 +520,8 @@
     files_var_lib_filetrans($1, container_var_lib_t, dir, "docker-latest")
     files_var_filetrans($1, container_ro_file_t, dir, "kata-containers")
     files_var_lib_filetrans($1, container_ro_file_t, dir, "kata-containers")
+    files_var_lib_filetrans($1, container_var_lib_t, dir, "containerd")
+    files_var_lib_filetrans($1, container_var_lib_t, dir, "buildkit")
 
     filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "_data")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, 
"config.env")
@@ -526,7 +529,11 @@
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, 
"hostname")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, 
"resolv.conf")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, 
"sandboxes")
-    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, 
"snapshots")
+    # The "snapshots" directory of containerd and BuildKit must be writable, 
as it is used as an upperdir as well as a lowerdir.
+    # 
(lowerdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/3/fs,
+    #  
upperdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4/fs,
+    #  
workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4/work)
+    filetrans_pattern($1, container_var_lib_t, container_file_t, dir, 
"snapshots")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, 
"init")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, 
"overlay")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, 
"overlay-images")
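Review bot: `filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "snapshots")` is keyed only on the name, so any directory called snapshots that $1 creates anywhere under container_var_lib_t (for example below /var/lib/docker) is created writable as container_file_t, while container.fc only labels `/var/lib/containerd/[^/]*/snapshots` and `/var/lib/buildkit/[^/]*/snapshots` that way; a later restorecon would silently flip such a directory back. If that is acceptable, say so in the comment next to the overlayfs example paths.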
@@ -535,6 +542,24 @@
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, 
"overlay2-images")
     filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, 
"overlay2-layers")
 
+    # "/var/lib/buildkit/runc-<SNAPSHOTTER>/executor" contains "resolv.conf" 
and "hosts.<RANDOM>", for OCI (runc) worker mode.
+    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, 
"executor")
+
+    # "/var/lib/buildkit/containerd-<SNAPSHOTTER>" contains resolv.conf and 
hosts.<RANDOM>, for containerd worker mode.
+    # Unlike the runc-<SNAPSHOTTER> directory, this directory does not contain 
the "executor" directory inside it.
+    # Core snapshotters
+    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, 
"containerd-overlayfs")
+    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, 
"containerd-native")
+    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, 
"containerd-btrfs")
+    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, 
"containerd-zfs")
+    # Non-core snapshotters
+    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, 
"containerd-fuse-overlayfs")
+    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, 
"containerd-nydus")
+    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, 
"containerd-overlaybd")
+    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, 
"containerd-stargz")
+    # Third-party snapshotters
+    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, 
"containerd-soci")
+
     filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay")
     filetrans_pattern($1, data_home_t, container_ro_file_t, dir, 
"overlay-images")
     filetrans_pattern($1, data_home_t, container_ro_file_t, dir, 
"overlay-layers")
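Review bot: the containerd-<SNAPSHOTTER> filetrans rules enumerate nine snapshotter names while container.fc covers the same directories with `containerd-.*`, so a snapshotter missing from this list (or a new one) gets container_var_lib_t on creation and only becomes container_ro_file_t after restorecon. filetrans_pattern cannot take a regex, so the list is unavoidable, but a comment pointing at the fc pattern and a reminder to keep the two in sync would stop them drifting apart.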
@@ -845,6 +870,11 @@
 ##     Prefix for the domain.
 ##     </summary>
 ## </param>
+## <param name="prefix">
+##     <summary>
+##     Prefix for the file type.
+##     </summary>
+## </param>
 #
 template(`container_domain_template',`
        gen_require(`
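Review bot: the new `<param name="prefix">` block reuses the name of the existing parameter directly above it, so the generated interface documentation will list two parameters both called "prefix"; the second is the file-type prefix ($2) and needs its own name, for example `<param name="file_prefix">`.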
@@ -857,11 +887,57 @@
        type $1_t, container_domain;
        domain_type($1_t)
        domain_user_exemption_target($1_t)
+
+       container_manage_files_template($1, $2)
+')
+
+
+########################################
+## <summary>
+##     Manage container files template
+## </summary>
+## <param name="prefix">
+##     <summary>
+##     Prefix for the domain.
+##     </summary>
+## </param>
+## <param name="prefix">
+##     <summary>
+##     Prefix for the file type.
+##     </summary>
+## </param>
+#
+template(`container_manage_files_template',`
+       gen_require(`
+               attribute container_domain;
+               type container_runtime_t;
+               type container_var_lib_t;
+               type container_ro_file_t;
+       ')
+
+
        mls_rangetrans_target($1_t)
        mcs_constrained($1_t)
        role system_r types $1_t;
 
        kernel_read_all_proc($1_t)
+
+       allow $1_t $2_file_t:dir_file_class_set { relabelfrom relabelto map };
+
+       manage_files_pattern($1_t, $2_file_t, $2_file_t)
+       exec_files_pattern($1_t, $2_file_t, $2_file_t)
+       manage_lnk_files_pattern($1_t, $2_file_t, $2_file_t)
+       manage_dirs_pattern($1_t, $2_file_t, $2_file_t)
+       manage_chr_files_pattern($1_t, $2_file_t, $2_file_t)
+       allow $1_t $2_file_t:chr_file mmap_file_perms;
+       manage_blk_files_pattern($1_t, $2_file_t, $2_file_t)
+       manage_fifo_files_pattern($1_t, $2_file_t, $2_file_t)
+       manage_sock_files_pattern($1_t, $2_file_t, $2_file_t)
+       allow $1_t $2_file_t:{file dir} mounton;
+       allow $1_t $2_file_t:filesystem { mount remount unmount };
+       allow $1_t $2_file_t:dir_file_class_set { relabelfrom relabelto map };
+
+       fs_tmpfs_filetrans($1_t, $2_file_t, { dir file lnk_file })
 ')
 
 ########################################
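Review bot: the `')` inserted after `container_manage_files_template($1, $2)` closes container_domain_template early, so the unchanged lines `mls_rangetrans_target($1_t)`, `mcs_constrained($1_t)`, `role system_r types $1_t;` and `kernel_read_all_proc($1_t)` now sit inside container_manage_files_template. The resulting policy is the same because every container_domain_template call invokes it, but a template named "manage files" should not be what assigns the system_r role and MCS constraints to a domain, and anyone calling it on its own for a file type gets those domain rules as a side effect; move the four lines back above the new `')`. In the new template itself, `allow $1_t $2_file_t:dir_file_class_set { relabelfrom relabelto map };` appears twice, the gen_require lists container_runtime_t, container_var_lib_t and container_ro_file_t although the body never uses them, and the second `<param name="prefix">` duplicates the first parameter's name.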
@@ -945,3 +1021,23 @@
        files_search_pids($1)
        stream_connect_pattern($1, container_var_run_t, container_var_run_t, 
kubelet_t)
 ')
+
+#######################################
+## <summary>
+##      Create a file type used for container files.
+## </summary>
+## <param name="script_file">
+##      <summary>
+##      Type to be used for an container file.
+##      </summary>
+## </param>
+#
+interface(`container_file',`
+        gen_require(`
+                attribute container_file_type;
+        ')
+
+        typeattribute $1 container_file_type;
+       files_type($1)
+       files_mountpoint($1)
+')
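Review bot: `<param name="script_file">` in the container_file interface documentation does not describe the parameter ($1 is the type being given the container_file_type attribute; "script_file" looks copied from another interface), and "an container file" should read "a container file". The body also mixes eight-space and tab indentation between `typeattribute $1 container_file_type;` and `files_type($1)`.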
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.188.0/container.te 
new/container-selinux-2.198.0/container.te
--- old/container-selinux-2.188.0/container.te  2022-06-23 16:56:13.000000000 
+0200
+++ new/container-selinux-2.198.0/container.te  2023-01-05 20:57:53.000000000 
+0100
@@ -1,4 +1,4 @@
-policy_module(container, 2.188.0)
+policy_module(container, 2.198.0)
 
 gen_require(`
        class passwd rootok;
@@ -39,14 +39,25 @@
 ## </desc>
 gen_tunable(container_use_cephfs, false)
 
+## <desc>
+##  <p>
+##  Determine whether container can
+##  use ecrypt file system
+##  </p>
+## </desc>
+gen_tunable(container_use_ecryptfs, false)
+
 attribute container_runtime_domain;
 container_runtime_domain_template(container_runtime)
 typealias container_runtime_t alias docker_t;
+
 type container_runtime_exec_t alias docker_exec_t;
 can_exec(container_runtime_t,container_runtime_exec_t)
 attribute container_domain;
 attribute container_user_domain;
 attribute container_net_domain;
+attribute container_init_domain;
+attribute container_file_type;
 allow container_runtime_domain container_domain:process { dyntransition 
transition };
 allow container_domain container_runtime_domain:process sigchld;
 allow container_runtime_domain container_domain:process2 { nnp_transition 
nosuid_transition };
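Review bot: the new boolean is defined as `container_use_ecryptfs`, but the changelog entry in this request says "Add boolean containers_use_ecryptfs policy"; one of the two needs correcting before administrators query the wrong name with getsebool. The description "use ecrypt file system" should name the file system correctly, "use eCryptfs file systems".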
@@ -66,6 +77,7 @@
 type spc_t, container_domain;
 domain_type(spc_t)
 role system_r types spc_t;
+init_initrc_domain(spc_t)
 
 type container_auth_t alias docker_auth_t;
 type container_auth_exec_t alias docker_auth_exec_t;
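Review bot: `init_initrc_domain(spc_t)` makes the super-privileged spc_t an initrc domain, so init can transition service units into it; the changelog line "Label spc_t as a init initrc daemon" should say which service units need this, since it changes which systemd-started processes can end up in an unconfined-like domain.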
@@ -173,13 +185,13 @@
 
 container_auth_stream_connect(container_runtime_domain)
 
-manage_files_pattern(container_runtime_domain, container_file_t, 
container_file_t)
-manage_lnk_files_pattern(container_runtime_domain, container_file_t, 
container_file_t)
-manage_blk_files_pattern(container_runtime_domain, container_file_t, 
container_file_t)
+manage_files_pattern(container_runtime_domain, container_file_type, 
container_file_type)
+manage_lnk_files_pattern(container_runtime_domain, container_file_type, 
container_file_type)
+manage_blk_files_pattern(container_runtime_domain, container_file_type, 
container_file_type)
 allow container_runtime_domain container_domain:key manage_key_perms;
-manage_sock_files_pattern(container_runtime_domain, container_file_t, 
container_file_t)
-allow container_runtime_domain container_file_t:dir_file_class_set 
{relabelfrom relabelto execmod};
-allow container_runtime_domain container_file_t:dir_file_class_set 
mmap_file_perms;
+manage_sock_files_pattern(container_runtime_domain, container_file_type, 
container_file_type)
+allow container_runtime_domain container_file_type:dir_file_class_set 
{relabelfrom relabelto execmod};
+allow container_runtime_domain container_file_type:dir_file_class_set 
mmap_file_perms;
 
 manage_files_pattern(container_runtime_domain, container_home_t, 
container_home_t)
 manage_dirs_pattern(container_runtime_domain, container_home_t, 
container_home_t)
@@ -370,6 +382,12 @@
 
 optional_policy(`
        iptables_domtrans(container_runtime_domain)
+
+       container_read_pid_files(iptables_t)
+       container_read_state(iptables_t)
+       container_append_file(iptables_t)
+       allow iptables_t container_runtime_domain:fifo_file rw_fifo_file_perms;
+       allow iptables_t container_file_type:dir list_dir_perms;
 ')
 
 optional_policy(`
@@ -513,10 +531,6 @@
        allow container_domain cifs_t:file execmod;
 ')
 
-gen_require(`
-       type cephfs_t;
-')
-
 tunable_policy(`virt_use_nfs',`
        fs_manage_nfs_dirs(container_domain)
        fs_manage_nfs_files(container_domain)
@@ -528,6 +542,10 @@
        allow container_domain nfs_t:file execmod;
 ')
 
+gen_require(`
+       type cephfs_t;
+')
+
 tunable_policy(`container_use_cephfs',`
        manage_files_pattern(container_domain, cephfs_t, cephfs_t)
        manage_lnk_files_pattern(container_domain, cephfs_t, cephfs_t)
@@ -536,6 +554,18 @@
        allow container_domain cephfs_t:file execmod;
 ')
 
+gen_require(`
+       type ecryptfs_t;
+')
+
+tunable_policy(`container_use_ecryptfs',`
+       manage_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
+       manage_lnk_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
+       manage_dirs_pattern(container_domain, ecryptfs_t, ecryptfs_t)
+       exec_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
+       allow container_domain ecryptfs_t:file execmod;
+')
+
 fs_manage_fusefs_named_sockets(container_runtime_domain)
 fs_manage_fusefs_dirs(container_runtime_domain)
 fs_manage_fusefs_files(container_runtime_domain)
@@ -556,7 +586,6 @@
     container_spc_stream_connect(container_domain)
     fs_dontaudit_remount_tmpfs(container_domain)
     dev_dontaudit_mounton_sysfs(container_domain)
-    allow container_domain container_file_t:dir_file_class_set { relabelfrom 
relabelto map };
 ')
 
 optional_policy(`
@@ -657,6 +686,7 @@
 domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
 domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
 domtrans_pattern(container_runtime_domain, fusefs_t, spc_t)
+fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file })
 
 allow container_runtime_domain spc_t:process2 nnp_transition;
 admin_pattern(spc_t, kubernetes_file_t)
@@ -768,8 +798,13 @@
 # typealias container_t alias svirt_lxc_net_t;
 gen_require(`
        type container_t;
+       type container_file_t;
 ')
+container_manage_files_template(container, container)
+
+typeattribute container_file_t container_file_type;
 typeattribute container_t container_domain, container_net_domain, 
container_user_domain;
+allow container_user_domain self:process getattr;
 allow container_domain { container_var_lib_t container_ro_file_t 
container_file_t }:file entrypoint;
 allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms;
 allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms 
map };
@@ -810,19 +845,7 @@
 fs_rw_onload_sockets(container_domain)
 fs_fusefs_entrypoint(container_domain)
 
-manage_files_pattern(container_domain, container_file_t, container_file_t)
-exec_files_pattern(container_domain, container_file_t, container_file_t)
-manage_lnk_files_pattern(container_domain, container_file_t, container_file_t)
-manage_dirs_pattern(container_domain, container_file_t, container_file_t)
-manage_chr_files_pattern(container_domain, container_file_t, container_file_t)
-allow container_domain container_file_t:chr_file mmap_file_perms;
-manage_blk_files_pattern(container_domain, container_file_t, container_file_t)
-manage_fifo_files_pattern(container_domain, container_file_t, container_file_t)
-manage_sock_files_pattern(container_domain, container_file_t, container_file_t)
-allow container_domain container_file_t:{file dir} mounton;
-allow container_domain container_file_t:filesystem { mount remount unmount };
-fs_tmpfs_filetrans(container_domain, container_file_t, { dir file lnk_file })
-allow container_domain container_file_t:dir_file_class_set { relabelfrom 
relabelto map };
+
 container_read_share_files(container_domain)
 container_exec_share_files(container_domain)
 container_use_ptys(container_domain)
@@ -830,6 +853,7 @@
 fs_dontaudit_remount_tmpfs(container_domain)
 dev_dontaudit_mounton_sysfs(container_domain)
 dev_dontaudit_mounton_sysfs(container_domain)
+fs_mount_tmpfs(container_domain)
 
 dontaudit container_domain container_runtime_tmpfs_t:dir read;
 allow container_domain container_runtime_tmpfs_t:dir mounton;
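Review bot: `fs_mount_tmpfs(container_domain)` lets every container domain mount tmpfs within its mount namespace, which the changelog covers ("Allow containers to mount tmpfs_t file systems"); while touching this block, the context shows `dev_dontaudit_mounton_sysfs(container_domain)` listed twice in a row, which could be deduplicated here like the kernel_mount_proc duplicates removed further down.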
@@ -889,6 +913,7 @@
 domain_user_exemption_target(container_t)
 domain_dontaudit_link_all_domains_keyrings(container_domain)
 domain_dontaudit_search_all_domains_keyrings(container_domain)
+domain_dontaudit_search_all_domains_state(container_domain)
 
 virt_sandbox_net_domain(container_t)
 
@@ -1050,14 +1075,6 @@
        allow container_domain self:cap_userns mknod;
 ')
 
-gen_require(`
-       type iptables_t;
-')
-container_read_pid_files(iptables_t)
-container_read_state(iptables_t)
-container_append_file(iptables_t)
-allow iptables_t container_runtime_domain:fifo_file rw_fifo_file_perms;
-
 optional_policy(`
        gen_require(`
                role unconfined_r;
@@ -1087,7 +1104,7 @@
 #
 # container_userns_t policy
 #
-container_domain_template(container_userns)
+container_domain_template(container_userns, container)
 
 typeattribute  container_userns_t sandbox_net_domain, container_user_domain;
 dev_mount_sysfs_fs(container_userns_t)
@@ -1098,8 +1115,6 @@
 fs_remount_cgroup(container_userns_t)
 
 kernel_mount_proc(container_userns_t)
-kernel_mount_proc(container_userns_t)
-kernel_mounton_proc(container_userns_t)
 kernel_mounton_proc(container_userns_t)
 
 term_use_generic_ptys(container_userns_t)
@@ -1133,7 +1148,7 @@
 ')
 
 # Container Logreader
-container_domain_template(container_logreader)
+container_domain_template(container_logreader, container)
 typeattribute container_logreader_t container_net_domain;
 logging_read_all_logs(container_logreader_t)
 # Remove once https://github.com/fedora-selinux/selinux-policy/pull/898 merges
@@ -1141,12 +1156,14 @@
 logging_read_audit_log(container_logreader_t)
 logging_list_logs(container_logreader_t)
 
-tunable_policy(`virt_sandbox_use_all_caps',`
-       allow container_logreader_t self:capability ~{ sys_module };
-       allow container_logreader_t self:capability2 ~{ mac_override mac_admin 
};
-       allow container_logreader_t self:cap_userns ~{ sys_module };
-       allow container_logreader_t self:cap2_userns ~{ mac_override mac_admin 
};
-')
+# Container Logwriter
+container_domain_template(container_logwriter, container)
+typeattribute container_logwriter_t container_net_domain;
+logging_read_all_logs(container_logwriter_t)
+manage_files_pattern(container_logwriter_t, logfile, logfile)
+manage_dirs_pattern(container_logwriter_t, logfile, logfile)
+manage_lnk_files_pattern(container_logwriter_t, logfile, logfile)
+logging_manage_audit_log(container_logwriter_t)
 
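Review bot: this hunk does two unrelated things and only one is in the changelog: it adds container_logwriter_t ("Create container_logwriter_t type") and it deletes the whole `tunable_policy('virt_sandbox_use_all_caps',...)` block that gave container_logreader_t its capabilities. If the removal is intended it needs its own changelog entry; if not, the block was lost in the edit. On the new type, `logging_manage_audit_log(container_logwriter_t)` grants write and delete on the audit log, so a container in this domain can alter the host's audit trail; that is a stronger grant than the name "logwriter" suggests and should be called out in the man page and changelog.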
 optional_policy(`
        gen_require(`
@@ -1155,6 +1172,11 @@
                attribute userdomain;
        ')
 
+       can_exec(userdomain, container_runtime_exec_t)
+       container_manage_files(userdomain)
+       container_manage_share_dirs(userdomain)
+       container_manage_share_files(userdomain)
+
        allow userdomain conmon_exec_t:file entrypoint;
        container_runtime_run(sysadm_t, sysadm_r)
        role sysadm_r types container_domain;
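Review bot: `container_manage_files(userdomain)`, `container_manage_share_dirs(userdomain)` and `container_manage_share_files(userdomain)` target the whole userdomain attribute, so user_t and staff_t (not only sysadm_t) gain write access to every container_file_t and share-file object on the host, including the now-writable containerd and BuildKit snapshot stores from container.fc. The changelog entry "Allow userdomains to run containers" does not make this file-access widening obvious; restrict it to the user roles that need it or document it explicitly.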
@@ -1163,6 +1185,9 @@
        container_runtime_run(staff_t, staff_r)
        role staff_r types container_user_domain;
 
+       allow userdomain self:cap_userns ~{ sys_module };
+       container_read_state(userdomain)
+       allow userdomain container_runtime_t:process { noatsecure rlimitinh 
siginh };
        container_runtime_run(user_t, user_r)
        role user_r types container_user_domain;
 
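Review bot: `allow userdomain self:cap_userns ~{ sys_module };` grants every user domain all capabilities except sys_module inside user namespaces unconditionally, where comparable capability sets elsewhere in this policy were handed out only under tunables (compare the virt_sandbox_use_all_caps block removed earlier in this diff). Gate it behind a tunable or limit it to the domains that actually execute container_runtime_exec_t; `allow userdomain container_runtime_t:process { noatsecure rlimitinh siginh }` belongs in the same guarded block.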
@@ -1194,7 +1219,7 @@
 allow container_t proc_t:filesystem remount;
 
 # Container kvm - Policy for running kata containers
-container_domain_template(container_kvm)
+container_domain_template(container_kvm, container)
 typeattribute container_kvm_t container_net_domain, container_user_domain;
 
 type container_kvm_var_run_t;
@@ -1247,21 +1272,21 @@
 sssd_read_public_files(container_kvm_t)
 
 # Container init - Policy for running systemd based containers
-container_domain_template(container_init)
-typeattribute container_init_t container_net_domain, container_user_domain;
+container_domain_template(container_init, container)
+typeattribute container_init_t container_init_domain, container_net_domain, 
container_user_domain;
 
 corenet_unconfined(container_init_t)
 
-dev_mounton_sysfs(container_init_t)
+dev_mounton_sysfs(container_init_domain)
 
-fs_mounton_cgroup(container_init_t)
-fs_unmount_cgroup(container_init_t)
-fs_manage_cgroup_dirs(container_init_t)
-fs_manage_cgroup_files(container_init_t)
+fs_mounton_cgroup(container_init_domain)
+fs_unmount_cgroup(container_init_domain)
+fs_manage_cgroup_dirs(container_init_domain)
+fs_manage_cgroup_files(container_init_domain)
 
 logging_send_syslog_msg(container_init_t)
 
-allow container_init_t proc_t:filesystem remount;
+allow container_init_domain proc_t:filesystem remount;
 
 optional_policy(`
        virt_default_capabilities(container_init_t)
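Review bot: the move from container_init_t to the new container_init_domain attribute covers the cgroup, sysfs, proc-remount and netlink_audit rules but not `corenet_unconfined(container_init_t)`, `logging_send_syslog_msg(container_init_t)` or `virt_default_capabilities(container_init_t)`; if the attribute exists so that other types can be treated as init domains, those should move too, otherwise a comment should say why they stay per-type.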
@@ -1277,11 +1302,11 @@
        allow container_init_t self:cap_userns sys_admin;
 ')
 
-allow container_init_t self:netlink_audit_socket nlmsg_relay;
+allow container_init_domain self:netlink_audit_socket nlmsg_relay;
 
 # container_engine_t is for running a container engine within a container
 #
-container_domain_template(container_engine)
+container_domain_template(container_engine, container)
 typeattribute container_engine_t container_net_domain;
 
 fs_mounton_cgroup(container_engine_t)
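Review bot: the nlmsg_relay permission on the domain's own netlink_audit_socket is widened to the whole container_init_domain attribute here, while the cap_userns sys_admin rule three lines above stays on container_init_t. nlmsg_relay lets a domain write user-space audit records through the audit netlink socket, which is a meaningful capability for anything that can reach the host audit log; keep the two grants at the same scope, or note in a comment why one is per-attribute and the other per-type.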
@@ -1346,21 +1371,30 @@
 ')
 
 # Standard container which needs to be allowed to use any device
-container_domain_template(container_device)
+container_domain_template(container_device, container)
 allow container_device_t device_node:chr_file rw_chr_file_perms;
 
 # Standard container which needs to be allowed to use any device and
 # communicate with kubelet
-container_domain_template(container_device_plugin)
+container_domain_template(container_device_plugin, container)
 allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
 dev_rw_sysfs(container_device_plugin_t)
 container_kubelet_stream_connect(container_device_plugin_t)
 
 # Standard container which needs to be allowed to use any device and
 # modify kubelet configuration
-container_domain_template(container_device_plugin_init)
+container_domain_template(container_device_plugin_init, container)
 allow container_device_plugin_init_t device_node:chr_file rw_chr_file_perms;
 dev_rw_sysfs(container_device_plugin_init_t)
 manage_dirs_pattern(container_device_plugin_init_t, kubernetes_file_t, 
kubernetes_file_t)
 manage_files_pattern(container_device_plugin_init_t, kubernetes_file_t, 
kubernetes_file_t)
 manage_lnk_files_pattern(container_device_plugin_init_t, kubernetes_file_t, 
kubernetes_file_t)
+
+optional_policy(`
+       gen_require(`
+               type syslogd_t;
+       ')
+
+       allow syslogd_t container_runtime_tmpfs_t:file { read write };
+       logging_send_syslog_msg(container_runtime_t)
+')
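Review bot: "allow syslogd_t container_runtime_tmpfs_t:file { read write };" lacks open (and getattr), so it only covers file descriptors that syslogd inherits or receives from the runtime; if syslogd opens the tmpfs file by path itself, the open check will still be denied and this rule will not fix the denial the changelog entry ("Allow syslogd_t to use tmpfs files created by container runtime") describes. Add open if syslogd is expected to open the file, and say in a comment which of the two cases is intended. The block correctly lives under optional_policy with a gen_require for syslogd_t, but note it is a raw allow on another module's domain rather than a logging interface, so it should carry a comment explaining the fd-passing scenario.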
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/container-selinux-2.188.0/container_selinux.8 
new/container-selinux-2.198.0/container_selinux.8
--- old/container-selinux-2.188.0/container_selinux.8   2022-06-23 
16:56:13.000000000 +0200
+++ new/container-selinux-2.198.0/container_selinux.8   2023-01-05 
20:57:53.000000000 +0100
@@ -1,4 +1,4 @@
-.TH  "container_selinux"  "8"  "20-03-23" "container" "SELinux Policy 
container"
+.TH  "container_selinux"  "8"  "22-12-13" "container" "SELinux Policy 
container"
 .SH "NAME"
 container_selinux \- Security Enhanced Linux Policy for the container processes
 .SH "DESCRIPTION"
@@ -23,7 +23,7 @@
 The following process types are defined for container:
 
 .EX
-.B container_runtime_t, container_auth_t, container_userns_t, 
container_logreader_t, container_kvm_t, container_t
+.B container_runtime_t, container_auth_t, container_userns_t, 
container_logreader_t, container_logwriter_t, container_kvm_t, 
container_init_t, container_engine_t, container_device_t, 
container_device_plugin_t, container_device_plugin_init_t, container_t
 .EE
 .PP
 Note:
@@ -103,6 +103,10 @@
 The SELinux process type container_t can manage files labeled with the 
following file types.  The paths listed are the default paths for these file 
types.  Note the processes UID still need to have DAC permissions.
 
 .br
+.B cifs_t
+
+
+.br
 .B container_file_t
 
        /srv/containers(/.*)?
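Review bot: the new cifs_t entry has an empty Paths block, which reads as a generation bug; cifs_t is assigned to the cifs filesystem by genfscon, not by a file context path, so the generator should either say so or omit the heading. More importantly, this section now states that container_t can manage files on any CIFS mount the host exposes to a container; if that access is gated by a boolean, the generated text does not show it, and the manpage should say under which condition the grant applies.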
@@ -111,12 +115,24 @@
 .br
        /var/lib/rkt/cas(/.*)?
 .br
+       /var/lib/nerdctl/[^/]*/volumes(/.*)?
+.br
+       /var/lib/buildkit/[^/]*/snapshots(/.*)?
+.br
        /var/srv/containers(/.*)?
 .br
+       /var/lib/containerd/[^/]*/snapshots(/.*)?
+.br
+       /var/lib/kubelet/pods(/.*)?
+.br
        /var/lib/kubernetes/pods(/.*)?
 .br
        /var/lib/containers/storage/volumes/[^/]*/.*
 .br
+       /home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.*
+.br
+       /home/selinuxuser/\.local/share/containers/storage/volumes/[^/]*/.*
+.br
 
 .br
 .B fs_t
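Review bot: the "/home/selinuxuser/\.local/share/containers/storage/volumes/[^/]*/.*" entry looks like a host-specific expansion of the HOME_DIR template for a user that existed on the machine where the manpage was generated; it is already covered by the generic "/home/[^/]+/..." entry directly above it and should not ship in a distributed manpage. Regenerate on a clean host or strip the per-user expansions before packaging.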
@@ -125,7 +141,9 @@
 .br
 .B fusefs_t
 
-       /var/run/user/[^/]*/gvfs
+       /var/run/user/[0-9]+/gvfs
+.br
+       /var/run/user/4003/gvfs
 .br
 
 .br
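Review bot: "/var/run/user/4003/gvfs" is the same kind of host-specific expansion as the /home/selinuxuser entries (the UID of the generating user substituted into the "/var/run/user/[0-9]+/gvfs" pattern) and carries no information for other hosts; drop it from the packaged manpage.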
@@ -137,6 +155,42 @@
 .br
 
 .br
+.B initrc_tmp_t
+
+
+.br
+.B mnt_t
+
+       /mnt(/[^/]*)?
+.br
+       /mnt(/[^/]*)?
+.br
+       /rhev(/[^/]*)?
+.br
+       /rhev/[^/]*/.*
+.br
+       /media(/[^/]*)?
+.br
+       /media(/[^/]*)?
+.br
+       /media/\.hal-.*
+.br
+       /var/run/media(/[^/]*)?
+.br
+       /afs
+.br
+       /net
+.br
+       /misc
+.br
+       /rhev
+.br
+
+.br
+.B nfs_t
+
+
+.br
 .B onload_fs_t
 
 
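Review bot: the mnt_t path list contains duplicates ("/mnt(/[^/]*)?" and "/media(/[^/]*)?" each appear twice, and "/rhev" appears both bare and as "/rhev(/[^/]*)?"), and initrc_tmp_t and nfs_t have empty Paths blocks (nfs_t, like cifs_t, comes from genfscon). Beyond the formatting, this section now says container_t can manage files under /mnt, /media and NFS mounts on the host; if those grants are conditional on a boolean, the manpage should name it, since the difference between "always" and "only when enabled" is exactly what an administrator consults this page for.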
@@ -155,6 +209,40 @@
 .br
        /home/[^/]+/\.local/share/gnome-boxes/images(/.*)?
 .br
+       /home/selinuxuser/\.libvirt/qemu(/.*)?
+.br
+       /home/selinuxuser/\.cache/libvirt/qemu(/.*)?
+.br
+       /home/selinuxuser/\.config/libvirt/qemu(/.*)?
+.br
+       /home/selinuxuser/\.local/share/libvirt/boot(/.*)?
+.br
+       /home/selinuxuser/\.local/share/libvirt/images(/.*)?
+.br
+       /home/selinuxuser/\.local/share/gnome-boxes/images(/.*)?
+.br
+
+.br
+.B tmp_t
+
+       /sandbox(/.*)?
+.br
+       /tmp
+.br
+       /usr/tmp
+.br
+       /var/tmp
+.br
+       /var/tmp
+.br
+       /tmp-inst
+.br
+       /var/tmp-inst
+.br
+       /var/tmp/tmp-inst
+.br
+       /var/tmp/vi\.recover
+.br
 
 .SH FILE CONTEXTS
 SELinux requires files to have an extended attribute to define the file type.
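Review bot: the "/home/selinuxuser/..." libvirt and gnome-boxes entries are again host-specific expansions already covered by the "/home/[^/]+/..." patterns and should not be packaged, and the tmp_t list repeats "/var/tmp". The tmp_t entry itself is worth a second look: it states that container_t can manage files labeled tmp_t, which is the host's shared /tmp and /var/tmp; if that is intended (for example for bind-mounted temporary directories) or boolean-gated, the page should say so.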
@@ -169,6 +257,22 @@
 .B EQUIVALENCE DIRECTORIES
 
 .PP
+container policy stores data with multiple different file context types under 
the /var/lib/buildkit directory.  If you would like to store the data in a 
different directory you can use the semanage command to create an equivalence 
mapping.  If you wanted to store this data under the /srv directory you would 
execute the following command:
+.PP
+.B semanage fcontext -a -e /var/lib/buildkit /srv/buildkit
+.br
+.B restorecon -R -v /srv/buildkit
+.PP
+
+.PP
+container policy stores data with multiple different file context types under 
the /var/lib/containerd directory.  If you would like to store the data in a 
different directory you can use the semanage command to create an equivalence 
mapping.  If you wanted to store this data under the /srv directory you would 
execute the following command:
+.PP
+.B semanage fcontext -a -e /var/lib/containerd /srv/containerd
+.br
+.B restorecon -R -v /srv/containerd
+.PP
+
+.PP
 container policy stores data with multiple different file context types under 
the /var/lib/containers directory.  If you would like to store the data in a 
different directory you can use the semanage command to create an equivalence 
mapping.  If you wanted to store this data under the /srv directory you would 
execute the following command:
 .PP
 .B semanage fcontext -a -e /var/lib/containers /srv/containers
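Review bot: the generated equivalence examples should mention that "semanage fcontext -a -e" substitutes the prefix for every file context entry under /var/lib/buildkit and /var/lib/containerd, so /srv/buildkit/<name>/snapshots and /srv/containerd/<name>/snapshots will receive container_file_t exactly as the entries listed under container_file_t on this page describe, and that restorecon must be run after the data has been moved. It should also note that relabeling alone is not enough: the daemon has to be configured to use the new root directory, which is outside the scope of the policy.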
@@ -185,6 +289,22 @@
 .PP
 
 .PP
+container policy stores data with multiple different file context types under 
the /var/lib/kubelet directory.  If you would like to store the data in a 
different directory you can use the semanage command to create an equivalence 
mapping.  If you wanted to store this data under the /srv directory you would 
execute the following command:
+.PP
+.B semanage fcontext -a -e /var/lib/kubelet /srv/kubelet
+.br
+.B restorecon -R -v /srv/kubelet
+.PP
+
+.PP
+container policy stores data with multiple different file context types under 
the /var/lib/nerdctl directory.  If you would like to store the data in a 
different directory you can use the semanage command to create an equivalence 
mapping.  If you wanted to store this data under the /srv directory you would 
execute the following command:
+.PP
+.B semanage fcontext -a -e /var/lib/nerdctl /srv/nerdctl
+.br
+.B restorecon -R -v /srv/nerdctl
+.PP
+
+.PP
 container policy stores data with multiple different file context types under 
the /var/lib/ocid directory.  If you would like to store the data in a 
different directory you can use the semanage command to create an equivalence 
mapping.  If you wanted to store this data under the /srv directory you would 
execute the following command:
 .PP
 .B semanage fcontext -a -e /var/lib/ocid /srv/ocid
@@ -193,6 +313,14 @@
 .PP
 
 .PP
+container policy stores data with multiple different file context types under 
the /var/run/containerd directory.  If you would like to store the data in a 
different directory you can use the semanage command to create an equivalence 
mapping.  If you wanted to store this data under the /srv directory you would 
execute the following command:
+.PP
+.B semanage fcontext -a -e /var/run/containerd /srv/containerd
+.br
+.B restorecon -R -v /srv/containerd
+.PP
+
+.PP
 container policy stores data with multiple different file context types under 
the /var/run/docker directory.  If you would like to store the data in a 
different directory you can use the semanage command to create an equivalence 
mapping.  If you wanted to store this data under the /srv directory you would 
execute the following command:
 .PP
 .B semanage fcontext -a -e /var/run/docker /srv/docker
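Review bot: the example for /var/run/containerd maps it to /srv/containerd, the same target the earlier example on this page uses for /var/lib/containerd. A directory cannot be equivalent to two different source prefixes, so an administrator following both examples literally will have the second semanage call fail or get conflicting labels; the generator should pick distinct targets (for instance /srv/run/containerd for the runtime directory) when the same basename appears under /var/lib and /var/run.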
@@ -204,7 +332,7 @@
 .B STANDARD FILE CONTEXT
 
 SELinux defines the file context types for the container, if you wanted to
-store files with these types in a diffent paths, you need to execute the 
semanage command to sepecify alternate labeling and then use restorecon to put 
the labels on disk.
+store files with these types in a diffent paths, you need to execute the 
semanage command to specify alternate labeling and then use restorecon to put 
the labels on disk.
 
 .B semanage fcontext -a -t container_ro_file_t '/srv/mycontainer_content(/.*)?'
 .br
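Review bot: the hunk fixes "sepecify" but leaves "in a diffent paths" on the same line; it should read "in different paths". Since this sentence is boilerplate emitted by the manpage generator, the fix belongs in the generator template so it does not recur in every regenerated page.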
@@ -225,7 +353,7 @@
 .br
 .TP 5
 Paths:
-/usr/bin/docker-novolume-plugin, /usr/lib/docker/docker-novolume-plugin
+/usr/s?bin/docker-novolume-plugin, /usr/lib/docker/docker-novolume-plugin
 
 .EX
 .PP
@@ -237,7 +365,7 @@
 .br
 .TP 5
 Paths:
-/etc/crio(/.*)?, /etc/docker(/.*)?, /etc/docker-latest(/.*)?
+/etc/crio(/.*)?, /etc/docker(/.*)?, /etc/buildkit(/.*)?, 
/etc/containerd(/.*)?, /etc/docker-latest(/.*)?
 
 .EX
 .PP
@@ -249,7 +377,7 @@
 .br
 .TP 5
 Paths:
-/srv/containers(/.*)?, /var/lib/origin(/.*)?, /var/lib/rkt/cas(/.*)?, 
/var/srv/containers(/.*)?, /var/lib/kubernetes/pods(/.*)?, 
/var/lib/containers/storage/volumes/[^/]*/.*
+/srv/containers(/.*)?, /var/lib/origin(/.*)?, /var/lib/rkt/cas(/.*)?, 
/var/lib/nerdctl/[^/]*/volumes(/.*)?, /var/lib/buildkit/[^/]*/snapshots(/.*)?, 
/var/srv/containers(/.*)?, /var/lib/containerd/[^/]*/snapshots(/.*)?, 
/var/lib/kubelet/pods(/.*)?, /var/lib/kubernetes/pods(/.*)?, 
/var/lib/containers/storage/volumes/[^/]*/.*, 
/home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.*, 
/home/selinuxuser/\.local/share/containers/storage/volumes/[^/]*/.*
 
 .EX
 .PP
@@ -261,6 +389,14 @@
 
 .EX
 .PP
+.B container_kvm_var_run_t
+.EE
+
+- Set files with the container_kvm_var_run_t type, if you want to store the 
container kvm files under the /run or /var/run directory.
+
+
+.EX
+.PP
 .B container_lock_t
 .EE
 
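Review bot: the new container_kvm_var_run_t entry has a description but no Paths block, which means no file context assigns this type by default; files only get it through a type transition in policy or an explicit relabel. The .te hunk on this page declares the type but the manpage gives an administrator no way to tell where such files are expected, so either add the path pattern to container.fc or state in the description that the type is applied by the runtime, not by path.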
@@ -277,7 +413,7 @@
 .br
 .TP 5
 Paths:
-/var/log/lxc(/.*)?, /var/log/lxd(/.*)?, /var/lib/docker/containers/.*/.*\.log, 
/var/lib/docker-latest/containers/.*/.*\.log
+/var/log/lxc(/.*)?, /var/log/lxd(/.*)?, /var/log/pods(/.*)?, 
/var/log/containers(/.*)?, /var/lib/docker/containers/.*/.*\.log, 
/var/lib/docker-latest/containers/.*/.*\.log
 
 .EX
 .PP
@@ -297,7 +433,7 @@
 .br
 .TP 5
 Paths:
-/var/lib/docker/.*/config\.env, /var/lib/docker/init(/.*)?, 
/var/lib/docker/overlay(/.*)?, /var/lib/ocid/sandboxes(/.*)?, 
/var/lib/docker-latest/.*/config\.env, /var/lib/docker/overlay2(/.*)?, 
/var/lib/containers/overlay(/.*)?, /var/lib/docker-latest/init(/.*)?, 
/var/lib/docker/containers/.*/hosts, /var/lib/docker/containers/.*/hostname, 
/var/lib/containers/overlay2(/.*)?, /var/lib/docker-latest/overlay(/.*)?, 
/var/lib/docker-latest/overlay2(/.*)?, 
/var/lib/containers/overlay-images(/.*)?, 
/var/lib/containers/overlay-layers(/.*)?, 
/var/lib/docker-latest/containers/.*/hosts, 
/var/lib/docker-latest/containers/.*/hostname, 
/var/lib/containers/overlay2-images(/.*)?, 
/var/lib/containers/overlay2-layers(/.*)?, 
/var/lib/containers/storage/overlay(/.*)?, 
/var/lib/containers/storage/overlay2(/.*)?, 
/var/lib/containers/storage/overlay-images(/.*)?, 
/var/lib/containers/storage/overlay-layers(/.*)?, 
/var/lib/containers/storage/overlay2-images(/.*)?, 
/var/lib/containers/storage/overlay2-layers(/
 .*)?
+/var/lib/nerdctl(/.*)?, /var/lib/docker/.*/config\.env, 
/var/lib/docker/init(/.*)?, /var/lib/containerd/[^/]*/sandboxes(/.*)?, 
/var/lib/docker/overlay(/.*)?, /var/lib/ocid/sandboxes(/.*)?, 
/var/lib/docker-latest/.*/config\.env, 
/var/lib/buildkit/runc-.*/executor(/.*?), /var/lib/docker/overlay2(/.*)?, 
/var/lib/kata-containers(/.*)?, /var/cache/kata-containers(/.*)?, 
/var/lib/containers/overlay(/.*)?, /var/lib/docker-latest/init(/.*)?, 
/var/lib/docker/containers/.*/hosts, /var/lib/docker/containers/.*/hostname, 
/var/lib/containers/overlay2(/.*)?, /var/lib/buildkit/containerd-.*(/.*?), 
/var/lib/docker-latest/overlay(/.*)?, /var/lib/docker-latest/overlay2(/.*)?, 
/var/lib/containers/overlay-images(/.*)?, 
/var/lib/containers/overlay-layers(/.*)?, 
/var/lib/docker-latest/containers/.*/hosts, 
/var/lib/docker-latest/containers/.*/hostname, 
/var/lib/containers/overlay2-images(/.*)?, 
/var/lib/containers/overlay2-layers(/.*)?, 
/var/lib/containers/storage/overlay(/.*)?, /var/lib/containers/storag
 e/overlay2(/.*)?, /var/lib/containers/storage/overlay-images(/.*)?, 
/var/lib/containers/storage/overlay-layers(/.*)?, 
/var/lib/containers/storage/overlay2-images(/.*)?, 
/var/lib/containers/storage/overlay2-layers(/.*)?, 
/home/[^/]+/\.local/share/containers/storage/overlay(/.*)?, 
/home/[^/]+/\.local/share/containers/storage/overlay2(/.*)?, 
/home/[^/]+/\.local/share/containers/storage/overlay-images(/.*)?, 
/home/[^/]+/\.local/share/containers/storage/overlay-layers(/.*)?, 
/home/[^/]+/\.local/share/containers/storage/overlay2-images(/.*)?, 
/home/[^/]+/\.local/share/containers/storage/overlay2-layers(/.*)?, 
/home/selinuxuser/\.local/share/containers/storage/overlay(/.*)?, 
/home/selinuxuser/\.local/share/containers/storage/overlay2(/.*)?, 
/home/selinuxuser/\.local/share/containers/storage/overlay-images(/.*)?, 
/home/selinuxuser/\.local/share/containers/storage/overlay-layers(/.*)?, 
/home/selinuxuser/\.local/share/containers/storage/overlay2-images(/.*)?, 
/home/selinuxuser/\.local/share/c
 ontainers/storage/overlay2-layers(/.*)?
 
 .EX
 .PP
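Review bot: "/var/lib/buildkit/runc-.*/executor(/.*?)" and "/var/lib/buildkit/containerd-.*(/.*?)" look like typos for "(/.*)?": as written the group is mandatory and must start with a slash, so the executor directory itself is not matched by this entry and falls through to the "/var/lib/buildkit(/.*)?" pattern that belongs to a different type's list later on this page, giving the directory and its contents different labels. Correct the pattern in container.fc and regenerate.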
@@ -309,7 +445,7 @@
 .br
 .TP 5
 Paths:
-/usr/bin/crio.*, /usr/bin/lxc-.*, /usr/bin/lxd-.*, /usr/bin/ocid.*, 
/usr/sbin/crio.*, /usr/sbin/ocid.*, /usr/bin/docker.*, 
/usr/lib/docker/[^/]*plugin, /usr/libexec/lxc/.*, /usr/libexec/lxd/.*, 
/usr/bin/container[^/]*plugin, /usr/bin/containerd.*, /usr/local/bin/crio.*, 
/usr/libexec/docker/.*, /usr/local/sbin/crio.*, /usr/libexec/docker/docker.*, 
/usr/bin/lxc, /usr/bin/lxd, /usr/bin/crun, /usr/bin/runc, /usr/sbin/runc, 
/usr/bin/podman, /usr/bin/fuidshift, /usr/local/bin/crun, /usr/local/bin/runc, 
/usr/local/bin/podman, /usr/bin/docker-latest, /usr/bin/docker-current, 
/usr/bin/rhel-push-plugin, /usr/sbin/rhel-push-plugin
+/usr/s?bin/lxc, /usr/s?bin/lxd, /usr/s?bin/crun, /usr/s?bin/runc, 
/usr/s?bin/crio.*, /usr/s?bin/lxc-.*, /usr/s?bin/lxd-.*, /usr/s?bin/ocid.*, 
/usr/s?bin/docker.*, /usr/s?bin/fuidshift, /usr/s?bin/kata-agent, 
/usr/s?bin/buildkitd.*, /usr/s?bin/containerd.*, /usr/s?bin/buildkit-runc, 
/usr/s?bin/docker-latest, /usr/s?bin/docker-current, /usr/local/s?bin/crun, 
/usr/local/s?bin/runc, /usr/local/s?bin/crio.*, /usr/local/s?bin/docker.*, 
/usr/local/s?bin/kata-agent, /usr/local/s?bin/buildkitd.*, 
/usr/local/s?bin/containerd.*, /usr/local/s?bin/buildkit-runc, 
/usr/lib/docker/[^/]*plugin, /usr/libexec/lxc/.*, /usr/libexec/lxd/.*, 
/usr/bin/container[^/]*plugin, /usr/libexec/docker/.*, 
/usr/local/lib/docker/[^/]*plugin, /usr/libexec/docker/docker.*, 
/usr/local/libexec/docker/.*, /usr/local/libexec/docker/docker.*, 
/usr/bin/podman, /usr/local/bin/podman, /usr/bin/rhel-push-plugin, 
/usr/sbin/rhel-push-plugin
 
 .EX
 .PP
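Review bot: "/usr/s?bin/kata-agent" and "/usr/local/s?bin/kata-agent" are now labeled with the runtime executable type, which makes the agent run in the runtime domain when executed through the usual transition; kata-agent normally runs inside the guest VM, and the kata section of the .te on this page uses container_kvm_t for the host side, so the intended domain should be confirmed and recorded in the container.fc comment. Separately, the hunk converts most entries to "/usr/s?bin/" but leaves "/usr/bin/container[^/]*plugin", "/usr/bin/podman" and "/usr/local/bin/podman" as bin-only; either is harmless, but the inconsistency invites a later "missing sbin" bug report.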
@@ -337,7 +473,7 @@
 .br
 .TP 5
 Paths:
-/usr/lib/systemd/system/lxd.*, /usr/lib/systemd/system/docker.*, 
/usr/lib/systemd/system/containerd.*
+/usr/lib/systemd/system/lxd.*, /usr/lib/systemd/system/docker.*, 
/usr/lib/systemd/system/buildkit.*, /usr/lib/systemd/system/containerd.*
 
 .EX
 .PP
@@ -349,7 +485,7 @@
 .br
 .TP 5
 Paths:
-/exports(/.*)?, /var/lib/lxc(/.*)?, /var/lib/lxd(/.*)?, /var/lib/ocid(/.*)?, 
/var/lib/docker(/.*)?, /var/lib/registry(/.*)?, /var/lib/containers(/.*)?, 
/var/lib/docker-latest(/.*)?
+/exports(/.*)?, /var/lib/cni(/.*)?, /var/lib/lxc(/.*)?, /var/lib/lxd(/.*)?, 
/var/lib/ocid(/.*)?, /var/lib/docker(/.*)?, /var/lib/kubelet(/.*)?, 
/var/lib/buildkit(/.*)?, /var/lib/registry(/.*)?, /var/lib/containerd(/.*)?, 
/var/lib/containers(/.*)?, /var/lib/docker-latest(/.*)?
 
 .EX
 .PP
@@ -361,7 +497,7 @@
 .br
 .TP 5
 Paths:
-/var/run/crio(/.*)?, /var/run/docker(/.*)?, /var/run/containerd(/.*)?, 
/var/run/containers(/.*)?, /var/run/docker-client(/.*)?, /var/run/docker\.pid, 
/var/run/docker\.sock
+/var/run/crio(/.*)?, /var/run/docker(/.*)?, /var/run/flannel(/.*)?, 
/var/run/buildkit(/.*)?, /var/run/containerd(/.*)?, /var/run/containers(/.*)?, 
/var/run/docker-client(/.*)?, /var/run/docker\.pid, /var/run/docker\.sock
 
 .PP
 Note: File context can be temporarily modified with the chcon command.  If you 
want to permanently change the file context you need to use the
@@ -395,4 +531,4 @@
 .B "sepolicy manpage".
 
 .SH "SEE ALSO"
-selinux(8), container(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), 
setsebool(8), container_auth_selinux(8), container_auth_selinux(8), 
container_kvm_selinux(8), container_kvm_selinux(8), 
container_logreader_selinux(8), container_logreader_selinux(8), 
container_runtime_selinux(8), container_runtime_selinux(8), 
container_userns_selinux(8), container_userns_selinux(8)
\ No newline at end of file
+selinux(8), container(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), 
setsebool(8), container_auth_selinux(8), container_auth_selinux(8), 
container_device_selinux(8), container_device_selinux(8), 
container_device_plugin_selinux(8), container_device_plugin_selinux(8), 
container_device_plugin_init_selinux(8), 
container_device_plugin_init_selinux(8), container_engine_selinux(8), 
container_engine_selinux(8), container_init_selinux(8), 
container_init_selinux(8), container_kvm_selinux(8), container_kvm_selinux(8), 
container_logreader_selinux(8), container_logreader_selinux(8), 
container_logwriter_selinux(8), container_logwriter_selinux(8), 
container_runtime_selinux(8), container_runtime_selinux(8), 
container_userns_selinux(8), container_userns_selinux(8)
\ No newline at end of file
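Review bot: every entry in the regenerated SEE ALSO list is emitted twice (container_auth_selinux(8), container_auth_selinux(8), and so on through container_userns_selinux(8)), and the file still ends without a trailing newline. The duplication predates this change, as the old list shows, so it is a bug in the manpage generator's SEE ALSO loop; fix it there and regenerate rather than editing the output by hand.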
