commit: 25276f575f723fb140c1bd889771da4b7f529f09 Author: Kenton Groombridge <me <AT> concord <DOT> sh> AuthorDate: Sat Apr 2 19:45:37 2022 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sat Sep 3 18:41:55 2022 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=25276f57
container: add separate type for container engine units and add a filecon for container units themselves.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
 policy/modules/services/container.fc | 5 +++--
 policy/modules/services/container.te | 3 +++
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc
index 63f1537d..540df680 100644
--- a/policy/modules/services/container.fc
+++ b/policy/modules/services/container.fc
@@ -21,8 +21,9 @@ HOME_DIR/\.local/share/docker/volumes(/.*)? gen_context(system_u:object_r:conta
 /usr/bin/crun -- gen_context(system_u:object_r:container_engine_exec_t,s0)
 /usr/bin/runc -- gen_context(system_u:object_r:container_engine_exec_t,s0)
-/usr/lib/systemd/system/docker.* -- gen_context(system_u:object_r:container_unit_t,s0)
-/usr/lib/systemd/system/containerd.* -- gen_context(system_u:object_r:container_unit_t,s0)
+/usr/lib/systemd/system/docker.* -- gen_context(system_u:object_r:container_engine_unit_t,s0)
+/usr/lib/systemd/system/containerd.* -- gen_context(system_u:object_r:container_engine_unit_t,s0)
+/usr/lib/systemd/system/container-.* -- gen_context(system_u:object_r:container_unit_t,s0)
 /usr/sbin/runc -- gen_context(system_u:object_r:container_engine_exec_t,s0)
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 166a42ae..09fa6635 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -97,6 +97,9 @@ role system_r types spc_t;
 type spc_user_t, container_domain, container_net_domain, container_user_domain, privileged_container_domain;
 domain_type(spc_user_t)
+type container_engine_unit_t;
+init_unit_file(container_engine_unit_t)
+
 type container_unit_t;
 init_unit_file(container_unit_t)
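Review bot: The new `/usr/lib/systemd/system/container-.*` entry uses an unbounded `.*`, which in file_contexts also matches `/`, so combined with the `--` qualifier it labels regular files inside a `container-<name>.service.d/` drop-in directory as container_unit_t while that directory itself gets no label from this line. If only the unit files themselves are meant, as the commit message says, `/usr/lib/systemd/system/container-[^/]*` states that explicitly; if drop-ins are intended, a one-line `#` comment above the entry saying so would settle it for the next reader. Since docker.* and containerd.* change type in the same hunk, existing installs need a relabel of /usr/lib/systemd/system before the new contexts take effect.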
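Review bot: container_engine_unit_t is declared with only init_unit_file(), and the diffstat shows container.if is untouched, so no interface exposes the new type to other modules; any domain that reached the docker/containerd unit files through existing container_unit_t interfaces (if container.if has any, which is outside this diff) loses that access once the .fc change is applied. Either the matching interfaces belong in this change or the split should be documented, for example `# unit files for container engines (docker, containerd), distinct from per-container units` above the declaration.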