Move policy templates to container-selinux repo
Move the udica policy templates to the container-selinux package so that administrators can deploy udica-generated policies on OpenShift nodes without installing udica everywhere. Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
This commit is contained in:
parent
09bf6b339f
commit
aa3561d4de
|
@ -8,6 +8,7 @@ RUN dnf update --disableplugin=subscription-manager -y && \
|
|||
|
||||
# Install dependencies
|
||||
RUN dnf install --disableplugin=subscription-manager -y \
|
||||
container-selinux \
|
||||
python3 \
|
||||
python3-setools \
|
||||
systemd-devel \
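Review bot: The new `container-selinux \` line carries no version constraint, yet the image now depends on that package shipping the udica policy templates, which presumably only newer builds do; an older package from the base repository satisfies the install and the problem surfaces only at runtime through the template check in load_policy. Consider a build-time assertion after the install, e.g. `RUN test -d <TEMPLATES_DIR>` using the directory that `TEMPLATES_STORE` points at, or a minimum version on the dnf line once the first shipping version is known. The RUN command continues past the end of the hunk.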
|
||||
|
|
9
setup.py
9
setup.py
|
@ -37,15 +37,6 @@ setuptools.setup(
|
|||
data_files=[
|
||||
("/usr/share/licenses/udica", ["LICENSE"]),
|
||||
("/usr/share/udica/ansible", ["udica/ansible/deploy-module.yml"]),
|
||||
("/usr/share/udica/templates", ["udica/templates/base_container.cil"]),
|
||||
("/usr/share/udica/templates", ["udica/templates/config_container.cil"]),
|
||||
("/usr/share/udica/templates", ["udica/templates/home_container.cil"]),
|
||||
("/usr/share/udica/templates", ["udica/templates/log_container.cil"]),
|
||||
("/usr/share/udica/templates", ["udica/templates/net_container.cil"]),
|
||||
("/usr/share/udica/templates", ["udica/templates/tmp_container.cil"]),
|
||||
("/usr/share/udica/templates", ["udica/templates/tty_container.cil"]),
|
||||
("/usr/share/udica/templates", ["udica/templates/virt_container.cil"]),
|
||||
("/usr/share/udica/templates", ["udica/templates/x_container.cil"]),
|
||||
],
|
||||
# scripts=["bin/udica"],
|
||||
entry_points={"console_scripts": ["udica=udica.__main__:main"]},
|
||||
|
|
|
@ -421,6 +421,11 @@ def write_policy_for_podman_mounts(mounts, policy):
|
|||
|
||||
def load_policy(opts):
|
||||
PWD = getcwd()
|
||||
|
||||
if not exists(TEMPLATES_STORE):
|
||||
print("Policy templates not found! Please install container-selinux package.")
|
||||
exit(1)
|
||||
|
||||
chdir(TEMPLATES_STORE)
|
||||
|
||||
if opts["LoadModules"]:
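Review bot: The new guard prints its error to stdout and leaves through the builtin `exit(1)`, which is the site-module helper rather than `sys.exit` and is absent under `python -S`; anyone wrapping udica in a script will also not see the message on stderr. Prefer `print("Policy templates not found! Please install container-selinux package.", file=sys.stderr)` followed by `sys.exit(1)`, provided `sys` is imported in this module (its import block is outside the hunk). The check also only confirms that the `TEMPLATES_STORE` directory exists, not that the individual template files are present, so a partial or older container-selinux install passes here and fails later at load time; a comment on the guard such as `# Only the directory is checked; missing individual templates fail at load time` would make that explicit. The body of load_policy continues past the end of the hunk.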
|
||||
|
|
|
@ -1,14 +0,0 @@
|
|||
(block container
|
||||
(type process)
|
||||
(type socket)
|
||||
(roletype system_r process)
|
||||
(typeattributeset domain (process ))
|
||||
(typeattributeset container_domain (process ))
|
||||
(typeattributeset svirt_sandbox_domain (process ))
|
||||
(typeattributeset mcs_constrained_type (process ))
|
||||
(typeattributeset file_type (socket ))
|
||||
(allow process socket (sock_file (create open getattr setattr read write rename link unlink ioctl lock append)))
|
||||
(allow process proc_type (file (getattr open read)))
|
||||
(allow process cpu_online_t (file (getattr open read)))
|
||||
(allow container_runtime_t process (key (create link read search setattr view write)))
|
||||
)
|
|
@ -1,24 +0,0 @@
|
|||
(block config_container
|
||||
(optional config_container_optional
|
||||
(allow process configfile (dir (ioctl read getattr lock search open)))
|
||||
(allow process configfile (file (ioctl read getattr lock open)))
|
||||
(allow process configfile (lnk_file (read getattr)))
|
||||
)
|
||||
)
|
||||
|
||||
(block config_rw_container
|
||||
(blockinherit config_container)
|
||||
(optional config_rw_container_optional
|
||||
(allow process configfile (dir (ioctl read write getattr lock append open)))
|
||||
(allow process configfile (file (ioctl read write getattr lock append open)))
|
||||
(allow process configfile (lnk_file (ioctl read write getattr lock append open)))
|
||||
)
|
||||
)
|
||||
|
||||
(block config_manage_container
|
||||
(optional config_manage_container_optional
|
||||
(allow process configfile (dir (ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open)))
|
||||
(allow process configfile (file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||||
(allow process configfile (lnk_file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||||
)
|
||||
)
|
|
@ -1,37 +0,0 @@
|
|||
(block home_container
|
||||
(optional home_container_optional
|
||||
(allow process process (capability (dac_override )))
|
||||
|
||||
(allow process user_home_dir_t (dir (getattr search open read lock ioctl)))
|
||||
(allow process home_root_t (dir (getattr search open read lock ioctl)))
|
||||
(allow process user_home_t (dir (getattr search open read lock ioctl)))
|
||||
|
||||
(allow process user_home_dir_t (file (getattr ioctl lock open read)))
|
||||
(allow process user_home_t (file (getattr ioctl lock open read)))
|
||||
)
|
||||
)
|
||||
|
||||
|
||||
(block home_rw_container
|
||||
(blockinherit home_container)
|
||||
(optional home_rw_container_optional
|
||||
(allow process user_home_dir_t (dir (open getattr setattr read write link search add_name remove_name reparent lock ioctl)))
|
||||
(allow process home_root_t (dir (open getattr setattr read write link search add_name remove_name reparent lock ioctl)))
|
||||
(allow process user_home_t (dir (open getattr setattr read write link search add_name remove_name reparent lock ioctl)))
|
||||
|
||||
(allow process user_home_t (file (open getattr read write append ioctl lock)))
|
||||
(allow process user_home_dir_t (file (open getattr read write append ioctl lock)))
|
||||
)
|
||||
)
|
||||
|
||||
(block home_manage_container
|
||||
(blockinherit home_rw_container)
|
||||
(optional home_manage_container_optional
|
||||
(allow process user_home_dir_t (dir (create unlink rename rmdir )))
|
||||
(allow process home_root_t (dir (create unlink rename rmdir )))
|
||||
(allow process user_home_t (dir (create unlink rename rmdir )))
|
||||
|
||||
(allow process user_home_t (file (create rename link unlink )))
|
||||
(allow process user_home_dir_t (file (create rename link unlink )))
|
||||
)
|
||||
)
|
|
@ -1,35 +0,0 @@
|
|||
(block log_container
|
||||
(optional log_container_optional
|
||||
(allow process var_t (dir (getattr search open)))
|
||||
(allow process logfile (dir (ioctl read getattr lock search open)))
|
||||
(allow process logfile (file (ioctl read getattr lock open map)))
|
||||
(allow process auditd_log_t (dir (ioctl read getattr lock search open)))
|
||||
(allow process auditd_log_t (file (ioctl read getattr lock open)))
|
||||
)
|
||||
)
|
||||
|
||||
|
||||
(block log_rw_container
|
||||
(blockinherit log_container)
|
||||
|
||||
(optional log_rw_container_optional
|
||||
(allow process logfile (dir (ioctl read write create getattr setattr lock add_name search open)))
|
||||
(allow process logfile (file (ioctl read write create getattr setattr lock append open)))
|
||||
(allow process logfile (lnk_file (ioctl read write getattr lock append open)))
|
||||
(allow process var_t (dir (getattr search open)))
|
||||
(allow process auditd_log_t (dir (ioctl read getattr lock search open)))
|
||||
(allow process auditd_log_t (file (ioctl read getattr lock open)))
|
||||
)
|
||||
)
|
||||
|
||||
(block log_manage_container
|
||||
(blockinherit log_rw_container)
|
||||
|
||||
(optional log_manage_container_optional
|
||||
(allow process logfile (dir (ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open)))
|
||||
(allow process logfile (file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||||
(allow process logfile (lnk_file (ioctl read write create getattr setattr lock append unlink link rename)))
|
||||
(allow process auditd_log_t (dir (ioctl read write getattr lock search open)))
|
||||
(allow process auditd_log_t (file (ioctl read write getattr lock open)))
|
||||
)
|
||||
)
|
|
@ -1,25 +0,0 @@
|
|||
(block net_container
|
||||
(optional net_container_optional
|
||||
(typeattributeset sandbox_net_domain (process))
|
||||
)
|
||||
)
|
||||
|
||||
(block restricted_net_container
|
||||
(optional restricted_net_container_optional
|
||||
(allow process process (tcp_socket (ioctl read getattr lock write setattr append bind connect getopt setopt shutdown create listen accept)))
|
||||
(allow process process (udp_socket (ioctl read getattr lock write setattr append bind connect getopt setopt shutdown create)))
|
||||
(allow process process (sctp_socket (ioctl read getattr lock write setattr append bind connect getopt setopt shutdown create)))
|
||||
|
||||
(allow process proc_t (lnk_file (read)))
|
||||
|
||||
(allow process node_t (node (tcp_recv tcp_send recvfrom sendto)))
|
||||
(allow process node_t (node (udp_recv recvfrom)))
|
||||
(allow process node_t (node (udp_send sendto)))
|
||||
|
||||
(allow process node_t (udp_socket (node_bind)))
|
||||
(allow process node_t (tcp_socket (node_bind)))
|
||||
|
||||
(allow process http_port_t (tcp_socket (name_connect)))
|
||||
(allow process http_port_t (tcp_socket (recv_msg send_msg)))
|
||||
)
|
||||
)
|
|
@ -1,15 +0,0 @@
|
|||
(block tmp_container
|
||||
(optional tmp_container_optional
|
||||
(allow process tmpfile (dir (getattr search open)))
|
||||
(allow process tmpfile (file (ioctl read getattr lock open)))
|
||||
)
|
||||
)
|
||||
|
||||
(block tmp_rw_container
|
||||
(blockinherit tmp_container)
|
||||
|
||||
(optional tmp_rw_container_optional
|
||||
(allow process tmpfile (file (ioctl read write getattr lock append open)))
|
||||
(allow process tmpfile (dir (ioctl read write getattr lock append open)))
|
||||
)
|
||||
)
|
|
@ -1,9 +0,0 @@
|
|||
(block tty_container
|
||||
(optional tty_container_optional
|
||||
(allow process device_t (dir (getattr search open)))
|
||||
(allow process device_t (dir (ioctl read getattr lock search open)))
|
||||
(allow process device_t (lnk_file (read getattr)))
|
||||
|
||||
(allow process devtty_t (chr_file (ioctl read write getattr lock append open)))
|
||||
)
|
||||
)
|
|
@ -1,14 +0,0 @@
|
|||
(block virt_container
|
||||
(optional virt_container_optional
|
||||
(allow process var_t (dir (getattr search open)))
|
||||
(allow process var_t (lnk_file (read getattr)))
|
||||
|
||||
(allow process var_run_t (dir (getattr search open)))
|
||||
(allow process var_run_t (lnk_file (read getattr)))
|
||||
|
||||
(allow process virt_var_run_t (dir (getattr search open)))
|
||||
(allow process virt_var_run_t (sock_file (write getattr append open)))
|
||||
|
||||
(allow process virtd_t (unix_stream_socket (connectto)))
|
||||
)
|
||||
)
|
|
@ -1,25 +0,0 @@
|
|||
(block x_container
|
||||
(optional x_container_optional
|
||||
(allow xserver_t process (shm (getattr read write associate unix_read unix_write lock)))
|
||||
|
||||
(allow process xserver_t (unix_stream_socket (connectto)))
|
||||
|
||||
(allow process device_t (dir (getattr search open)))
|
||||
|
||||
(allow process dri_device_t (chr_file (ioctl read write getattr lock append open map)))
|
||||
|
||||
(allow process xserver_misc_device_t (chr_file (ioctl read write getattr lock append open map)))
|
||||
|
||||
(allow process urandom_device_t (chr_file (open read)))
|
||||
|
||||
(allow process tmpfs_t (dir (getattr search open)))
|
||||
|
||||
(allow process tmp_t (dir (getattr search open)))
|
||||
(allow process tmp_t (lnk_file (read getattr)))
|
||||
|
||||
(allow process xserver_tmp_t (dir (getattr search open)))
|
||||
(allow process xserver_tmp_t (sock_file (write getattr append open)))
|
||||
|
||||
(allow process xserver_exec_t (file (ioctl read getattr lock map execute execute_no_trans open)))
|
||||
)
|
||||
)
|