Improve permission set for log_container template
For the log_rw_container it wasn't possible to create new files, which is normally required. So we're adding this capability, while still not allowing that container to rename that directory or remove files from it, as a security measure. The auditd_log_t rules were also modified to be more restrictive for the log_rw_container block, so we only allow reads now. However, the write capability was kept for the log_manage_container block.
This commit is contained in:
parent
aa30540f51
commit
db10deb2c3
@ -12,12 +12,12 @@
|
||||
(block log_rw_container
|
||||
(blockinherit log_container)
|
||||
|
||||
(allow process logfile (dir (getattr search open)))
|
||||
(allow process logfile (file (ioctl read write getattr lock append open)))
|
||||
(allow process logfile (dir (ioctl read write create getattr setattr lock add_name search open)))
|
||||
(allow process logfile (file (ioctl read write create getattr setattr lock append open)))
|
||||
(allow process logfile (lnk_file (ioctl read write getattr lock append open)))
|
||||
(allow process var_t (dir (getattr search open)))
|
||||
(allow process auditd_log_t (dir (ioctl read write getattr lock search open)))
|
||||
(allow process auditd_log_t (file (ioctl read write getattr lock open)))
|
||||
(allow process auditd_log_t (dir (ioctl read getattr lock search open)))
|
||||
(allow process auditd_log_t (file (ioctl read getattr lock open)))
|
||||
)
|
||||
|
||||
(block log_manage_container
|
||||
@ -26,5 +26,6 @@
|
||||
(allow process logfile (dir (ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open)))
|
||||
(allow process logfile (file (ioctl read write create getattr setattr lock append unlink link rename open)))
|
||||
(allow process logfile (lnk_file (ioctl read write create getattr setattr lock append unlink link rename)))
|
||||
|
||||
(allow process auditd_log_t (dir (ioctl read write getattr lock search open)))
|
||||
(allow process auditd_log_t (file (ioctl read write getattr lock open)))
|
||||
)
|
||||
|
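Review bot: The new dir rule in the first hunk, `(allow process logfile (dir (ioctl read write create getattr setattr lock add_name search open)))`, and the file rule right below it both grant `setattr` on logfile objects, which lets the container change mode, ownership and timestamps of existing log files and directories; that is broader than what creating new files typically needs (`create` on the file class plus `write` and `add_name` on the directory, which the hunk already grants). If the description's intent is only to allow new files, the tighter lines would be `(allow process logfile (dir (ioctl read write create getattr lock add_name search open)))` and `(allow process logfile (file (ioctl read write create getattr lock append open)))`. In the second hunk the log_manage_container rules keep `write` on auditd_log_t files, which permits in-place modification of existing audit records rather than only adding to them; if that tier only needs to add entries, `append` would be the narrower grant. The rest of the log_manage_container block, including its header, lies outside the second hunk.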