The confinedom_user_login_macro is needed for all custom users.
Also, allow the new user type to be accessed via remote login.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Udica can now generate cil policy for a confined user using a list of
macros.
The macros are based on policy templates created by Patrik Končitý:
https://github.com/Koncpa/confined-users-policy
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Display of release number is a burden to update on new CI VM images and
getting it wrong (or forgetting) could be unhelpful to developers.
Since it's mainly cosmetic, and not used by any tests, remove it.
Signed-off-by: Chris Evich <cevich@redhat.com>
Fix issue introduced by
Commit 7c7b9ad505
"Avoid duplicate rules for accessing mounts and devices"
where policy rules for "read-only mounts" are not generated properly.
Adjust Crio basic test to incorporate a read only mount that is not
covered by a special case ("/home" is handled by "home_container" and
anything under "/var/lib/kubelet" is ignored).
Thanks https://github.com/arcardon (jamjcardona@sbcglobal.net) for
spotting this in the code.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Ref: https://github.com/containers/automation_images/pull/246
Also, fully remove any hint that CI will ever work on the prior-supported
Fedora release. Doing so requires some special CNI setup in the podman
repository CI scripts. I attempted to re-use them here (in `build.sh`)
but it was too difficult and likely would be error-prone.
Signed-off-by: Chris Evich <cevich@redhat.com>
Note F35 is disabled due to golang 1.18 requirement in podman. The
PRIOR_FEDORA... runs may be put back in place when F37 is released.
Signed-off-by: Chris Evich <cevich@redhat.com>
Explain the implications of generating policy based on security labels
as opposed to filesystem paths, port numbers, etc.
https://github.com/containers/udica/issues/7
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
When a test job fails, GitHub automatically cancels other similar tests.
This often leads to "Fedora" jobs being canceled because of a trivial
issue on CentOS or older Fedora versions.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
quay.io provides CentOS Stream 8 and 9 images as well as a working
fedora:latest image.
Fixes:
checks / tests (centos:centos8):
Run rpm -q python3 || dnf install --nogpgcheck -y python3
package python3 is not installed
CentOS Linux 8 - AppStream 195 B/s | 38 B 00:00
Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: No URLs in mirrorlist
Error: Process completed with exit code 1.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
list_contexts may return duplicate contexts. This combined with multiple
mounts/devices that may share contexts leads to many duplicate allow
rules.
Example:
tests/test_basic.podman.cil:8-11
tests/test_basic.podman.cil:392-395
duplicate RW mount permissions for var_spool_t
tests/test_basic.podman.cil:28-31
tests/test_basic.podman.cil:264-267
tests/test_basic.podman.cil:304-307
duplicate RW mount permissions for abrt_retrace_spool_t
This patch significantly reduces the size of most test cil policies,
e.g. test_basic.podman.cil 396 -> 253 lines
test_basic.docker.cil 394 -> 254 lines
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
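The duplication described in the commit message above, as an added example that is not udica's own code: a context lookup returns one SELinux type per mount, so types shared by several mounts repeat, and a rule writer that emits one allow block per type then writes the same block several times. Deduplicating the type list before writing removes the repeats. The mount table, the permission sets and the two-line allow block shape are constructed for this example; `duplicate_rules` is a hypothetical check that a practitioner can run over any generated policy to find repeated rules.

```python
"""Model of duplicate allow rules from a context list that repeats types.

Added example, not udica's code. MOUNTS, RW_PERMS, RO_PERMS and the rule
shape are constructed for illustration.
"""
from collections import Counter

# Constructed sample: (container path, SELinux type of the host source, read-only?)
MOUNTS = [
    ("/var/spool", "var_spool_t", False),
    ("/var/spool/abrt", "abrt_retrace_spool_t", False),
    ("/var/spool/abrt-retrace", "abrt_retrace_spool_t", False),
    ("/var/spool/cron", "var_spool_t", False),
    ("/etc/localtime", "locale_t", True),
    ("/usr/share/zoneinfo", "locale_t", True),
]

# Constructed permission sets for read-write and read-only mounts
RW_PERMS = ("create", "open", "getattr", "setattr", "read", "write",
            "rename", "link", "unlink", "ioctl", "lock")
RO_PERMS = ("open", "getattr", "read", "ioctl", "lock")


def list_contexts(mounts, read_only):
    """One type per matching mount: types shared by several mounts repeat."""
    return [ctx_type for _, ctx_type, ro in mounts if ro == read_only]


def dedupe(types):
    """Drop repeated types while keeping first-seen order (dict preserves insertion order)."""
    return list(dict.fromkeys(types))


def rules_for(types, read_only):
    """Emit one allow block (dir + file) per type in the list, duplicates included."""
    perms = " ".join(RO_PERMS if read_only else RW_PERMS)
    lines = []
    for ctx_type in types:
        lines.append(f"(allow process {ctx_type} ( dir ( {perms} )))")
        lines.append(f"(allow process {ctx_type} ( file ( {perms} )))")
    return lines


def generate(mounts, dedup):
    """Generate mount rules; dedup=True applies the fix before rules are written."""
    out = []
    for read_only in (False, True):
        types = list_contexts(mounts, read_only)
        if dedup:
            types = dedupe(types)
        out.extend(rules_for(types, read_only))
    return out


def duplicate_rules(lines):
    """Hypothetical check: rule lines that appear more than once, in first-seen order."""
    counts = Counter(lines)
    return [line for line in dict.fromkeys(lines) if counts[line] > 1]


if __name__ == "__main__":
    naive = generate(MOUNTS, dedup=False)
    fixed = generate(MOUNTS, dedup=True)
    print(f"without dedup: {len(naive)} lines, {len(duplicate_rules(naive))} repeated rules")
    print(f"with dedup:    {len(fixed)} lines, {len(duplicate_rules(fixed))} repeated rules")
    print("\n".join(fixed))
```

Running the script shows the naive path writing 12 rule lines of which 6 are repeats, while the deduplicated path writes 6 distinct lines; the line-count drop mirrors the reduction the commit message reports for the test policies.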
- Auto-detect containerd inspect files
- Use write_policy_for_podman_devices instead of a custom function
- Fix "path" to capabilities
- Fix issues reported by lint and black
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
- Download policy templates from container-selinux github if not present
in the system
- Cirrus only installs container-selinux - this way GitHub PRs are
tested both with latest version of templates and with the released one
- GitHub workflow now needs git to clone container-selinux repo
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Move udica policy templates to container-selinux package so that
administrators can deploy udica-generated policies on OpenShift nodes
without installing udica everywhere.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>