mirror of https://github.com/containers/udica synced 2024-09-21 09:41:35 +02:00
Commit Graph

5 Commits

Author SHA1 Message Date
Vit Mojzis
6a7382bead Fix generating policy for Crio mounts
Fix issue introduced by
Commit 7c7b9ad505
"Avoid duplicate rules for accessing mounts and devices"
where policy rules for "read-only mounts" are not generated properly.

Adjust Crio basic test to incorporate a read only mount that is not
covered by a special case ("/home" is handled by "home_container" and
anything under "/var/lib/kubelet" is ignored).

Thanks https://github.com/arcardon (jamjcardona@sbcglobal.net) for
spotting this in the code.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2023-04-20 13:17:24 +02:00
Lukas Vrabec
31bccb3100 Support '--device /dev/XXX' podman parameter
Commit adds functionality to generate allow rules when the --device switch
is used for podman, e.g.: podman run --device /dev/tty0 fedora /bin/bash

The output policy should look like:
(block devtest
    (blockinherit container)
    (allow process process ( capability ( audit_write chown dac_override fowner fsetid kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot )))

    (allow process tty_device_t ( blk_file ( getattr read write append ioctl lock open )))
    (allow process tty_device_t ( chr_file ( getattr read write append ioctl lock open )))
)

The feature is applicable for podman and docker engines; CRI-O uses
a bind-mount solution.
2020-11-25 17:54:14 +01:00
Lukas Vrabec
cdf857ab6b Make udica code compliant to the PEP-8 style.
Fix formatting on all python source code files to follow PEP-8 code
style.
https://www.python.org/dev/peps/pep-0008/
2019-10-16 12:28:12 +02:00
Lukas Vrabec
3bd08aef66 Test for "Get SELinux context of mountpoint from xattr"
2019-06-15 22:35:09 +02:00
Jan Zarsky
840c63122a Create mock selinux and semanage module
Previously, the tests needed to be run on SELinux enabled system as
root. Mock selinux and semanage modules so that the tests can be run
anywhere and without root permissions.
2019-03-12 10:24:37 +01:00