From f9763185014138f4b897fa56b302946ffda074b4 Mon Sep 17 00:00:00 2001
From: Ben Cressey
Date: Fri, 16 Apr 2021 17:35:31 +0000
Subject: [PATCH] selinux-policy: restrict bootstrap container user data

This is a follow-up to ea35f1bb, which added similar restrictions for host container user data.

Signed-off-by: Ben Cressey
---
 packages/os/bootstrap-containers-tmpfiles.conf | 2 +-
 packages/selinux-policy/fs.cil | 2 ++
 packages/selinux-policy/rules.cil | 5 +++--
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/packages/os/bootstrap-containers-tmpfiles.conf b/packages/os/bootstrap-containers-tmpfiles.conf
index 577d6fe8941..7a7aa9b3a82 100644
--- a/packages/os/bootstrap-containers-tmpfiles.conf
+++ b/packages/os/bootstrap-containers-tmpfiles.conf
@@ -1,3 +1,3 @@
 d /etc/bootstrap-containers 0750 root root -
 d /local/bootstrap-containers 0700 root root -
-T /local/bootstrap-containers - - - - security.selinux=system_u:object_r:state_t:s0
+T /local/bootstrap-containers - - - - security.selinux=system_u:object_r:secret_t:s0
diff --git a/packages/selinux-policy/fs.cil b/packages/selinux-policy/fs.cil
index eb21896a194..56618095dcf 100644
--- a/packages/selinux-policy/fs.cil
+++ b/packages/selinux-policy/fs.cil
@@ -64,6 +64,8 @@
 ; Label local state directories.
 (filecon "/local/host-containers" any secret)
 (filecon "/local/host-containers/.*" any secret)
+(filecon "/local/bootstrap-containers" any secret)
+(filecon "/local/bootstrap-containers/.*" any secret)
 (filecon "/var/lib/chrony" any measure)
 (filecon "/var/lib/chrony/.*" any measure)
 (filecon "/var/lib/systemd" any state)
diff --git a/packages/selinux-policy/rules.cil b/packages/selinux-policy/rules.cil
index 30f0077d5a8..4b2dc00de84 100644
--- a/packages/selinux-policy/rules.cil
+++ b/packages/selinux-policy/rules.cil
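Review bot: The secret_t label for /local/bootstrap-containers is now asserted in three independent places — the `T` line in this hunk, the two new filecon entries in the fs.cil hunk, and the typetransition in the rules.cil hunk — with nothing in any of the files pointing at the others, so a later edit to one can silently drift from the rest. A short comment above the `T` line, `# Label must match the filecon for /local/bootstrap-containers in selinux-policy/fs.cil`, would make that coupling visible; the host-containers entries this mirrors would benefit from the same note. The allow rules that let the bootstrap-container runtime read and write secret_t are not in this diff and are presumably the ones already in place for host containers; it is worth confirming that before merge, since a missing rule would surface as a denial when the first bootstrap container starts.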
@@ -101,9 +101,10 @@
 ; ... docker's image layers
 (typetransition runtime_t local_t dir "overlay2" cache_t)
-; If a system process creates a directory for host container state, it
-; receives the "secret_t" label.
+; If a system process creates a directory for host or bootstrap container
+; state, it receives the "secret_t" label.
 (typetransition system_t local_t dir "host-containers" secret_t)
+(typetransition system_t local_t dir "bootstrap-containers" secret_t)
 ; The socket for the API server gets the "api_socket_t" label.
 (typetransition api_t any_t sock_file "api.sock" api_socket_t)
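Review bot: The new typetransition only applies when the `bootstrap-containers` directory is created by system_t under local_t; a directory of that name created by any other domain keeps the default local_t label until the tmpfiles `T` line or a restorecon against the fs.cil filecon relabels it. If relying on those two mechanisms for the non-system_t case is intended, the comment above the rule could say so, e.g. `; Other creators are covered by the tmpfiles T line and the filecon in fs.cil.`, so the next reader does not look for a missing rule. The same applies to the existing host-containers transition the new line mirrors.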