fix various SELinux policy issues

packages/selinux-policy/fs.cil

@@ -26,7 +26,7 @@
 (genfscon debugfs / any)
 (genfscon kvmfs / any)
 (genfscon nsfs / any)
-(genfscon proc / any)
+(genfscon proc / proc)
 (genfscon pstore / any)
 (genfscon ramfs / any)
 (genfscon rootfs / any)
@@ -81,7 +81,7 @@
 (filecon "/var/lib/netdog/.*" any lease)
 
 ; Label kernel filesystem mounts.
-(filecon "/proc" any any)
+(filecon "/proc" any proc)
 (filecon "/proc/.*" any ())
 (filecon "/sys" any any)
 (filecon "/sys/.*" any ())
@@ -97,7 +97,8 @@
 (filecon "/run/.*" any ())
 
 ; Label external filesystem mounts.
-(filecon "/mnt" any external)
+(filecon "/mnt" any local)
 (filecon "/mnt/.*" any ())
-(filecon "/media" any external)
+(filecon "/media" any local)
+(filecon "/media/cdrom" any local)
 (filecon "/media/.*" any ())

packages/selinux-policy/object.cil

@@ -39,8 +39,13 @@
 (roletype object_r runtime_exec_t)
 (context runtime_exec (system_u object_r runtime_exec_t s0))
 
+; Files under /proc.
+(type proc_t)
+(roletype object_r proc_t)
+(context proc (system_u object_r proc_t s0))
+
 ; Files where we have no specific policy objectives, such as
-; those on kernel filesystems like /proc and /dev.
+; tmpfs mounts and various kernel filesystems.
 (type any_t)
 (roletype object_r any_t)
 (context any (system_u object_r any_t s0))
@@ -50,16 +55,18 @@
 (roletype object_r etc_t)
 (context etc (system_u object_r etc_t s0))
 
-; Files that have no label, or perhaps an invalid label.
-(type unlabeled_t)
-(roletype object_r unlabeled_t)
-(context unlabeled (system_u object_r unlabeled_t s0))
-
 ; Files created on local storage.
 (type local_t)
 (roletype object_r local_t)
 (context local (system_u object_r local_t s0))
 
+; The "external_t" and "unlabeled_t" types were removed to simplify
+; the policy. Add aliases for backwards compatibility.
+(typealias external_t)
+(typealias unlabeled_t)
+(typealiasactual external_t local_t)
+(typealiasactual unlabeled_t local_t)
+
 ; Alias "container_file_t" to "local_t" for compatibility with
 ; the container-selinux policy.
 (typealias container_file_t)
@@ -105,11 +112,6 @@
 (roletype object_r secret_t)
 (context secret (system_u object_r secret_t s0))
 
-; Files that are mount points for external filesystems.
-(type external_t)
-(roletype object_r external_t)
-(context external (system_u object_r external_t s0))
-
 ; Dynamic objects are files on temporary storage with special rules.
 (typeattribute dynamic_o)
 (typeattributeset dynamic_o (etc_t))
@@ -129,18 +131,16 @@
   os_t init_exec_t api_exec_t clock_exec_t
   network_exec_t bus_exec_t runtime_exec_t))
 
-; Ephemeral objects reside on storage with a different lifecycle
-; from the rest of the OS, such as tmpfs filesystems, EBS volumes,
-; and EFS filesystems.
+; Ephemeral objects reside on tmpfs filesystems.
 (typeattribute ephemeral_o)
-(typeattributeset ephemeral_o (any_t external_t unlabeled_t))
+(typeattributeset ephemeral_o (any_t proc_t))
 
 ; The set of all objects.
 (typeattribute all_o)
 (typeattributeset all_o (
   os_t init_exec_t api_exec_t clock_exec_t
   network_exec_t bus_exec_t runtime_exec_t
-  any_t etc_t unlabeled_t external_t
+  any_t etc_t proc_t
   local_t private_t secret_t cache_t
   lease_t measure_t state_t
   api_socket_t))

packages/selinux-policy/rules.cil

@@ -85,11 +85,6 @@
 ; Allow containers to communicate with runtimes via pipes.
 (allow container_s runtime_t (files (mutate)))
 
-; If a trusted process creates a file or directory when the parent
-; directory has no label, it receives the "local_t" label.
-(typetransition trusted_s unlabeled_t file local_t)
-(typetransition trusted_s unlabeled_t dir local_t)
-
 ; If a runtime process creates a directory for cached container archives
 ; or snapshot layers on local storage, it receives the "cache_t" label.
 ; ... containerd's pristine archives
@@ -200,6 +195,9 @@
 ; be useful for containers, and we don't use it in the host.
 (neverallow all_s global (files (block)))
 
+; All subject labels can be used for files on /proc.
+(allow all_s proc_t (filesystem (associate)))
+
 ; All object labels can be used for files on filesystems that have
 ; the same label, and for files on ephemeral storage.
 (allow all_o self (filesystem (associate)))

packages/selinux-policy/sid.cil

@@ -42,10 +42,10 @@
 (sidcontext security kernel)
 (sidcontext devnull kernel)
 
-; Apply the "unlabeled" context for entities with an invalid context,
-; and for files with no context at all, which are treated the same.
-(sidcontext unlabeled unlabeled)
-(sidcontext file unlabeled)
+; Apply the "local" context for entities with an invalid context, and
+; for files with no context at all, which are treated the same.
+(sidcontext unlabeled local)
+(sidcontext file local)
 
 ; Apply the "any" context for entities like sockets, ports, and
 ; network interfaces if they are otherwise unlabeled.