-
Notifications
You must be signed in to change notification settings - Fork 28
/
Copy pathqm.if
667 lines (578 loc) · 26.5 KB
/
qm.if
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
## <summary></summary>
########################################
## <summary>
## Creates types and rules for a basic
## container runtime process domain.
## </summary>
## <param name="prefix">
## <summary>
## Prefix for the domain.
## </summary>
## </param>
#
template(`qm_domain_template',`
gen_require(`
class dbus { send_msg acquire_svc };
class passwd rootok;
attribute container_domain;
attribute filesystem_type;
attribute container_init_domain;
attribute container_net_domain;
attribute container_user_domain;
attribute unconfined_domain_type;
type ipc_t;
type ipc_var_run_t;
type cgroup_t;
type container_runtime_t;
type devpts_t;
type fusefs_t;
type hugetlbfs_t;
type init_t;
type iptables_t;
type mtrr_device_t;
type proc_kcore_t;
type proc_kmsg_t;
type proc_t;
type sysctl_irq_t;
type sysctl_t;
type system_dbusd_t;
type systemd_hostnamed_t;
type systemd_logind_t;
type systemd_machined_t;
type unconfined_service_t;
type bpf_t;
type container_devpts_t;
type net_conf_t;
type getty_t;
')
type $1_t;
domain_type($1_t)
role system_r types $1_t;
unconfined_stub_role()
role unconfined_r types $1_t;
init_initrc_domain($1_t)
container_use_ptys($1_t)
container_read_share_files($1_t)
container_exec_share_files($1_t)
allow $1_t container_ro_file_t:file execmod;
allow $1_container_domain $1_file_type:chr_file { rw_inherited_file_perms };
attribute $1_file_type;
allow $1_file_type self:filesystem associate;
type $1_file_t, $1_file_type;
files_type($1_file_t)
files_mountpoint($1_file_t)
allow $1_file_t devpts_t:filesystem associate;
type $1_container_var_lib_t, $1_file_type;
files_mountpoint($1_container_var_lib_t)
type $1_container_ro_file_t, $1_file_type;
files_type($1_container_ro_file_t)
files_mountpoint($1_container_ro_file_t)
allow $1_t $1_file_type:file { execmod relabelfrom relabelto map entrypoint mounton };
allow $1_t $1_file_type:dir_file_class_set { relabelfrom relabelto };
manage_files_pattern($1_t, $1_file_type, $1_file_type)
can_exec($1_t, $1_file_type)
allow $1_t $1_file_type:chr_file mounton;
allow $1_t $1_file_type:sock_file mounton;
list_dirs_pattern($1_t, ipc_var_run_t, ipc_var_run_t)
allow $1_t ipc_var_run_t:dir mounton;
manage_blk_files_pattern($1_t, $1_file_type, $1_file_type)
manage_chr_files_pattern($1_t, $1_file_type, $1_file_type)
manage_dirs_pattern($1_t, $1_file_type, $1_file_type)
manage_fifo_files_pattern($1_t, $1_file_type, $1_file_type)
manage_lnk_files_pattern($1_t, $1_file_type, $1_file_type)
manage_sock_files_pattern($1_t, $1_file_type, $1_file_type)
fs_tmpfs_filetrans($1_t, $1_file_t, { dir file lnk_file })
allow $1_t $1_file_type:chr_file { watch watch_reads };
allow $1_t $1_file_type:dir { mounton relabelfrom relabelto };
allow $1_t $1_file_type:filesystem all_filesystem_perms;
allow $1_t $1_file_type:service all_service_perms;
container_read_share_files($1_container_domain)
container_exec_share_files($1_container_domain)
allow $1_container_domain container_ro_file_t:file execmod;
allow init_t $1_file_type:file read_file_perms;
manage_blk_files_pattern(init_t, $1_file_type, $1_file_type)
manage_chr_files_pattern(init_t, $1_file_type, $1_file_type)
manage_dirs_pattern(init_t, $1_file_type, $1_file_type)
manage_fifo_files_pattern(init_t, $1_file_type, $1_file_type)
manage_lnk_files_pattern(init_t, $1_file_type, $1_file_type)
manage_sock_files_pattern(init_t, $1_file_type, $1_file_type)
filetrans_pattern($1_t, $1_file_t, $1_container_var_lib_t, dir, "containers")
filetrans_pattern($1_t, $1_container_var_lib_t, $1_container_ro_file_t, dir, "overlay")
filetrans_pattern($1_t, $1_container_var_lib_t, $1_container_ro_file_t, dir, "overlay-images")
filetrans_pattern($1_t, $1_container_var_lib_t, $1_container_ro_file_t, dir, "overlay-layers")
filetrans_pattern($1_t, $1_container_var_lib_t, $1_container_ro_file_t, dir, "overlay2")
filetrans_pattern($1_t, $1_container_var_lib_t, $1_container_ro_file_t, dir, "overlay2-imagess")
filetrans_pattern($1_t, $1_container_var_lib_t, $1_container_ro_file_t, dir, "overlay2-layers")
allow $1_container_domain $1_container_ro_file_t:file execmod;
ps_process_pattern(systemd_machined_t, $1_t)
read_files_pattern(systemd_machined_t, $1_file_type, $1_file_type)
list_dirs_pattern(systemd_machined_t, $1_file_type, $1_file_type)
read_lnk_files_pattern(systemd_machined_t, $1_file_type, $1_file_type)
rw_sock_files_pattern(systemd_machined_t, $1_file_type, $1_file_type)
manage_chr_files_pattern(systemd_machined_t, $1_file_type, $1_file_type)
allow systemd_machined_t $1_t:unix_stream_socket { connectto rw_stream_socket_perms };
allow system_dbusd_t $1_file_type:chr_file rw_chr_file_perms;
allow systemd_machined_t unconfined_service_t:dir search_dir_perms;
systemd_dbus_chat_machined($1_t)
allow systemd_machined_t self:cap_userns kill;
ps_process_pattern(systemd_logind_t, $1_t)
manage_files_pattern(systemd_logind_t, $1_file_type, $1_file_type)
manage_dirs_pattern(systemd_logind_t, $1_file_type, $1_file_type)
manage_lnk_files_pattern(systemd_logind_t, $1_file_type, $1_file_type)
rw_sock_files_pattern(systemd_logind_t, $1_file_type, $1_file_type)
manage_chr_files_pattern(systemd_logind_t, $1_file_type, $1_file_type)
allow systemd_logind_t $1_t:unix_stream_socket { connectto rw_stream_socket_perms };
allow system_dbusd_t $1_file_type:chr_file rw_chr_file_perms;
allow $1_t self:system all_system_perms;
allow $1_t self:user_namespace all_user_namespace_perms;
allow $1_t self:bpf { map_create map_read map_write prog_load prog_run };
allow $1_t self:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid kill net_bind_service net_admin net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace sys_resource };
allow $1_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill net_bind_service net_admin net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_ptrace sys_resource sys_tty_config };
allow $1_t self:capability2 { audit_read bpf perfmon};
allow $1_t self:packet_socket create_socket_perms;
allow $1_t self:icmp_socket create_stream_socket_perms;
allow $1_t self:key { setattr write };
allow $1_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow $1_t self:dbus all_dbus_perms;
allow $1_t self:netlink_generic_socket create_socket_perms;
allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
allow $1_t self:netlink_netfilter_socket create_socket_perms;
allow $1_t self:netlink_route_socket create_netlink_socket_perms;
allow $1_t self:netlink_selinux_socket create_socket_perms;
allow $1_t self:netlink_socket create_socket_perms;
allow $1_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
allow $1_t self:process { getattr getcap getpgid getrlimit getsched setcap setexec setkeycreate setpgid setfscreate setrlimit setsockcreate setsched signal_perms };
allow $1_t self:rawip_socket create_stream_socket_perms;
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
allow $1_t self:unix_dgram_socket { sendto create_socket_perms };
allow $1_t self:unix_stream_socket { connectto rw_stream_socket_perms };
dontaudit $1_t net_conf_t:file manage_file_perms;
init_access_check($1_t)
miscfiles_watch_localization_files($1_t)
seutil_search_default_contexts($1_t)
allow $1_t bpf_t:dir mounton;
allow $1_t cgroup_t:filesystem { getattr remount};
allow $1_t cgroup_t:{dir file } mounton;
allow $1_t container_devpts_t:chr_file { watch watch_reads };
allow $1_t container_runtime_t:fifo_file rw_fifo_file_perms;
allow $1_t devpts_t:filesystem relabelfrom;
allow $1_t hugetlbfs_t:dir relabelfrom;
allow $1_t mtrr_device_t:file { getattr mounton };
allow $1_t proc_kcore_t:file { getattr mounton };
allow $1_t proc_kmsg_t:file { getattr mounton };
allow $1_t proc_t:file mounton;
allow $1_t security_t:dir read;
allow $1_t sysctl_irq_t:dir { getattr mounton };
allow $1_t sysctl_t:file { getattr mounton };
corecmd_entrypoint_all_executables($1_t)
corecmd_exec_bin($1_t)
corecmd_exec_shell($1_t)
corenet_icmp_bind_generic_node($1_t)
corenet_raw_bind_generic_node($1_t)
corenet_rw_tun_tap_dev($1_t)
corenet_sctp_bind_all_ports($1_t)
corenet_sctp_connect_all_ports($1_t)
corenet_tcp_bind_all_ports($1_t)
corenet_tcp_bind_generic_node($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
corenet_udp_bind_all_ports($1_t)
corenet_udp_bind_generic_node($1_t)
corenet_udp_sendrecv_all_ports($1_t)
dev_dontaudit_mounton_sysfs($1_container_domain)
dev_getattr_mtrr_dev($1_container_domain)
dev_list_sysfs($1_container_domain)
dev_list_sysfs($1_t)
dev_mounton_sysfs($1_t)
dev_mounton_sysfs($1_t)
dev_read_rand($1_t)
dev_read_sysfs($1_t)
dev_read_urand($1_t)
dev_remount_sysfs_fs($1_t)
dev_write_sysfs_dirs($1_t)
files_getattr_all_blk_files($1_t)
files_getattr_all_chr_files($1_t)
files_getattr_all_dirs($1_t)
files_getattr_all_file_type_fs($1_t)
files_getattr_all_files($1_t)
files_getattr_all_pipes($1_t)
files_getattr_all_sockets($1_t)
files_list_all($1_t)
files_mounton_kernel_symbol_table($1_t)
fs_all_mount_fs_perms_tmpfs($1_t)
fs_all_mount_fs_perms_xattr_fs($1_t)
fs_associate_cgroupfs($1_file_t)
fs_getattr_all_fs($1_t)
fs_list_all($1_t)
fs_manage_cgroup_dirs($1_t)
fs_manage_cgroup_files($1_t)
fs_read_nsfs_files($1_t)
fs_relabelfrom_tmpfs($1_t)
fs_relabelfrom_xattr_fs($1_t)
fs_search_tracefs_dirs($1_t)
fs_set_xattr_fs_quotas($1_t)
allow $1_t nsfs_t:filesystem { getattr unmount };
domain_obj_id_change_exemption($1_t)
kernel_dgram_send($1_t)
kernel_dontaudit_search_security_state($1_t)
kernel_list_all_proc($1_t)
kernel_mounton_core_if($1_t)
kernel_mounton_kernel_sysctl($1_t)
kernel_mounton_kernel_sysctl($1_t)
kernel_mounton_messages($1_t)
kernel_mounton_proc($1_t)
kernel_mounton_proc($1_t)
kernel_mounton_systemd_ProtectKernelTunables($1_t)
kernel_mounton_systemd_ProtectKernelTunables($1_t)
kernel_read_all_sysctls($1_t)
kernel_read_fs_sysctls($1_t)
kernel_read_net_sysctls($1_t)
kernel_read_network_state($1_t)
kernel_read_network_state_symlinks($1_t)
kernel_read_proc_files($1_t)
kernel_read_security_state($1_t)
kernel_read_unix_sysctls($1_t)
kernel_request_load_module($1_t)
kernel_rw_fs_sysctls($1_t)
kernel_rw_kernel_sysctl($1_t)
kernel_rw_net_sysctls($1_t)
kernel_rw_security_state($1_t)
kernel_rw_unix_sysctls($1_t)
kernel_rw_vm_sysctls($1_t)
kernel_rw_usermodehelper_state($1_t)
kernel_rw_vm_sysctls($1_t)
kernel_search_debugfs($1_t)
dontaudit $1_t proc_security_t:file write;
allow $1_t filesystem_type:filesystem { mount remount unmount };
unconfined_dgram_send($1_t)
selinux_compute_access_vector($1_t)
selinux_compute_create_context($1_t)
selinux_dontaudit_get_fs_mount($1_t)
selinux_dontaudit_search_fs($1_t)
selinux_get_enforce_mode($1_t)
selinux_mounton_fs($1_t)
selinux_setcheckreqprot($1_t)
selinux_validate_context($1_t)
dontaudit $1_t security_t:file write;
dontaudit $1_t security_t:security read_policy;
sysnet_read_config($1_t)
sysnet_write_config($1_t)
term_search_ptys($1_t)
term_use_generic_ptys($1_t)
term_setattr_generic_ptys($1_t)
userdom_use_inherited_user_ptys($1_t)
allow container_runtime_t $1_t:process { dyntransition transition };
allow $1_t container_runtime_t:process sigchld;
allow container_runtime_t $1_t:process2 { nnp_transition nosuid_transition };
dontaudit container_runtime_t $1_t:process { noatsecure rlimitinh siginh };
manage_dirs_pattern(container_runtime_t, $1_file_type, $1_file_type)
manage_files_pattern(container_runtime_t, $1_file_type, $1_file_type)
manage_lnk_files_pattern(container_runtime_t, $1_file_type, $1_file_type)
read_files_pattern(iptables_t, $1_file_type, $1_file_type)
# ===================================================================
# QM Containers
#
attribute $1_container_domain;
allow $1_container_domain $1_t:fifo_file rw_inherited_fifo_file_perms;
allow $1_t $1_container_domain:process all_process_perms;
allow $1_t $1_container_domain:key manage_key_perms;
read_files_pattern($1_t, $1_container_domain,$1_container_domain)
read_lnk_files_pattern($1_t, $1_container_domain,$1_container_domain)
type $1_container_t, $1_container_domain;
domain_type($1_container_t)
domain_user_exemption_target($1_container_t)
container_manage_files_template($1_container, $1_container)
type $1_container_ipc_t, $1_container_domain;
domain_type($1_container_ipc_t)
domain_user_exemption_target($1_container_ipc_t)
container_manage_files_template($1_container_ipc, $1_container)
container_ipc_stream_connect($1_container_ipc_t)
container_stream_connect($1_container_ipc_t)
type $1_container_file_t, $1_file_type;
files_type($1_container_file_t)
files_mountpoint($1_container_file_t)
fs_associate($1_container_file_t)
allow $1_container_domain $1_file_type:file { execmod relabelfrom relabelto map entrypoint mounton};
allow $1_container_domain $1_file_type:dir search_dir_perms;
exec_files_pattern($1_container_domain, $1_file_type, $1_file_type)
list_dirs_pattern($1_container_domain, $1_file_type, $1_file_type)
read_files_pattern($1_container_domain, $1_file_type, $1_file_type)
qm_container_template($1, kvm)
type $1_container_kvm_var_run_t;
files_pid_file($1_container_kvm_var_run_t)
filetrans_pattern($1_container_kvm_t, container_var_run_t, $1_container_kvm_var_run_t, {file sock_file dir})
filetrans_pattern($1_t, container_var_run_t, $1_container_kvm_var_run_t, dir, "kata-containers")
manage_dirs_pattern($1_container_kvm_t, $1_container_kvm_var_run_t, $1_container_kvm_var_run_t)
manage_files_pattern($1_container_kvm_t, $1_container_kvm_var_run_t, $1_container_kvm_var_run_t)
manage_fifo_files_pattern($1_container_kvm_t, $1_container_kvm_var_run_t, $1_container_kvm_var_run_t)
manage_sock_files_pattern($1_container_kvm_t, $1_container_kvm_var_run_t, $1_container_kvm_var_run_t)
manage_lnk_files_pattern($1_container_kvm_t, $1_container_kvm_var_run_t, $1_container_kvm_var_run_t)
files_pid_filetrans($1_container_kvm_t, $1_container_kvm_var_run_t, { dir file lnk_file sock_file })
files_pid_filetrans($1_container_kvm_t, $1_container_kvm_var_run_t, { dir file lnk_file sock_file })
allow $1_container_kvm_t $1_container_kvm_var_run_t:{file dir} mounton;
manage_files_pattern($1_container_kvm_t, $1_file_t, $1_file_t)
manage_sock_files_pattern($1_container_kvm_t, $1_file_t, $1_file_t)
allow $1_container_kvm_t $1_container_wayland_t:unix_stream_socket rw_stream_socket_perms;
allow $1_container_kvm_t $1_t:unix_stream_socket { connectto rw_stream_socket_perms };
container_stream_connect($1_container_kvm_t)
allow $1_container_kvm_t $1_t:tun_socket attach_queue;
dev_read_sysfs($1_container_kvm_t)
dev_rw_inherited_vhost($1_container_kvm_t)
dev_rw_vfio_dev($1_container_kvm_t)
corenet_rw_inherited_tun_tap_dev($1_container_kvm_t)
corecmd_exec_shell($1_container_kvm_t)
corecmd_exec_bin($1_container_kvm_t)
corecmd_bin_entry_type($1_container_kvm_t)
# virtiofs causes these AVC messages.
kernel_mount_proc($1_container_kvm_t)
kernel_mounton_proc($1_container_kvm_t)
kernel_unmount_proc($1_container_kvm_t)
kernel_dgram_send($1_container_kvm_t)
files_mounton_rootfs($1_container_kvm_t)
auth_read_passwd($1_container_kvm_t)
logging_send_syslog_msg($1_container_kvm_t)
optional_policy(`
qemu_entry_type($1_container_kvm_t)
qemu_exec($1_container_kvm_t)
')
manage_sock_files_pattern($1_container_kvm_t, $1_container_file_t, $1_container_file_t)
dev_rw_kvm($1_container_kvm_t)
sssd_read_public_files($1_container_kvm_t)
qm_container_template($1, init)
logging_send_syslog_msg($1_container_init_t)
qm_container_template($1, wayland)
allow $1_container_wayland_t $1_file_t:chr_file map;
manage_dirs_pattern($1_container_wayland_t, $1_file_t, $1_file_t)
manage_files_pattern($1_container_wayland_t, $1_file_t, $1_file_t)
manage_sock_files_pattern($1_container_wayland_t, $1_file_t, $1_file_t)
allow $1_container_wayland_t $1_t:unix_stream_socket connectto;
allow $1_container_wayland_t $1_t:dbus send_msg;
allow $1_t $1_container_wayland_t:dbus send_msg;
dev_read_sysfs($1_container_wayland_t)
allow getty_t $1_file_type:chr_file rw_chr_file_perms;
read_files_pattern(systemd_hostnamed_t, $1_file_t, $1_file_t)
systemd_dbus_chat_hostnamed(systemd_hostnamed_t)
read_files_pattern($1_container_domain, $1_container_ro_file_t,$1_container_ro_file_t)
read_lnk_files_pattern($1_container_domain, $1_container_ro_file_t,$1_container_ro_file_t)
list_dirs_pattern($1_container_domain, $1_container_ro_file_t,$1_container_ro_file_t)
#
# Rules for container domains in the qm
#
allow $1_container_domain self:association sendto;
allow $1_container_domain self:cap2_userns ~{ mac_override mac_admin };
allow $1_container_domain self:cap_userns { sys_admin chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
allow $1_container_domain self:capability mknod;
allow $1_container_domain self:capability ~{ sys_module };
allow $1_container_domain self:capability2 ~{ mac_override mac_admin };
allow $1_container_domain self:dir list_dir_perms;
allow $1_container_domain self:fifo_file create_fifo_file_perms;
allow $1_container_domain self:fifo_file manage_file_perms;
allow $1_container_domain self:file rw_file_perms;
allow $1_container_domain self:filesystem associate;
allow $1_container_domain self:key manage_key_perms;
allow $1_container_domain self:lnk_file read_file_perms;
allow $1_container_domain self:lnk_file setattr;
allow $1_container_domain self:msg all_msg_perms;
allow $1_container_domain self:msgq create_msgq_perms;
allow $1_container_domain self:netlink_kobject_uevent_socket create_socket_perms;
allow $1_container_domain self:netlink_route_socket r_netlink_socket_perms;
allow $1_container_domain self:netlink_socket create_socket_perms;
allow $1_container_domain self:netlink_tcpdiag_socket create_netlink_socket_perms;
allow $1_container_domain self:netlink_xfrm_socket create_socket_perms;
allow $1_container_domain self:packet_socket create_socket_perms;
allow $1_container_domain self:passwd rootok;
allow $1_container_domain self:peer recv;
allow $1_container_domain self:process all_process_perms;
allow $1_container_domain self:sem create_sem_perms;
allow $1_container_domain self:shm create_shm_perms;
allow $1_container_domain self:socket_class_set { create_socket_perms map accept };
allow $1_container_domain self:tcp_socket create_stream_socket_perms;
allow $1_container_domain self:tun_socket { create_socket_perms relabelfrom relabelto attach_queue };
allow $1_container_domain self:udp_socket create_socket_perms;
allow $1_container_domain self:unix_dgram_socket { sendto create_socket_perms };
allow $1_container_domain self:unix_stream_socket { create_stream_socket_perms sendto connectto };
allow $1_container_domain self:user_namespace create;
allow $1_t $1_container_domain:fd use;
allow $1_t $1_container_domain:fifo_file rw_fifo_file_perms;
allow $1_t $1_container_domain:file relabelfrom;
allow $1_t $1_container_domain:key manage_key_perms;
allow $1_t $1_container_domain:process { dyntransition transition };
allow $1_t $1_container_domain:process2 { nnp_transition nosuid_transition };
allow $1_t $1_container_domain:tun_socket relabelfrom;
allow $1_container_domain $1_t:unix_dgram_socket sendto;
allow $1_container_domain container_runtime_t:unix_dgram_socket sendto;
allow $1_container_domain container_runtime_tmpfs_t:dir mounton;
allow $1_container_domain fusefs_t:file { mounton execmod };
allow $1_container_domain fusefs_t:filesystem remount;
allow $1_container_domain init_t:socket_class_set { accept ioctl read getattr lock write append getopt };
allow $1_container_domain $1_container_ro_file_t:file execmod;
allow $1_container_domain $1_t:fd use;
allow $1_container_domain $1_t:fifo_file { rw_fifo_file_perms map };
allow $1_container_domain $1_t:socket_class_set { accept ioctl read getattr lock write append getopt setopt };
allow $1_container_domain $1_t:tun_socket relabelfrom;
allow unconfined_domain_type $1_container_domain:process {transition dyntransition };
allow unconfined_domain_type $1_container_domain:process2 { nnp_transition nosuid_transition };
allow unconfined_service_t $1_container_domain:process dyntransition;
dev_getattr_all($1_container_domain)
dev_list_sysfs($1_container_domain)
dev_dontaudit_mounton_sysfs($1_container_domain)
domain_dontaudit_link_all_domains_keyrings($1_container_domain)
domain_dontaudit_search_all_domains_keyrings($1_container_domain)
domain_dontaudit_search_all_domains_state($1_container_domain)
dontaudit $1_container_domain container_runtime_tmpfs_t:dir read;
dontaudit $1_container_domain $1_t:chr_file getattr;
dontaudit $1_container_domain $1_container_domain:key search;
dontaudit $1_container_domain self:capability fsetid;
dontaudit $1_container_domain self:capability2 block_suspend ;
dontaudit $1_container_domain self:dir { write add_name };
dontaudit $1_container_domain sysctl_type:file write;
dontaudit $1_container_domain usermodehelper_t:file write;
dontaudit $1_t $1_container_domain:process { noatsecure rlimitinh siginh };
corenet_icmp_bind_generic_node($1_container_domain)
corenet_raw_bind_generic_node($1_container_domain)
corenet_rw_tun_tap_dev($1_container_domain)
corenet_sctp_bind_all_ports($1_container_domain)
corenet_sctp_connect_all_ports($1_container_domain)
corenet_tcp_bind_all_ports($1_container_domain)
corenet_tcp_bind_generic_node($1_container_domain)
corenet_tcp_connect_all_ports($1_container_domain)
corenet_tcp_sendrecv_all_ports($1_container_domain)
corenet_udp_bind_all_ports($1_container_domain)
corenet_udp_bind_generic_node($1_container_domain)
corenet_udp_sendrecv_all_ports($1_container_domain)
files_read_kernel_modules($1_container_domain)
fs_dontaudit_getattr_all_dirs($1_container_domain)
fs_dontaudit_getattr_all_files($1_container_domain)
fs_dontaudit_remount_tmpfs($1_container_domain)
fs_exec_fusefs_files($1_container_domain)
fs_exec_hugetlbfs_files($1_container_domain)
fs_fusefs_entrypoint($1_container_domain)
fs_getattr_all_fs($1_container_domain)
fs_list_cgroup_dirs($1_container_domain)
fs_list_hugetlbfs($1_container_domain)
fs_manage_fusefs_dirs($1_container_domain)
fs_manage_fusefs_files($1_container_domain)
fs_manage_fusefs_named_pipes($1_container_domain)
fs_manage_fusefs_named_sockets($1_container_domain)
fs_manage_fusefs_symlinks($1_container_domain)
fs_manage_hugetlbfs_files($1_container_domain)
fs_mount_fusefs($1_container_domain)
fs_mount_tmpfs($1_container_domain)
fs_mount_xattr_fs($1_container_domain)
fs_mounton_fusefs($1_container_domain)
fs_read_cgroup_files($1_container_domain)
fs_read_nsfs_files($1_container_domain)
fs_read_tmpfs_symlinks($1_container_domain)
fs_remount_xattr_fs($1_container_domain)
fs_rw_inherited_tmpfs_files($1_container_domain)
fs_rw_onload_sockets($1_container_domain)
fs_search_tmpfs($1_container_domain)
fs_unmount_fusefs($1_container_domain)
fs_unmount_xattr_fs($1_container_domain)
kernel_dontaudit_access_check_proc($1_container_domain)
kernel_dontaudit_search_kernel_sysctl($1_container_domain)
kernel_dontaudit_setattr_proc_dirs($1_container_domain)
kernel_dontaudit_setattr_proc_files($1_container_domain)
kernel_dontaudit_write_kernel_sysctl($1_container_domain)
kernel_dontaudit_write_proc_files($1_container_domain)
kernel_dontaudit_write_usermodehelper_state($1_container_domain)
kernel_get_sysvipc_info($1_container_domain)
kernel_getattr_proc($1_container_domain)
kernel_list_all_proc($1_container_domain)
kernel_read_all_sysctls($1_container_domain)
kernel_read_irq_sysctls($1_container_domain)
kernel_read_network_state($1_container_domain)
kernel_read_network_state($1_container_domain)
kernel_rw_net_sysctls($1_container_domain)
kernel_rw_net_sysctls($1_container_domain)
kernel_rw_rpc_sysctls($1_container_domain)
kernel_rw_unix_sysctls($1_container_domain)
kernel_search_network_sysctl($1_container_domain)
logging_dontaudit_send_audit_msgs($1_container_domain)
storage_rw_fuse($1_container_domain)
sysnet_read_config($1_container_domain)
term_use_all_inherited_terms($1_container_domain)
userdom_rw_inherited_user_pipes($1_container_domain)
userdom_use_user_ptys($1_container_domain)
optional_policy(`
vsomeip_use($1_t)
vsomeip_use($1_container_domain)
')
')
########################################
## <summary>
## Creates types and rules for a basic
## container runtime process domain.
## </summary>
## <param name="prefix">
## <summary>
## Prefix for the domain.
## </summary>
## </param>
#
interface(`vsomeip_use',`
gen_require(`
type vsomeip_t;
type vsomeip_var_run_t;
type router_vsomeip_var_run_t;
')
# create and use vsomeip sockets:
allow $1 vsomeip_var_run_t:dir { add_name remove_name write };
allow $1 vsomeip_var_run_t:sock_file { create setattr write unlink };
# Talk to routing manager (and back)
allow $1 vsomeip_t:unix_stream_socket connectto;
allow vsomeip_t $1:unix_stream_socket connectto;
allow $1 router_vsomeip_var_run_t:sock_file write;
')
########################################
## <summary>
## Creates types and rules for QM a
## container runtime process domain.
## </summary>
## <param name="prefix">
## <summary>
## Prefix for the domain.
## </summary>
## </param>
## <param name="type">
## <summary>
## type of process domain.
## </summary>
## </param>
#
interface(`qm_container_template',`
# Container $2 - Policy for running systemd based containers
type $1_container_$2_t, $1_container_domain;
domain_type($1_container_$2_t)
domain_user_exemption_target($1_container_$2_t)
typeattribute $1_container_$2_t container_net_domain, container_user_domain;
corenet_unconfined($1_container_$2_t)
allow $1_container_$2_t proc_t:filesystem remount;
optional_policy(`
virt_default_capabilities($1_container_$2_t)
')
allow $1_container_$2_t self:netlink_audit_socket nlmsg_relay;
container_manage_files_template($1_container_$2, $1_container)
read_files_pattern($1_container_$2_t, $1_container_ro_file_t, $1_container_ro_file_t)
read_lnk_files_pattern($1_container_$2_t, $1_container_ro_file_t, $1_container_ro_file_t)
list_dirs_pattern($1_container_$2_t, $1_container_ro_file_t, $1_container_ro_file_t)
')
########################################
## <summary>
## Connect to IPC containers over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_ipc_stream_connect',`
gen_require(`
type ipc_t, ipc_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, ipc_var_run_t, ipc_var_run_t, ipc_t)
rw_sock_files_pattern($1, ipc_var_run_t, ipc_var_run_t)
')