From 85dfa7e8745bb6df683eb9514b67b8cf5974f8f7 Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Mon, 24 Feb 2025 14:51:56 +0100
Subject: [PATCH] add container_ro_file_t to the podman artifact store

The artifact store contains many blobs which we like to get mounted into the container. However by default selinux prevents access to these files. Now I could patch podman to change the label directly but it seems like much better to just label the entire artifact store correctly like we do with the image store.

Signed-off-by: Paul Holzinger
---
 container.fc | 2 ++
 container.if | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/container.fc b/container.fc
index bf660de..7b1cf7d 100644
--- a/container.fc
+++ b/container.fc
@@ -93,6 +93,7 @@
 /var/lib/buildkit/containerd-.*(/.*?) gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/ramalama(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/artifacts(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
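Review bot: The new `HOME_DIR/\.local/share/containers/storage/artifacts(/.*)?` context only applies when the path is labeled or relabeled, so a rootless artifact store that already exists keeps whatever label it has until restorecon is run on it, and the same holds for `/var/lib/containers/storage/artifacts(/.*)?` in the next hunk. The filetrans rules added in container.if later in this patch only cover an artifacts directory created after the policy is loaded, so as far as I can see nothing here fixes the label of stores that predate this change, and the denial the commit message describes persists for those. Rootless home directories are not usually relabeled on a policy upgrade, so this is worth calling out in the commit message or release notes, along with the restorecon invocation users need.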
@@ -110,6 +111,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:
 /var/lib/containers/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/atomic(/.*)? <>
 /var/lib/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/containers/storage/artifacts(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
diff --git a/container.if b/container.if
index 3914e0f..46466ae 100644
--- a/container.if
+++ b/container.if
@@ -537,6 +537,7 @@ interface(`container_filetrans_named_content',`
 # workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4/work)
 	filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "snapshots")
 	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "init")
+	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "artifacts")
 	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay")
 	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-images")
 	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-layers")
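Review bot: The new `filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "artifacts")` keys on the directory name alone, so as far as I can tell any directory called artifacts that a $1 domain creates directly inside a container_var_lib_t directory gets container_ro_file_t, not only the /var/lib/containers/storage/artifacts path that the container.fc regex covers; the data_home_t transition in the next hunk has the same property for a directory of that name created anywhere under ~/.local/share. This mirrors the existing overlay*, init and ramalama entries, so it is consistent with the interface, but "artifacts" is a far more generic name than those, and nothing in the hunk records which component owns it. A short comment above the new line, such as `# podman artifact store (<storage root>/artifacts), labeled read-only for containers like the image store`, would document why a name this general is given the read-only container label. The container_filetrans_named_content interface continues outside the hunk.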
@@ -563,6 +564,7 @@ interface(`container_filetrans_named_content',`
 	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-soci")
 
 	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "ramalama")
+	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "artifacts")
 	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay")
 	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-images")
 	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-layers")