Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change container_image_t to container_file_t #166

Merged
merged 1 commit into from
Oct 11, 2016
Merged

Change container_image_t to container_file_t #166

merged 1 commit into from
Oct 11, 2016

Conversation

rhatdan
Copy link
Contributor

@rhatdan rhatdan commented Oct 7, 2016

Also add container_ro_file_t, for a type that can be shared into a container
as r/o/x permissions, but no write.

@rhatdan
Change container_image_t to container_file_t
b246fc2 
Also add container_ro_file_t, for a type that can be shared into a container
as r/o/x permissions, but no write.
@rhatdan
Copy link
Contributor Author

rhatdan commented Oct 7, 2016

This fixes #165

@rhatdan
Copy link
Contributor Author

rhatdan commented Oct 7, 2016

Also we need container_ro_t to be exposed inside of /etc/selinux/targeted/contexts/lxc_contexts

cat /etc/selinux/targeted/contexts/lxc_contexts 
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"

This needs to become

process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"

Needs to become:

process = "system_u:system_r:container_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:container_file_t:s0"
ro_file="system_u:object_r:container_ro_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:container_t:s0"

@pmorie
Copy link

pmorie commented Oct 7, 2016

I really like the new names, for the record.

@rhatdan
Copy link
Contributor Author

rhatdan commented Oct 7, 2016

Yes, me too, since everytime I explain how this works I use those names and then show people the existing names, and they go BLAH...

@rhatdan
Copy link
Contributor Author

rhatdan commented Oct 11, 2016

@wrabcak PTAL

@wrabcak wrabcak merged commit 68d64f6 into fedora-selinux:rawhide-contrib Oct 11, 2016
@wrabcak
Copy link
Member

wrabcak commented Oct 11, 2016

okay, merged and also updated /etc/selinux/targeted/contexts/lxc_contexts

bachradsusi added a commit to bachradsusi/selinux-policy that referenced this pull request Jun 12, 2018
@bachradsusi
Update lxc_contexts from Fedora config.tgz
67e3593 
fedora-selinux#166
https://src.fedoraproject.org/rpms/selinux-policy/c/025a8d62675fd1efe568c5a7a4c200b98c33d0c0?branch=master
bachradsusi added a commit to bachradsusi/selinux-policy that referenced this pull request Jun 15, 2018
@bachradsusi
Update lxc_contexts from Fedora config.tgz
509bcfb 
fedora-selinux#166
https://src.fedoraproject.org/rpms/selinux-policy/c/025a8d62675fd1efe568c5a7a4c200b98c33d0c0?branch=master
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rhatdan @pmorie @wrabcak