authorKenton Groombridge <concord@gentoo.org>2024-08-09 15:23:24 -0400
committerJason Zaman <perfinion@gentoo.org>2024-09-21 15:28:29 -0700
commit2e1192a4f76b25a7f91cdda83ffddaea56723119 (patch)
treedb42a8d5f9dc53d229091f5cf3ee37c268fc0842 /policy/modules
parentcontainer: allow spc various rules for kubevirt (diff)
iptables: allow reading container engine tmp files
When multus creates a new network, iptables rules are written to /tmp and iptables is then called to load them.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Diffstat (limited to 'policy/modules')
-rw-r--r--policy/modules/services/container.if20
-rw-r--r--policy/modules/system/iptables.te5
2 files changed, 23 insertions, 2 deletions
diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index c9f4aa93..902c31b8 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -482,6 +482,26 @@ interface(`container_search_engine_tmp',`
########################################
## <summary>
+## Allow the specified domain to read
+## container engine temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_read_engine_tmp_files',`
+ gen_require(`
+ type container_engine_tmp_t;
+ ')
+
+ container_search_engine_tmp($1)
+ allow $1 container_engine_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Allow the specified domain to manage
## container engine temporary files.
## </summary>
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 684d91a2..7c401fa5 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -105,11 +105,12 @@ sysnet_dns_name_resolve(iptables_t)
userdom_use_inherited_user_terminals(iptables_t)
-
-
optional_policy(`
# iptables may try to rw /ptmx in a container
container_dontaudit_rw_chr_files(iptables_t)
+
+ # iptables reads firewall rules written to tmp
+ container_read_engine_tmp_files(iptables_t)
')
optional_policy(`
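Review bot: The comment above the new rule, `# iptables reads firewall rules written to tmp`, leaves out who writes the file and where, which is exactly what a maintainer needs later to decide whether the allow is still warranted; the commit message has that detail, so it should be carried into the policy, e.g. `# multus writes iptables rules to the container engine tmp dir and runs iptables to load them`. The rule itself grants read on container_engine_tmp_t files plus directory search, which matches loading the rules by path; if multus instead hands the rules to iptables-restore on an inherited descriptor, a fd-use rule from the engine domain would presumably also be needed, but nothing on this page shows how it is invoked. The `optional_policy(\`` block that begins on the hunk's last line continues outside the hunk.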