| author | Kenton Groombridge <concord@gentoo.org> | 2024-08-09 15:23:24 -0400 |
|---|---|---|
| committer | Jason Zaman <perfinion@gentoo.org> | 2024-09-21 15:28:29 -0700 |
| commit | 2e1192a4f76b25a7f91cdda83ffddaea56723119 (patch) | |
| tree | db42a8d5f9dc53d229091f5cf3ee37c268fc0842 /policy/modules | |
| parent | container: allow spc various rules for kubevirt (diff) | |
| download | hardened-refpolicy-2e1192a4f76b25a7f91cdda83ffddaea56723119.tar.gz, hardened-refpolicy-2e1192a4f76b25a7f91cdda83ffddaea56723119.tar.bz2, hardened-refpolicy-2e1192a4f76b25a7f91cdda83ffddaea56723119.zip | |
iptables: allow reading container engine tmp files
When multus creates a new network, iptables rules get written to /tmp
and iptables will be called to load them.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Diffstat (limited to 'policy/modules')

| -rw-r--r-- | policy/modules/services/container.if | 20 |
|---|---|---|
| -rw-r--r-- | policy/modules/system/iptables.te | 5 |

2 files changed, 23 insertions, 2 deletions
diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if index c9f4aa93..902c31b8 100644 --- a/policy/modules/services/container.if +++ b/policy/modules/services/container.if @@ -482,6 +482,26 @@ interface(`container_search_engine_tmp',` ######################################## ## <summary> +## Allow the specified domain to read +## container engine temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`container_read_engine_tmp_files',` + gen_require(` + type container_engine_tmp_t; + ') + + container_search_engine_tmp($1) + allow $1 container_engine_tmp_t:file read_file_perms; +') + +######################################## +## <summary> ## Allow the specified domain to manage ## container engine temporary files. ## </summary> diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index 684d91a2..7c401fa5 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -105,11 +105,12 @@ sysnet_dns_name_resolve(iptables_t) userdom_use_inherited_user_terminals(iptables_t) - - optional_policy(` # iptables may try to rw /ptmx in a container container_dontaudit_rw_chr_files(iptables_t) + + # iptables reads firewall rules written to tmp + container_read_engine_tmp_files(iptables_t) ') optional_policy(` |
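Review bot: in the container.if hunk, the new `container_read_engine_tmp_files` interface grants only `read_file_perms` on `container_engine_tmp_t:file` on top of `container_search_engine_tmp($1)`, so a caller that reaches the rules file through a symlink of that type, or needs to list the directory, would still be denied. That minimal scope is fine when iptables is handed the full path, but the `<summary>` could say so, since the adjacent `container_manage_engine_tmp_files` interface gives callers a much broader set and the two names read as siblings.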
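Review bot: in the iptables.te hunk, the two `-` blank-line removals above `optional_policy(`` are whitespace cleanup unrelated to the stated change and would normally travel separately; the functional line `container_read_engine_tmp_files(iptables_t)` itself sits correctly inside the existing `optional_policy` block, so it only applies when the container module is present. It would help to confirm in the message that the rules file multus writes under /tmp actually carries type `container_engine_tmp_t`; if it lands with a generic tmp type, this rule will not address the denial being fixed.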