commit: c891d981f2fd465d682c8129865613927308c30e
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Fri Feb 10 18:30:56 2023 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:24:11 2023 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c891d981
container: add missing filetrans and filecon for containerd/docker
Add a missing file transition for the docker socket in /run as well as a
missing file context for /var/log/containerd.
Thanks-to: zen_desu
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/container.fc | 1 +
policy/modules/services/container.te | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/container.fc
b/policy/modules/services/container.fc
index 29a02b1d3..056aa6023 100644
--- a/policy/modules/services/container.fc
+++ b/policy/modules/services/container.fc
@@ -100,6 +100,7 @@ HOME_DIR/\.docker(/.*)?
gen_context(system_u:object_r:container_conf_home_t,s0)
/var/lib/etcd(/.*)?
gen_context(system_u:object_r:container_file_t,s0)
/var/lib/kube-proxy(/.*)?
gen_context(system_u:object_r:container_file_t,s0)
+/var/log/containerd(/.*)?
gen_context(system_u:object_r:container_log_t,s0)
/var/log/containers(/.*)?
gen_context(system_u:object_r:container_log_t,s0)
/var/log/crio(/.*)?
gen_context(system_u:object_r:container_log_t,s0)
/var/log/pods(/.*)?
gen_context(system_u:object_r:container_log_t,s0)
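Review bot: The new `/var/log/containerd(/.*)?` entry only applies on a relabel; if the engine creates that directory itself at runtime it will still inherit the default label of /var/log unless a name transition exists in container.te, and this commit adds none for it. Consider pairing the context with `logging_log_filetrans(container_engine_system_domain, container_log_t, dir, "containerd")` (or whichever domain actually creates it), in the same way the container.te hunk pairs the docker socket with a runtime filetrans. If such a transition is already present elsewhere in the policy, this is only a documentation point and a comment on the new line referencing it would suffice.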
diff --git a/policy/modules/services/container.te
b/policy/modules/services/container.te
index 534d6f4c5..15d1e8c88 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -747,7 +747,7 @@ allow container_engine_system_domain
container_runtime_t:file { manage_file_perm
allow container_engine_system_domain container_runtime_t:fifo_file {
manage_fifo_file_perms relabel_fifo_file_perms };
allow container_engine_system_domain container_runtime_t:lnk_file {
manage_lnk_file_perms relabel_lnk_file_perms };
allow container_engine_system_domain container_runtime_t:sock_file {
manage_sock_file_perms relabel_sock_file_perms };
-files_runtime_filetrans(container_engine_system_domain, container_runtime_t, {
dir file })
+files_runtime_filetrans(container_engine_system_domain, container_runtime_t, {
dir file sock_file })
allow container_engine_system_domain container_engine_cache_t:dir
manage_dir_perms;
allow container_engine_system_domain container_engine_cache_t:file
manage_file_perms;
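Review bot: The `sock_file` added to `files_runtime_filetrans` on the changed line carries no filename qualifier, so every socket the engine creates directly in /run, not only the docker socket named in the description, now transitions to container_runtime_t. If the engine creates other sockets under /run that should keep a different label, the name-qualified form `files_runtime_filetrans(container_engine_system_domain, container_runtime_t, sock_file, "docker.sock")` is narrower; the interface accepts an optional filename as its fourth argument. The pre-existing `{ dir file }` transition is equally unqualified, so the broad form is at least consistent with what was there; either way a short comment on the line naming the socket it targets would help later readers.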