commit: 2e1192a4f76b25a7f91cdda83ffddaea56723119
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 9 19:23:24 2024 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2e1192a4
iptables: allow reading container engine tmp files
When multus creates a new network, iptables rules get written to /tmp
and iptables will be called to load them.
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/container.if | 20 ++++++++++++++++++++
policy/modules/system/iptables.te | 5 +++--
2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/container.if
b/policy/modules/services/container.if
index c9f4aa934..902c31b89 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -480,6 +480,26 @@ interface(`container_search_engine_tmp',`
allow $1 container_engine_tmp_t:dir search_dir_perms;
')
+########################################
+## <summary>
+## Allow the specified domain to read
+## container engine temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_read_engine_tmp_files',`
+ gen_require(`
+ type container_engine_tmp_t;
+ ')
+
+ container_search_engine_tmp($1)
+ allow $1 container_engine_tmp_t:file read_file_perms;
+')
+
########################################
## <summary>
## Allow the specified domain to manage
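Review bot: The `allow $1 container_engine_tmp_t:file read_file_perms;` line grants the caller read access to every file labelled container_engine_tmp_t, not only the iptables rule files the commit message describes, so any other content a container engine stages under that label becomes readable by the caller too; whether that matters depends on what else carries the type, which this hunk does not show. The refpolicy idiom for this body is `read_files_pattern($1, container_engine_tmp_t, container_engine_tmp_t)`, which bundles the search on the type's directories with the file read; the preceding `container_search_engine_tmp($1)` call presumably also covers the parent tmp directory and should stay. A short `<desc>` block noting that the interface exists so iptables can load rules staged by multus, and that it is file-type-wide rather than per-file, would record the intended scope for later reviewers.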
diff --git a/policy/modules/system/iptables.te
b/policy/modules/system/iptables.te
index 684d91a25..7c401fa50 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -105,11 +105,12 @@ sysnet_dns_name_resolve(iptables_t)
userdom_use_inherited_user_terminals(iptables_t)
-
-
optional_policy(`
# iptables may try to rw /ptmx in a container
container_dontaudit_rw_chr_files(iptables_t)
+
+ # iptables reads firewall rules written to tmp
+ container_read_engine_tmp_files(iptables_t)
')
optional_policy(`