#
# SELinux policy for LXC for RHEL/CentOS/Oracle 6.5.
# It attempts to restrict the container to the same amount of access
# as an unprivileged user. To build and insert this policy module:
#
# make -f /usr/share/selinux/devel/Makefile lxc.pp
# semodule -i lxc.pp
#
# In your container's lxc config:
# lxc.se_context = system_u:system_r:lxc_t:s0:c62,c86,c150,c228
#
# Ensure your container's rootfs files are labeled:
# chcon -R system_u:object_r:lxc_file_t:s0:c62,c86,c150,c228 /path/to/rootfs
#
# To keep containers separated from each other, you should vary the MCS
# portion of the contexts above to be a unique set of values for each
# container, each MCS compartment can be a number from 0-1023.
#
# NOTE(review): the "unprivileged user" goal above is an aim, not a
# property of the rules below: the capability rule grants lxc_t
# sys_admin, net_admin, dac_override and dac_read_search, and the
# corenet_* rules grant TCP/UDP access on every port. The MCS categories
# separate containers' lxc_file_t objects from each other; whether they
# also narrow the socket, sysctl and mount permissions granted here
# depends on the base policy's MCS constraints -- confirm on the target
# system. Separation of network, mount and sysctl state therefore rests
# on the namespaces and cgroups lxc sets up, which this module does not
# control.
#

# Module name and version (bump the version whenever the rules change).
policy_module(lxc,0.35)

# Derive lxc_t from the base policy's unprivileged-user template; lxc_t is
# not declared elsewhere in this file, so the template supplies it, and
# every rule below widens that starting point.
userdom_unpriv_user_template(lxc)

# Label for the container rootfs (see the chcon line in the header).
type lxc_file_t;
files_type(lxc_file_t);
# Let system_r run lxc_t, matching the system_r in lxc.se_context above.
# Listing a file type in a role declaration is unusual; it is left as is.
role system_r types { lxc_t lxc_file_t };

# Base-policy types and classes this module refers to.
gen_require(`
	type devpts_t;
	type proc_t;
	type ssh_port_t;
	type sysctl_kernel_t;
	type sysctl_modprobe_t;
	type sysctl_net_t;
	type tmpfs_t;
	type unconfined_t;
	class filesystem { relabelfrom unmount };
	class tcp_socket name_bind;
	class udp_socket name_bind;
');

# So lxc can transition to lxc_t on exec
# Only unconfined_t may enter lxc_t, and no type_transition is declared,
# so the switch happens only when lxc requests it (lxc.se_context).
# Assumes lxc-start itself runs as unconfined_t -- confirm on the host.
allow unconfined_t lxc_t:process transition;
can_exec(lxc_t, lxc_file_t)

# So lxc can dyntransition to lxc_t for attach executing a function
# A dynamic transition changes domain without an exec, so the attached
# process keeps the caller's open descriptors and memory mappings; that is
# wider than the exec transition above and is worth keeping in mind when
# reviewing what lxc-attach is allowed to carry into the container.
allow unconfined_t lxc_t:process dyntransition;

# So lxc-start can relabel the pty allocated for the console
allow lxc_file_t devpts_t:filesystem associate;

# So container can mount /dev/shm and relabel it
allow lxc_t tmpfs_t:filesystem relabelfrom;

# Allow all access to an lxc_file_t type; devices can be restricted
# with the device cgroup, they are not here
# `*` is every permission of the class (including relabelfrom/relabelto,
# setattr and execute). Containment comes from the target type alone:
# only objects labeled lxc_file_t are reachable, and with distinct MCS
# categories per container only this container's objects -- confirm the
# base policy's MCS constraints cover these classes.
allow lxc_t lxc_file_t:file *;
allow lxc_t lxc_file_t:lnk_file *;
allow lxc_t lxc_file_t:chr_file *;
allow lxc_t lxc_file_t:blk_file *;
allow lxc_t lxc_file_t:sock_file *;
allow lxc_t lxc_file_t:fifo_file *;
allow lxc_t lxc_file_t:socket *;
allow lxc_t lxc_file_t:dir *;
allow lxc_t lxc_file_t:filesystem unmount;

# Unmount of any filesystem type, not just lxc_file_t. This only stays
# inside the container if lxc gives it its own mount namespace; together
# with sys_admin below, a container sharing the host mount namespace could
# unmount host filesystems -- verify the container config.
fs_unmount_all_fs(lxc_t)

# proc and tmpfs mounts the container's init needs at boot.
allow lxc_t proc_t:dir mounton;
allow lxc_t proc_t:filesystem mount;

allow lxc_t tmpfs_t:filesystem mount;
# Broad capability set. sys_admin, net_admin and dac_override are each
# close to root-equivalent on their own; SELinux still bounds what they can
# touch via the type rules in this file, but they should be paired with
# capability dropping (lxc.cap.drop) and the device cgroup in the container
# config rather than relied on as the only limit.
allow lxc_t self:capability { dac_override dac_read_search fsetid ipc_lock net_admin net_bind_service net_broadcast net_raw sys_admin sys_boot sys_tty_config };

# Network sysctls: per-container only when the container has its own
# network namespace, host-wide otherwise -- confirm the lxc network setup.
allow lxc_t sysctl_net_t:file write;
# Explicit bind to the ssh port; made redundant by
# corenet_tcp_bind_all_ports below, kept as documentation of intent.
allow lxc_t ssh_port_t:tcp_socket name_bind;

# Connect and bind on every TCP/UDP port. The MCS categories do not narrow
# port access, so port exposure is governed by the container's network
# namespace and firewalling, not by this module.
corenet_tcp_connect_all_ports(lxc_t)
corenet_tcp_bind_all_ports(lxc_t)
corenet_udp_bind_all_ports(lxc_t)

# Needed for ifup/ip/dhcp
# Packet and raw IP sockets also need the net_raw capability granted above;
# the netlink route socket is what ip/ifup use to configure interfaces.
allow lxc_t self:packet_socket create_socket_perms;
allow lxc_t self:rawip_socket create_socket_perms;
allow lxc_t self:netlink_route_socket create_netlink_socket_perms;

# Writes to the kernel and modprobe sysctls remain denied (there is no
# allow rule), but the denials are not logged, to keep init-script noise
# out of the audit log. When debugging the policy or investigating a
# container, rebuild with dontaudit rules disabled (semodule -DB) so these
# denials become visible again.
dontaudit lxc_t sysctl_kernel_t:file write;
dontaudit lxc_t sysctl_modprobe_t:file write;