selinux-policy: Silence io.containerd.internal.v1.opt denial noise. (#6449)

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Chris PeBenito 2023-10-27 16:06:24 -04:00 committed by GitHub
parent 4143c24dbf
commit 32fded6ef4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 93 additions and 1 deletions


@ -0,0 +1,88 @@
From 9475c49702bbc028b67e4ddbd0fe3d5a81ad354a Mon Sep 17 00:00:00 2001
From: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Date: Tue, 17 Oct 2023 13:59:45 +0000
Subject: [PATCH 42/42] docker: Silence io.containerd.internal.v1.opt
/opt/containerd creation.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
---
policy/modules/kernel/files.if | 36 +++++++++++++++++++++++++++++++
policy/modules/services/docker.te | 6 ++++++
2 files changed, 42 insertions(+)
MSFT_TAG: pending
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index b95270960..487b9d1a5 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2049,6 +2049,24 @@ interface(`files_dontaudit_rw_root_dir',`
dontaudit $1 root_t:dir rw_dir_perms;
')
+########################################
+## <summary>
+## Do not audit attempts to create root dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_create_root_dirs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ dontaudit $1 root_t:dir create_dir_perms;
+')
+
########################################
## <summary>
## Watch the root directory.
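Review bot: The summary "Do not audit attempts to create root dirs." in this hunk is ambiguous (it reads as creating several root directories); given the body `dontaudit $1 root_t:dir create_dir_perms;`, word it as "Do not audit attempts to create directories in the root directory (root_t)." to match the style of the neighbouring files_dontaudit_rw_root_dir description. It would also help to note in the description that this only silences the create side of the operation: the docker.te hunk in this same patch has to pair it with files_dontaudit_rw_root_dir to cover the write/add_name part of a mkdir in /, so callers should expect to do the same.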
@@ -5310,6 +5328,24 @@ interface(`files_dontaudit_rw_usr_dirs',`
dontaudit $1 usr_t:dir rw_dir_perms;
')
+########################################
+## <summary>
+## Do not audit attempts to create generic directories in /usr.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_create_usr_dirs',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ dontaudit $1 usr_t:dir create_dir_perms;
+')
+
########################################
## <summary>
## Delete generic directories in /usr in the caller domain.
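Review bot: The summary "Do not audit attempts to create generic directories in /usr." undersells what this interface covers: the commit uses it (see the docker.te hunk) to silence creation of /opt/containerd/{bin,lib}, so the rule applies to any directory carrying the usr_t type, not only to /usr. Suggest "Do not audit attempts to create generic directories of type usr_t (/usr and other usr_t-labeled trees such as /opt)." so a reader of files.if does not assume /opt is unaffected. Otherwise the interface mirrors files_dontaudit_create_root_dirs above and its placement next to files_dontaudit_rw_usr_dirs is consistent.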
diff --git a/policy/modules/services/docker.te b/policy/modules/services/docker.te
index 320d8ce84..4d0e88bd3 100644
--- a/policy/modules/services/docker.te
+++ b/policy/modules/services/docker.te
@@ -46,6 +46,12 @@ files_search_mnt(dockerd_t)
# but only when btrfs support is disabled
files_read_kernel_symbol_table(dockerd_t)
files_dontaudit_write_usr_dirs(dockerd_t)
+# Silence /opt/containerd/{bin,lib} creation in io.containerd.internal.v1.opt
+# It does not use selabel to figure out how to label these dirs.
+files_dontaudit_create_root_dirs(dockerd_t)
+files_dontaudit_rw_root_dir(dockerd_t)
+files_dontaudit_create_usr_dirs(dockerd_t)
+files_dontaudit_rw_usr_dirs(dockerd_t)
kernel_relabelfrom_unlabeled_dirs(dockerd_t)
# docker wants to load binfmt_misc
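Review bot: The existing `files_dontaudit_write_usr_dirs(dockerd_t)` two lines above the new block is now redundant, because the added `files_dontaudit_rw_usr_dirs(dockerd_t)` silences rw_dir_perms, which already includes write; drop the older line so the docker.te policy does not carry two overlapping dontaudits. The comment explains why the usr_t rules are needed (the opt plugin creates /opt/containerd without consulting selabel) but not why root_t create/rw denials appear at all; a short note (for example, that the plugin also tries to create the parent when /opt is absent, if that is what was observed) would keep the next maintainer from removing the root_t lines as unexplained. Finally, state in the comment that this is deliberate silencing, not support: dontaudit does not grant the access, so /opt/containerd is still never created, and if that plugin output is ever wanted the right fix is a file context plus a filetrans pattern to a dedicated type rather than widening these dontaudits. Since these rules also hide any genuine attempt by dockerd_t to create or write directories directly under /, anyone investigating dockerd behaviour should re-enable dontaudit reporting (`semodule -DB`) before trusting the audit log.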
--
2.34.1


@ -9,7 +9,7 @@
Summary: SELinux policy
Name: selinux-policy
Version: %{refpolicy_major}.%{refpolicy_minor}
Release: 4%{?dist}
Release: 5%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Mariner
@ -59,6 +59,7 @@ Patch37: 0037-cloudinit-Add-permissions-derived-from-sysadm.patch
Patch38: 0038-systemd-Fix-run-systemd-shutdown-handling.patch
Patch39: 0039-modutils-Temporary-fix-for-mkinitrd-dracut.patch
Patch40: 0040-For-systemd-hostnamed-service-to-run.patch
Patch41: 0041-docker-Silence-io.containerd.internal.v1.opt-opt-con.patch
BuildRequires: bzip2
BuildRequires: checkpolicy >= %{CHECKPOLICYVER}
BuildRequires: m4
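Review bot: The new `Patch41: 0041-docker-Silence-io.containerd.internal.v1.opt-opt-con.patch` line numbers the patch 41, but the patch file itself carries `Subject: [PATCH 42/42]`, so the two disagree; it is harmless for applying the patch, but regenerating the patch with `git format-patch` from the right base (or editing the Subject) keeps the series numbering consistent with the spec and with the existing Patch37 to Patch40 naming. The Release bump to 5%{?dist} and the matching 2.20221101-5 changelog entry below line up correctly.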
@ -344,6 +345,9 @@ exit 0
selinuxenabled && semodule -nB
exit 0
%changelog
* Tue Oct 17 2023 Chris PeBenito <chpebeni@microsoft.com> - 2.20221101-5
- Silence noise in containerd io.containerd.internal.v1.opt plugin.
* Thu Sep 28 2023 Chris PeBenito <chpebeni@microsoft.com> - 2.20221101-4
- Cherry pick systemd-hostnamed fix for handling /run/systemd/default-hostname.