Skip to content

Commit d8bdb3c

Browse files
ginglis13ginglis13
authored
Merge pull request #579 from ginglis13/soci-selinux
selinux: support for soci-snapshotter
2 parents 0352280 + a2cfdbf commit d8bdb3c

File tree

3 files changed

+14
-2
lines changed

3 files changed

+14
-2
lines changed

packages/selinux-policy/fs.cil

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -58,6 +58,7 @@
5858
(filecon "/.*/usr(/fips)?/bin/host-ctr" file runtime_exec)
5959
(filecon "/.*/usr(/fips)?/bin/runc.*" file runtime_exec)
6060
(filecon "/.*/usr(/fips)?/bin/shibaken" file api_exec)
61+
(filecon "/.*/usr(/fips)?/bin/soci-snapshotter.*" file runtime_exec)
6162

6263
; Label local storage mounts.
6364
(filecon "/local" any local)

packages/selinux-policy/object.cil

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -138,6 +138,11 @@
138138
(roletype object_r secret_t)
139139
(context secret (system_u object_r secret_t s0))
140140

141+
; Files for saved system secrets in config files in /etc.
142+
(type etc_secret_t)
143+
(roletype object_r etc_secret_t)
144+
(context etc_secret (system_u object_r etc_secret_t s0))
145+
141146
; Dynamic objects are files on temporary storage with special rules.
142147
(typeattribute dynamic_o)
143148
(typeattributeset dynamic_o (etc_t binfmt_misc_fs_t))
@@ -162,7 +167,7 @@
162167
; modified by system-level processes.
163168
(typeattribute write_restricted_o)
164169
(typeattributeset write_restricted_o (
165-
cache_t csi_exec_t lease_t measure_t secret_t state_t private_t))
170+
cache_t csi_exec_t lease_t measure_t secret_t etc_secret_t state_t private_t))
166171

167172
; Read-restricted objects are files on local storage that can only be
168173
; opened by system-level processes.
@@ -210,6 +215,6 @@
210215
network_exec_t bus_exec_t runtime_exec_t
211216
mount_exec_t cni_exec_t csi_exec_t
212217
any_t etc_t proc_t binfmt_misc_fs_t
213-
local_t data_t private_t secret_t cache_t
218+
local_t data_t private_t secret_t etc_secret_t cache_t
214219
lease_t measure_t state_t
215220
api_socket_t))

packages/selinux-policy/rules.cil

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -221,6 +221,12 @@
221221
(allow api_s secret_t (files (mutate mount)))
222222
(allow runtime_s secret_t (files (mutate mount)))
223223

224+
; Trusted components can modify secrets stored in /etc config files.
225+
(allow trusted_s etc_secret_t (files (mutate)))
226+
227+
; Untrusted components cannot modify secrets stored in /etc config files.
228+
(neverallow untrusted_s etc_secret_t (files (mutate)))
229+
224230
; Subjects that control the OS can write to and manage mounts for
225231
; "sensitive" files and directories on /local.
226232
(allow control_s sensitive_o (files (mutate mount)))

0 commit comments

Comments
 (0)