Merge pull request #53 from projectatomic/userns

Add new type to support userns

container.te

@@ -268,7 +268,6 @@ files_read_usr_symlinks(container_runtime_t)
 files_search_locks(container_runtime_t)
 files_dontaudit_unmount_all_mountpoints(container_runtime_t)
 
-
 fs_read_cgroup_files(container_runtime_t)
 fs_read_tmpfs_symlinks(container_runtime_t)
 fs_search_all(container_runtime_t)
@@ -630,7 +629,7 @@ allow container_runtime_t container_domain:fifo_file rw_fifo_file_perms;
 allow container_domain container_runtime_t:fifo_file { rw_fifo_file_perms map };
 allow container_domain container_runtime_t:fd use;
 allow container_runtime_t container_domain:fd use;
-allow container_t self:socket_class_set create_socket_perms;
+allow container_domain self:socket_class_set { create_socket_perms map };
 
 dontaudit container_domain self:capability fsetid;
 allow container_domain self:association sendto;
@@ -686,7 +685,7 @@ dev_list_sysfs(container_domain)
 allow svirt_sandbox_domain self:key manage_key_perms;
 dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search;
 
-allow container_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
+allow container_domain self:process { getrlimit getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
 allow container_domain self:fifo_file manage_file_perms;
 allow container_domain self:msg all_msg_perms;
 allow container_domain self:sem create_sem_perms;
@@ -740,8 +739,8 @@ gen_require(`
 	type cgroup_t;
 ')
 
-dev_read_sysfs(container_t)
-dev_read_mtrr(container_t)
+dev_read_sysfs(container_domain)
+dev_read_mtrr(container_domain)
 dev_read_rand(container_t)
 dev_read_urand(container_t)
 
@@ -754,16 +753,22 @@ tunable_policy(`virt_sandbox_use_sys_admin',`
 	allow container_t self:cap_userns sys_admin;
 ')
 
-allow container_t self:process { getsession execstack execmem };
-allow container_t self:cap_userns dac_override;
+allow container_domain self:cap_userns sys_admin;
+allow container_domain self:process { getsession execstack execmem };
 
 virt_default_capabilities(container_t)
-kernel_rw_rpc_sysctls(container_t)
-kernel_rw_net_sysctls(container_t)
+kernel_rw_rpc_sysctls(container_domain)
+kernel_rw_net_sysctls(container_domain)
 kernel_read_messages(container_t)
-kernel_read_network_state(container_t)
-kernel_dontaudit_write_proc_files(container_t)
-kernel_mounton_proc(container_t)
+kernel_read_network_state(container_domain)
+kernel_dontaudit_write_proc_files(container_domain)
+kernel_unlabeled_domtrans(container_runtime_t, spc_t)
+kernel_unlabeled_entry_type(spc_t)
+#kernel_dontaudit_write_usermodehelper_state(container_t)
+gen_require(`
+	type usermodehelper_t;
+')
+dontaudit container_t usermodehelper_t:file write;
 
 fs_read_cgroup_files(container_t)
 fs_list_cgroup_dirs(container_t)
@@ -840,6 +845,7 @@ gen_require(`
 	type iptables_t;
 ')
 container_read_pid_files(iptables_t)
+container_read_state(iptables_t)
 
 optional_policy(`
 	gen_require(`
@@ -859,3 +865,51 @@ optional_policy(`
 	container_filetrans_named_content(unconfined_domain_type)
 	allow unconfined_domain_type container_domain:process2 { nnp_transition nosuid_transition };
 ')
+
+#
+# container_userns_t policy
+#
+container_domain_template(container_userns)
+
+virt_sandbox_domain(container_userns_t)
+typeattribute  container_userns_t sandbox_net_domain;
+dev_mount_sysfs_fs(container_userns_t)
+dev_mounton_sysfs(container_userns_t)
+
+fs_mount_tmpfs(container_userns_t)
+fs_remount_cgroup(container_userns_t)
+
+kernel_mount_proc(container_userns_t)
+kernel_mount_proc(container_userns_t)
+kernel_mounton_proc(container_userns_t)
+kernel_mounton_proc(container_userns_t)
+
+term_use_generic_ptys(container_userns_t)
+term_setattr_generic_ptys(container_userns_t)
+term_mount_pty_fs(container_userns_t)
+
+allow container_userns_t self:capability ~{ sys_module };
+allow container_userns_t self:capability2 ~{ mac_override mac_admin };
+allow container_userns_t self:cap_userns ~{ sys_module };
+allow container_userns_t self:cap2_userns ~{ mac_override mac_admin };
+allow container_userns_t self:capability mknod;
+allow container_userns_t self:cap_userns mknod;
+
+optional_policy(`
+	gen_require(`
+		type proc_t, proc_kcore_t;
+		type sysctl_t, sysctl_irq_t;
+	')
+
+	allow container_userns_t proc_t:filesystem { remount };
+	allow container_userns_t proc_kcore_t:file mounton;
+	allow container_userns_t sysctl_irq_t:dir mounton;
+	allow container_userns_t sysctl_t:dir mounton;
+	allow container_userns_t sysctl_t:file mounton;
+')
+
+
+tunable_policy(`virt_sandbox_use_sys_admin',`
+	allow container_userns_t self:capability sys_admin;
+	allow container_userns_t self:cap_userns sys_admin;
+')