Alternative Installation Method #7

Open
fifofonix opened this issue Apr 2, 2020 · 1 comment

Comments

@fifofonix

Thanks for this repo because I'm new to SELinux and it helped me a lot.

Note, however, that after starting with the method you have here for installation, I actually simplified things by converting your policy to the human-readable CIL format (`cat dockersock.pp | /usr/libexec/selinux/hll/pp > dockersock.cil`), and this allowed me to install it in a single line: `semodule -i dockersock.cil`.

For my use case, which involves provisioning FedoraCoreOS (FCOS) boxes, which do not come with checkpolicy installed, this avoided layering a time-consuming OS modification (`sudo rpm-ostree install checkpolicy`) to our boot processes.

@jmariondev

For those finding this issue in the future, here is the CIL produced so you don't need to run the compilation yourself:

(The types used here are for Fedora 32; these are probably different on other platforms, see #4.)

```
(typeattributeset cil_gen_require container_runtime_t)
(typeattributeset cil_gen_require container_t)
(allow container_t container_runtime_t (unix_stream_socket (connectto)))
```
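A pre-install check for a CIL module like the one above, as an added example that is not part of the original thread or of this repo: it lists every statement that grants access and rejects the file if any of them differs from the single `connectto` rule shown here. It assumes one statement per line; `audit_cil` and `EXPECTED_RULES` are names made up for this example.

```shell
#!/bin/sh
# Added example (not from the repo): audit a CIL module before `semodule -i`.
# Assumption: the file holds one CIL statement per line.

# The only access-granting rule the module is expected to contain,
# copied from the CIL posted in this thread (Fedora 32 type names).
EXPECTED_RULES='(allow container_t container_runtime_t (unix_stream_socket (connectto)))'

# audit_cil FILE
# Returns 0 only if FILE contains at least one access-granting statement
# and every such statement appears in EXPECTED_RULES.
audit_cil() {
    local file="$1" rule status=0 seen=0
    while IFS= read -r rule || [ -n "$rule" ]; do
        # Collapse runs of whitespace and trim both ends before comparing.
        rule=$(printf '%s' "$rule" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//')
        case $rule in
            # CIL statements that grant access or loosen enforcement.
            '(allow '*|'(allowx '*|'(typepermissive '*) ;;
            # Everything else (type requirements, comments) is skipped.
            *) continue ;;
        esac
        seen=1
        if printf '%s\n' "$EXPECTED_RULES" | grep -Fxq -- "$rule"; then
            echo "expected:   $rule"
        else
            echo "UNEXPECTED: $rule" >&2
            status=1
        fi
    done < "$file"
    if [ "$seen" -ne 1 ]; then
        echo "no access-granting statements found in $file" >&2
        return 1
    fi
    return "$status"
}

# Stand-alone use: sh audit.sh dockersock.cil
if [ "$#" -eq 1 ]; then
    audit_cil "$1" && echo "audit passed; install with: semodule -i $1"
fi
```

On a platform with different type names (see #4), update `EXPECTED_RULES` to match before running the check.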
