[lxc-devel] [PATCH] provide an example SELinux policy for older releases

Serge Hallyn serge.hallyn at ubuntu.com
Thu Jul 24 20:21:41 UTC 2014


Quoting Dwight Engen (dwight.engen at oracle.com):
> The virtd_lxc_t type provided by the default RHEL/CentOS/Oracle 6.5
> policy is an unconfined_domain(), so it doesn't really enforce anything.
> This change will provide a link in the documentation to an example
> policy that does confine containers.
> 
> On more recent distributions with new enough policy, it is recommended
> not to use this sample policy, but to use the types already available
> on the system from /etc/selinux/targeted/contexts/lxc_contexts, ie:
> 
> process = "system_u:system_r:svirt_lxc_net_t:s0"
> file = "system_u:object_r:svirt_sandbox_file_t:s0"
> 
> Signed-off-by: Dwight Engen <dwight.engen at oracle.com>

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

Stéphane, if you apply this you'll need to add usr/share/lxc/selinux
to debian/lxc.install in the packaging.

The only weirdness (to my untrained eye) is the gen_require in lxc.te.
You have lxc_file_t there, but it's defined in the same file right above
it; you also have lxc_t there, and I don't see that defined anywhere -
is that defined in /etc/selinux/targeted/contexts/lxc_contexts ?

> ---
>  config/Makefile.am             |  2 +-
>  config/selinux/Makefile.am     |  8 ++++
>  config/selinux/lxc.if          |  1 +
>  config/selinux/lxc.te          | 90 ++++++++++++++++++++++++++++++++++++++++++
>  configure.ac                   |  1 +
>  doc/lxc.container.conf.sgml.in |  4 +-
>  6 files changed, 104 insertions(+), 2 deletions(-)
>  create mode 100644 config/selinux/Makefile.am
>  create mode 100644 config/selinux/lxc.if
>  create mode 100644 config/selinux/lxc.te
> 
> diff --git a/config/Makefile.am b/config/Makefile.am
> index e40f842..37fd24b 100644
> --- a/config/Makefile.am
> +++ b/config/Makefile.am
> @@ -1 +1 @@
> -SUBDIRS = apparmor bash etc init templates yum
> +SUBDIRS = apparmor bash etc init selinux templates yum
> diff --git a/config/selinux/Makefile.am b/config/selinux/Makefile.am
> new file mode 100644
> index 0000000..9a2b21c
> --- /dev/null
> +++ b/config/selinux/Makefile.am
> @@ -0,0 +1,8 @@
> +selinuxdir=@DATADIR@/lxc/selinux
> +
> +EXTRA_DIST = \
> +	lxc.if lxc.te
> +
> +selinux_DATA = \
> +	lxc.if \
> +	lxc.te
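Review bot: lxc.if and lxc.te are listed twice in this Makefile.am, once under EXTRA_DIST and again under selinux_DATA. Automake distributes the files named in a dist_-prefixed primary, so a single `dist_selinux_DATA = lxc.if lxc.te` would both install and distribute them and the EXTRA_DIST block could go.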
> diff --git a/config/selinux/lxc.if b/config/selinux/lxc.if
> new file mode 100644
> index 0000000..3f8f995
> --- /dev/null
> +++ b/config/selinux/lxc.if
> @@ -0,0 +1 @@
> +## <summary>Policy for LXC containers</summary>
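Review bot: lxc.if carries only the summary line and defines no interfaces, so no other module can call into this one; a short comment saying that is intentional would keep a later reader from assuming the interfaces were dropped by mistake.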
> diff --git a/config/selinux/lxc.te b/config/selinux/lxc.te
> new file mode 100644
> index 0000000..3ec2ed1
> --- /dev/null
> +++ b/config/selinux/lxc.te
> @@ -0,0 +1,90 @@
> +#
> +# SELinux policy for LXC for RHEL/CentOS/Oracle 6.5.
> +# It attempts to restrict the container to the same amount of access
> +# as an unprivileged user. To build and insert this policy module:
> +#
> +# make -f /usr/share/selinux/devel/Makefile lxc.pp
> +# semodule -i lxc.pp
> +#
> +# In your container's lxc config:
> +#   lxc.se_context = system_u:system_r:lxc_t:s0:c62,c86,c150,c228
> +#
> +# Ensure your container's rootfs files are labeled:
> +#   chcon -R system_u:object_r:lxc_file_t:s0:c62,c86,c150,c228 /path/to/rootfs
> +#
> +# To keep containers separated from each other, you should vary the MCS
> +# portion of the contexts above to be a unique set of values for each
> +# container, each MCS compartment can be a number from 0-1023.
> +#
> +
> +policy_module(lxc,0.34)
> +
> +userdom_unpriv_user_template(lxc)
> +
> +type lxc_file_t;
> +files_type(lxc_file_t);
> +role system_r types { lxc_t lxc_file_t };
> +
> +gen_require(`
> +	type devpts_t;
> +	type lxc_file_t;
> +	type lxc_t;
> +	type proc_t;
> +	type ssh_port_t;
> +	type sysctl_kernel_t;
> +	type sysctl_modprobe_t;
> +	type sysctl_net_t;
> +	type tmpfs_t;
> +	type unconfined_t;
> +	class filesystem { relabelfrom unmount };
> +	class tcp_socket name_bind;
> +	class udp_socket name_bind;
> +');
> +
> +# So lxc can transition to lxc_t on exec
> +allow unconfined_t lxc_t:process transition;
> +can_exec(lxc_t, lxc_file_t)
> +
> +# So lxc can dyntransition to lxc_t for attach executing a function
> +allow unconfined_t lxc_t:process dyntransition;
> +
> +# So lxc-start can relabel the pty allocated for the console
> +allow lxc_file_t devpts_t:filesystem associate;
> +
> +# So container can mount /dev/shm and relabel it
> +allow lxc_t tmpfs_t:filesystem relabelfrom;
> +
> +# Allow all access to an lxc_file_t type; devices can be restricted 
> +# with the device cgroup, they are not here
> +allow lxc_t lxc_file_t:file *;
> +allow lxc_t lxc_file_t:lnk_file *;
> +allow lxc_t lxc_file_t:chr_file *;
> +allow lxc_t lxc_file_t:blk_file *;
> +allow lxc_t lxc_file_t:sock_file *;
> +allow lxc_t lxc_file_t:fifo_file *;
> +allow lxc_t lxc_file_t:socket *;
> +allow lxc_t lxc_file_t:dir *;
> +allow lxc_t lxc_file_t:filesystem unmount;
> +
> +fs_unmount_all_fs(lxc_t)
> +
> +allow lxc_t proc_t:dir mounton;
> +allow lxc_t proc_t:filesystem mount;
> +
> +allow lxc_t tmpfs_t:filesystem mount;
> +allow lxc_t self:capability { dac_override dac_read_search fsetid ipc_lock net_admin net_bind_service net_broadcast net_raw sys_admin sys_boot sys_tty_config };
> +
> +allow lxc_t sysctl_net_t:file write;
> +allow lxc_t ssh_port_t:tcp_socket name_bind;
> +
> +corenet_tcp_connect_all_ports(lxc_t)
> +corenet_tcp_bind_all_ports(lxc_t)
> +corenet_udp_bind_all_ports(lxc_t)
> +
> +# Needed for ifup/ip/dhcp
> +allow lxc_t self:packet_socket create_socket_perms;
> +allow lxc_t self:rawip_socket create_socket_perms;
> +allow lxc_t self:netlink_route_socket create_netlink_socket_perms;
> +
> +dontaudit lxc_t sysctl_kernel_t:file write;
> +dontaudit lxc_t sysctl_modprobe_t:file write;
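Review bot: the gen_require block near the top of lxc.te requires lxc_file_t and lxc_t, but both are declared in this module: lxc_file_t by the `type lxc_file_t;` line directly above it, and lxc_t (with role lxc_r) by `userdom_unpriv_user_template(lxc)`, so neither comes from lxc_contexts and both require lines can be dropped; that also answers the question raised in the reply above. Two further things in the same hunk deserve a look: the `allow lxc_t lxc_file_t:file *;` family grants every permission in each class, including relabelfrom, relabelto, execmod and entrypoint, and will silently widen whenever a new permission is added to a class, so spelling out the intended sets (the manage_*_perms macros) would keep the policy reviewable; and the capability line hands lxc_t sys_admin and net_admin, which sits uneasily with the header comment about "the same amount of access as an unprivileged user" and should carry a comment naming what in the container needs them (the proc_t/tmpfs_t mounts and the ifup/ip/dhcp path shown further down).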
> diff --git a/configure.ac b/configure.ac
> index a289162..b88a97e 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -584,6 +584,7 @@ AC_CONFIG_FILES([
>  
>  	config/Makefile
>  	config/apparmor/Makefile
> +	config/selinux/Makefile
>  	config/bash/Makefile
>  	config/bash/lxc
>  	config/init/Makefile
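Review bot: config/selinux/Makefile is inserted between config/apparmor/Makefile and config/bash/Makefile, while the visible neighbours in this AC_CONFIG_FILES list are in alphabetical order; moving the new entry to its sorted position keeps the list easy to scan.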
> diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
> index 4f8e4e9..01cda62 100644
> --- a/doc/lxc.container.conf.sgml.in
> +++ b/doc/lxc.container.conf.sgml.in
> @@ -1055,6 +1055,8 @@ proc proc proc nodev,noexec,nosuid 0 0
>  	container should be run can be specified in the container
>  	configuration.  The default is <command>unconfined_t</command>,
>  	which means that lxc will not attempt to change contexts.
> +	See @DATADIR@/lxc/selinux/lxc.te for an example policy and more
> +	information.
>        </para>
>        <variablelist>
>  	<varlistentry>
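Review bot: the added sentence points every reader at the sample policy, but the commit message says the sample should not be used on newer distributions, where the svirt_lxc_net_t and svirt_sandbox_file_t types from /etc/selinux/targeted/contexts/lxc_contexts are preferred; that caveat belongs in the manual page as well, e.g. "See @DATADIR@/lxc/selinux/lxc.te for an example policy for older releases; on systems that ship lxc_contexts, prefer the types listed there."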
> @@ -1066,7 +1068,7 @@ proc proc proc nodev,noexec,nosuid 0 0
>  	      Specify the SELinux context under which the container should
>  	      be run or <command>unconfined_t</command>. For example
>  	    </para>
> -	    <programlisting>lxc.se_context = unconfined_u:unconfined_r:lxc_t:s0-s0:c0.c1023</programlisting>
> +	    <programlisting>lxc.se_context = system_u:system_r:lxc_t:s0:c0.c1023</programlisting>
>  	  </listitem>
>  	</varlistentry>
>        </variablelist>
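Review bot: the new example context uses the whole category range c0.c1023, which gives every container the same MCS set and therefore no MCS separation between containers, while the header comment in lxc.te asks for a unique set of categories per container; showing a per-container set here (the lxc.te header uses c62,c86,c150,c228) or adding a sentence that the categories must be varied per container would keep the two in step.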
> -- 
> 1.9.3
> 