[lxc-devel] [PATCH] provide an example SELinux policy for older releases

Dwight Engen dwight.engen at oracle.com
Thu Jul 24 20:47:41 UTC 2014


On Thu, 24 Jul 2014 20:21:41 +0000
Serge Hallyn <serge.hallyn at ubuntu.com> wrote:

> Quoting Dwight Engen (dwight.engen at oracle.com):
> > The virtd_lxc_t type provided by the default RHEL/CentOS/Oracle 6.5
> > policy is an unconfined_domain(), so it doesn't really enforce
> > anything. This change will provide a link in the documentation to
> > an example policy that does confine containers.
> > 
> > On more recent distributions with new enough policy, it is
> > recommended not to use this sample policy, but to use the types
> > already available on the system
> > from /etc/selinux/targeted/contexts/lxc_contexts, ie:
> > 
> > process = "system_u:system_r:svirt_lxc_net_t:s0"
> > file = "system_u:object_r:svirt_sandbox_file_t:s0"
> > 
> > Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
> 
> Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> 
> Stéphane, if you apply this you'll need to add usr/share/lxc/selinux
> to debian/lxc.install in the packaging.
> 
> The only weirdness (to my untrained eye) is the gen_require in lxc.te.
> You have lxc_file_t there, but it's defined in the same file right
> above it; you also have lxc_t there, and I don't see that defined
> anywhere - is that defined in 
> /etc/selinux/targeted/contexts/lxc_contexts ?

You're right that I don't need to mention lxc_t and lxc_file_t in
gen_require; I'll resend a v2 without those in gen_require. lxc_t is
defined via userdom_unpriv_user_template(lxc) (which does a *lot* of
stuff).

> 
> > ---
> >  config/Makefile.am             |  2 +-
> >  config/selinux/Makefile.am     |  8 ++++
> >  config/selinux/lxc.if          |  1 +
> >  config/selinux/lxc.te          | 90
> > ++++++++++++++++++++++++++++++++++++++++++
> > configure.ac                   |  1 +
> > doc/lxc.container.conf.sgml.in |  4 +- 6 files changed, 104
> > insertions(+), 2 deletions(-) create mode 100644
> > config/selinux/Makefile.am create mode 100644 config/selinux/lxc.if
> >  create mode 100644 config/selinux/lxc.te
> > 
> > diff --git a/config/Makefile.am b/config/Makefile.am
> > index e40f842..37fd24b 100644
> > --- a/config/Makefile.am
> > +++ b/config/Makefile.am
> > @@ -1 +1 @@
> > -SUBDIRS = apparmor bash etc init templates yum
> > +SUBDIRS = apparmor bash etc init selinux templates yum
> > diff --git a/config/selinux/Makefile.am b/config/selinux/Makefile.am
> > new file mode 100644
> > index 0000000..9a2b21c
> > --- /dev/null
> > +++ b/config/selinux/Makefile.am
> > @@ -0,0 +1,8 @@
> > +selinuxdir=@DATADIR@/lxc/selinux
> > +
> > +EXTRA_DIST = \
> > +	lxc.if lxc.te
> > +
> > +selinux_DATA = \
> > +	lxc.if \
> > +	lxc.te
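Review bot: EXTRA_DIST and selinux_DATA list the same two files; `dist_selinux_DATA = lxc.if lxc.te` would both install and distribute them from one variable, so the two lists cannot drift apart when, say, an .fc file is added later.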
> > diff --git a/config/selinux/lxc.if b/config/selinux/lxc.if
> > new file mode 100644
> > index 0000000..3f8f995
> > --- /dev/null
> > +++ b/config/selinux/lxc.if
> > @@ -0,0 +1 @@
> > +## <summary>Policy for LXC containers</summary>
> > diff --git a/config/selinux/lxc.te b/config/selinux/lxc.te
> > new file mode 100644
> > index 0000000..3ec2ed1
> > --- /dev/null
> > +++ b/config/selinux/lxc.te
> > @@ -0,0 +1,90 @@
> > +#
> > +# SELinux policy for LXC for RHEL/CentOS/Oracle 6.5.
> > +# It attempts to restrict the container to the same amount of
> > access +# as an unprivileged user. To build and insert this policy
> > module: +#
> > +# make -f /usr/share/selinux/devel/Makefile lxc.pp
> > +# semodule -i lxc.pp
> > +#
> > +# In your container's lxc config:
> > +#   lxc.se_context = system_u:system_r:lxc_t:s0:c62,c86,c150,c228
> > +#
> > +# Ensure your container's rootfs files are labeled:
> > +#   chcon -R
> > system_u:object_r:lxc_file_t:s0:c62,c86,c150,c228 /path/to/rootfs +#
> > +# To keep containers separated from each other, you should vary
> > the MCS +# portion of the contexts above to be a unique set of
> > values for each +# container, each MCS compartment can be a number
> > from 0-1023. +#
> > +
> > +policy_module(lxc,0.34)
> > +
> > +userdom_unpriv_user_template(lxc)
> > +
> > +type lxc_file_t;
> > +files_type(lxc_file_t);
> > +role system_r types { lxc_t lxc_file_t };
> > +
> > +gen_require(`
> > +	type devpts_t;
> > +	type lxc_file_t;
> > +	type lxc_t;
> > +	type proc_t;
> > +	type ssh_port_t;
> > +	type sysctl_kernel_t;
> > +	type sysctl_modprobe_t;
> > +	type sysctl_net_t;
> > +	type tmpfs_t;
> > +	type unconfined_t;
> > +	class filesystem { relabelfrom unmount };
> > +	class tcp_socket name_bind;
> > +	class udp_socket name_bind;
> > +');
> > +
> > +# So lxc can transition to lxc_t on exec
> > +allow unconfined_t lxc_t:process transition;
> > +can_exec(lxc_t, lxc_file_t)
> > +
> > +# So lxc can dyntransition to lxc_t for attach executing a function
> > +allow unconfined_t lxc_t:process dyntransition;
> > +
> > +# So lxc-start can relabel the pty allocated for the console
> > +allow lxc_file_t devpts_t:filesystem associate;
> > +
> > +# So container can mount /dev/shm and relabel it
> > +allow lxc_t tmpfs_t:filesystem relabelfrom;
> > +
> > +# Allow all access to an lxc_file_t type; devices can be
> > restricted +# with the device cgroup, they are not here
> > +allow lxc_t lxc_file_t:file *;
> > +allow lxc_t lxc_file_t:lnk_file *;
> > +allow lxc_t lxc_file_t:chr_file *;
> > +allow lxc_t lxc_file_t:blk_file *;
> > +allow lxc_t lxc_file_t:sock_file *;
> > +allow lxc_t lxc_file_t:fifo_file *;
> > +allow lxc_t lxc_file_t:socket *;
> > +allow lxc_t lxc_file_t:dir *;
> > +allow lxc_t lxc_file_t:filesystem unmount;
> > +
> > +fs_unmount_all_fs(lxc_t)
> > +
> > +allow lxc_t proc_t:dir mounton;
> > +allow lxc_t proc_t:filesystem mount;
> > +
> > +allow lxc_t tmpfs_t:filesystem mount;
> > +allow lxc_t self:capability { dac_override dac_read_search fsetid
> > ipc_lock net_admin net_bind_service net_broadcast net_raw sys_admin
> > sys_boot sys_tty_config }; + +allow lxc_t sysctl_net_t:file write;
> > +allow lxc_t ssh_port_t:tcp_socket name_bind;
> > +
> > +corenet_tcp_connect_all_ports(lxc_t)
> > +corenet_tcp_bind_all_ports(lxc_t)
> > +corenet_udp_bind_all_ports(lxc_t)
> > +
> > +# Needed for ifup/ip/dhcp
> > +allow lxc_t self:packet_socket create_socket_perms;
> > +allow lxc_t self:rawip_socket create_socket_perms;
> > +allow lxc_t self:netlink_route_socket create_netlink_socket_perms;
> > +
> > +dontaudit lxc_t sysctl_kernel_t:file write;
> > +dontaudit lxc_t sysctl_modprobe_t:file write;
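Review bot: the header comment says the policy restricts the container to "the same amount of access as an unprivileged user", but the rules grant lxc_t sys_admin, net_admin, dac_override and dac_read_search, plus `allow lxc_t lxc_file_t:file *;` and the other `*` rules, which is far more than an unprivileged user gets; reword the comment to state what is actually confined (the domain is limited to lxc_file_t-labelled objects, the listed capabilities, and the sysctl/net rules, with MCS categories keeping containers apart). Two smaller points: `can_exec(lxc_t, lxc_file_t)` is already subsumed by the `file *` rule, and, as raised earlier in the thread, lxc_t and lxc_file_t should come out of gen_require because this module defines them (lxc_file_t by the `type` line above, lxc_t via userdom_unpriv_user_template(lxc)).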
> > diff --git a/configure.ac b/configure.ac
> > index a289162..b88a97e 100644
> > --- a/configure.ac
> > +++ b/configure.ac
> > @@ -584,6 +584,7 @@ AC_CONFIG_FILES([
> >  
> >  	config/Makefile
> >  	config/apparmor/Makefile
> > +	config/selinux/Makefile
> >  	config/bash/Makefile
> >  	config/bash/lxc
> >  	config/init/Makefile
> > diff --git a/doc/lxc.container.conf.sgml.in
> > b/doc/lxc.container.conf.sgml.in index 4f8e4e9..01cda62 100644
> > --- a/doc/lxc.container.conf.sgml.in
> > +++ b/doc/lxc.container.conf.sgml.in
> > @@ -1055,6 +1055,8 @@ proc proc proc nodev,noexec,nosuid 0 0
> >  	container should be run can be specified in the container
> >  	configuration.  The default is
> > <command>unconfined_t</command>, which means that lxc will not
> > attempt to change contexts.
> > +	See @DATADIR@/lxc/selinux/lxc.te for an example policy and
> > more
> > +	information.
> >        </para>
> >        <variablelist>
> >  	<varlistentry>
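Review bot: the added sentence points readers at lxc.te without saying which systems it is meant for; the commit message limits the sample to RHEL/CentOS/Oracle 6.5 and recommends the svirt_lxc_net_t / svirt_sandbox_file_t types from /etc/selinux/targeted/contexts/lxc_contexts on newer distributions, and that guidance belongs in this paragraph so users of newer policies do not load the sample module instead of the types they already have.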
> > @@ -1066,7 +1068,7 @@ proc proc proc nodev,noexec,nosuid 0 0
> >  	      Specify the SELinux context under which the
> > container should be run or <command>unconfined_t</command>. For
> > example </para>
> > -	    <programlisting>lxc.se_context =
> > unconfined_u:unconfined_r:lxc_t:s0-s0:c0.c1023</programlisting>
> > +	    <programlisting>lxc.se_context =
> > system_u:system_r:lxc_t:s0:c0.c1023</programlisting> </listitem>
> >  	</varlistentry>
> >        </variablelist>
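Review bot: the new example `system_u:system_r:lxc_t:s0:c0.c1023` gives the container every MCS category, so a process at that level dominates any file labelled with a subset of c0-c1023, including another container's rootfs; that contradicts the lxc.te header, which tells users to pick a unique category set per container. Use a specific set in the example (for instance the `s0:c62,c86,c150,c228` already used in lxc.te) or state that the range must be replaced with per-container categories.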
> > -- 
> > 1.9.3
> > 
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel

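The lxc.te header above tells users to vary the MCS portion of lxc.se_context and the rootfs file context so that each container gets a unique set of categories from 0-1023. The following is an added example, not part of the LXC patch or the project's code: it allocates disjoint category sets per container, formats the process and file contexts in the form the policy expects, and checks MCS dominance (a process may access a file only when the file's categories are a subset of its own), which is what makes a range such as `s0:c0.c1023` unsuitable for separation. The allocator, its function names and the sensitivity being fixed at s0 are assumptions of this example.

```python
"""Per-container MCS category allocation and dominance check.

Added example for this thread, not code from the LXC patch. The
category range 0-1023, the four-category example and the
"s0:cA,cB,..." spelling follow the lxc.te header comment; the
allocator itself and the helper names are assumptions.
"""
import random
import re
from typing import Dict, FrozenSet, Set

MCS_MIN, MCS_MAX = 0, 1023      # category range stated in the lxc.te comment
CATS_PER_CONTAINER = 4          # the lxc.te example uses four categories


class McsAllocator:
    """Hands out category sets that share no category with any other
    live container, so no container's level dominates another's."""

    def __init__(self, seed=None):
        self._rng = random.Random(seed)
        self._used: Dict[str, FrozenSet[int]] = {}

    def allocate(self, name: str, ncats: int = CATS_PER_CONTAINER) -> FrozenSet[int]:
        if name in self._used:                  # idempotent per container
            return self._used[name]
        taken = set().union(*self._used.values())
        free = [c for c in range((MCS_MIN), MCS_MAX + 1) if c not in taken]
        if len(free) < ncats:
            raise RuntimeError("no free MCS categories left")
        cats = frozenset(self._rng.sample(free, ncats))
        self._used[name] = cats
        return cats

    def release(self, name: str) -> None:
        self._used.pop(name, None)


def mcs_level(cats) -> str:
    """Spell a category set the way lxc.te does: s0:c62,c86,c150,c228."""
    return "s0:" + ",".join(f"c{c}" for c in sorted(cats))


def process_context(cats) -> str:
    """Value for lxc.se_context with the sample policy's lxc_t domain."""
    return f"system_u:system_r:lxc_t:{mcs_level(cats)}"


def file_context(cats) -> str:
    """Label to apply to the rootfs (chcon -R in the lxc.te comment)."""
    return f"system_u:object_r:lxc_file_t:{mcs_level(cats)}"


def parse_level(level: str) -> Set[int]:
    """Expand 's0', 's0:c62,c86' or 's0:c0.c1023' into the set of
    category numbers the level covers ('.' denotes an inclusive range)."""
    m = re.fullmatch(r"s0(?::(.+))?", level)
    if not m:
        raise ValueError(f"unsupported MCS level: {level!r}")
    cats: Set[int] = set()
    if m.group(1):
        for part in m.group(1).split(","):
            lo, _, hi = part.partition(".")
            lo_n = int(lo[1:])
            hi_n = int(hi[1:]) if hi else lo_n
            cats.update(range(lo_n, hi_n + 1))
    return cats


def can_access(process_level: str, file_level: str) -> bool:
    """MCS dominance: the process level must contain every category of
    the file level. 's0:c0.c1023' therefore dominates everything."""
    return parse_level(file_level) <= parse_level(process_level)


def separated(level_a: str, level_b: str) -> bool:
    """True when neither level dominates the other, i.e. MCS keeps two
    containers at these levels out of each other's files."""
    return not can_access(level_a, level_b) and not can_access(level_b, level_a)


if __name__ == "__main__":
    alloc = McsAllocator(seed=1)
    web, db = alloc.allocate("web"), alloc.allocate("db")
    print(process_context(web))
    print(file_context(db))
    print("web/db separated:", separated(mcs_level(web), mcs_level(db)))
    print("c0.c1023 separated from db:", separated("s0:c0.c1023", mcs_level(db)))
```

`separated("s0:c0.c1023", ...)` is always false because the full range dominates every other level, which is the practical reason to give each container a small distinct category set rather than the whole range.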