[lxc-devel] [PATCH] provide an example SELinux policy for older releases
Dwight Engen
dwight.engen at oracle.com
Thu Jul 24 20:47:41 UTC 2014
On Thu, 24 Jul 2014 20:21:41 +0000
Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting Dwight Engen (dwight.engen at oracle.com):
> > The virtd_lxc_t type provided by the default RHEL/CentOS/Oracle 6.5
> > policy is an unconfined_domain(), so it doesn't really enforce
> > anything. This change will provide a link in the documentation to
> > an example policy that does confine containers.
> >
> > On more recent distributions with new enough policy, it is
> > recommended not to use this sample policy, but to use the types
> > already available on the system
> > from /etc/selinux/targeted/contexts/lxc_contexts, ie:
> >
> > process = "system_u:system_r:svirt_lxc_net_t:s0"
> > file = "system_u:object_r:svirt_sandbox_file_t:s0"
> >
> > Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
>
> Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
>
> Stéphane, if you apply this you'll need to add usr/share/lxc/selinux
> to debian/lxc.install in the packaging.
>
> The only weirdness (to my untrained eye) is the gen_require in lxc.te.
> You have lxc_file_t there, but it's defined in the same file right
> above it; you also have lxc_t there, and I don't see that defined
> anywhere - is that defined in
> /etc/selinux/targeted/contexts/lxc_contexts ?
You're right that I don't need to mention lxc_t and lxc_file_t in
gen_require, I'll resend a v2 without those in gen_require. lxc_t is
defined via userdom_unpriv_user_template(lxc) (which does a *lot* of
stuff).
>
> > ---
> > config/Makefile.am | 2 +-
> > config/selinux/Makefile.am | 8 ++++
> > config/selinux/lxc.if | 1 +
> > config/selinux/lxc.te | 90 ++++++++++++++++++++++++++++++++++++++++++
> > configure.ac | 1 +
> > doc/lxc.container.conf.sgml.in | 4 +-
> > 6 files changed, 104 insertions(+), 2 deletions(-)
> > create mode 100644 config/selinux/Makefile.am
> > create mode 100644 config/selinux/lxc.if
> > create mode 100644 config/selinux/lxc.te
> >
> > diff --git a/config/Makefile.am b/config/Makefile.am
> > index e40f842..37fd24b 100644
> > --- a/config/Makefile.am
> > +++ b/config/Makefile.am
> > @@ -1 +1 @@
> > -SUBDIRS = apparmor bash etc init templates yum
> > +SUBDIRS = apparmor bash etc init selinux templates yum
> > diff --git a/config/selinux/Makefile.am b/config/selinux/Makefile.am
> > new file mode 100644
> > index 0000000..9a2b21c
> > --- /dev/null
> > +++ b/config/selinux/Makefile.am
> > @@ -0,0 +1,8 @@
> > +selinuxdir=@DATADIR@/lxc/selinux
> > +
> > +EXTRA_DIST = \
> > + lxc.if lxc.te
> > +
> > +selinux_DATA = \
> > + lxc.if \
> > + lxc.te
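Review bot: the EXTRA_DIST and selinux_DATA lists in config/selinux/Makefile.am name the same two files; since automake does not distribute `_DATA` files on its own the EXTRA_DIST is needed in this form, but `dist_selinux_DATA = lxc.if lxc.te` covers both install and distribution in one variable and avoids the two lists drifting apart when a file is added later.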
> > diff --git a/config/selinux/lxc.if b/config/selinux/lxc.if
> > new file mode 100644
> > index 0000000..3f8f995
> > --- /dev/null
> > +++ b/config/selinux/lxc.if
> > @@ -0,0 +1 @@
> > +## <summary>Policy for LXC containers</summary>
> > diff --git a/config/selinux/lxc.te b/config/selinux/lxc.te
> > new file mode 100644
> > index 0000000..3ec2ed1
> > --- /dev/null
> > +++ b/config/selinux/lxc.te
> > @@ -0,0 +1,90 @@
> > +#
> > +# SELinux policy for LXC for RHEL/CentOS/Oracle 6.5.
> > +# It attempts to restrict the container to the same amount of
> > access +# as an unprivileged user. To build and insert this policy
> > module: +#
> > +# make -f /usr/share/selinux/devel/Makefile lxc.pp
> > +# semodule -i lxc.pp
> > +#
> > +# In your container's lxc config:
> > +# lxc.se_context = system_u:system_r:lxc_t:s0:c62,c86,c150,c228
> > +#
> > +# Ensure your container's rootfs files are labeled:
> > +# chcon -R
> > system_u:object_r:lxc_file_t:s0:c62,c86,c150,c228 /path/to/rootfs +#
> > +# To keep containers separated from each other, you should vary
> > the MCS +# portion of the contexts above to be a unique set of
> > values for each +# container, each MCS compartment can be a number
> > from 0-1023. +#
> > +
> > +policy_module(lxc,0.34)
> > +
> > +userdom_unpriv_user_template(lxc)
> > +
> > +type lxc_file_t;
> > +files_type(lxc_file_t);
> > +role system_r types { lxc_t lxc_file_t };
> > +
> > +gen_require(`
> > + type devpts_t;
> > + type lxc_file_t;
> > + type lxc_t;
> > + type proc_t;
> > + type ssh_port_t;
> > + type sysctl_kernel_t;
> > + type sysctl_modprobe_t;
> > + type sysctl_net_t;
> > + type tmpfs_t;
> > + type unconfined_t;
> > + class filesystem { relabelfrom unmount };
> > + class tcp_socket name_bind;
> > + class udp_socket name_bind;
> > +');
> > +
> > +# So lxc can transition to lxc_t on exec
> > +allow unconfined_t lxc_t:process transition;
> > +can_exec(lxc_t, lxc_file_t)
> > +
> > +# So lxc can dyntransition to lxc_t for attach executing a function
> > +allow unconfined_t lxc_t:process dyntransition;
> > +
> > +# So lxc-start can relabel the pty allocated for the console
> > +allow lxc_file_t devpts_t:filesystem associate;
> > +
> > +# So container can mount /dev/shm and relabel it
> > +allow lxc_t tmpfs_t:filesystem relabelfrom;
> > +
> > +# Allow all access to an lxc_file_t type; devices can be
> > restricted +# with the device cgroup, they are not here
> > +allow lxc_t lxc_file_t:file *;
> > +allow lxc_t lxc_file_t:lnk_file *;
> > +allow lxc_t lxc_file_t:chr_file *;
> > +allow lxc_t lxc_file_t:blk_file *;
> > +allow lxc_t lxc_file_t:sock_file *;
> > +allow lxc_t lxc_file_t:fifo_file *;
> > +allow lxc_t lxc_file_t:socket *;
> > +allow lxc_t lxc_file_t:dir *;
> > +allow lxc_t lxc_file_t:filesystem unmount;
> > +
> > +fs_unmount_all_fs(lxc_t)
> > +
> > +allow lxc_t proc_t:dir mounton;
> > +allow lxc_t proc_t:filesystem mount;
> > +
> > +allow lxc_t tmpfs_t:filesystem mount;
> > +allow lxc_t self:capability { dac_override dac_read_search fsetid
> > ipc_lock net_admin net_bind_service net_broadcast net_raw sys_admin
> > sys_boot sys_tty_config }; + +allow lxc_t sysctl_net_t:file write;
> > +allow lxc_t ssh_port_t:tcp_socket name_bind;
> > +
> > +corenet_tcp_connect_all_ports(lxc_t)
> > +corenet_tcp_bind_all_ports(lxc_t)
> > +corenet_udp_bind_all_ports(lxc_t)
> > +
> > +# Needed for ifup/ip/dhcp
> > +allow lxc_t self:packet_socket create_socket_perms;
> > +allow lxc_t self:rawip_socket create_socket_perms;
> > +allow lxc_t self:netlink_route_socket create_netlink_socket_perms;
> > +
> > +dontaudit lxc_t sysctl_kernel_t:file write;
> > +dontaudit lxc_t sysctl_modprobe_t:file write;
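Review bot: the `gen_require` block lists `type lxc_file_t;` and `type lxc_t;`, but both are declared by this module itself (`type lxc_file_t;` a few lines above, and lxc_t through `userdom_unpriv_user_template(lxc)`), so they should be dropped and the block should only name what is pulled in from the base policy (devpts_t, proc_t, tmpfs_t, unconfined_t, the sysctl types, ssh_port_t and the classes). Two smaller points in the same file: the header comment says the container is restricted "to the same amount of access as an unprivileged user", while the rules grant `sys_admin`, `net_admin`, `dac_override`, `net_raw` and wildcard permissions on every object class of lxc_file_t (`allow lxc_t lxc_file_t:file *;`), so the comment should describe the confinement as "to the lxc_file_t label plus the listed capabilities" rather than as unprivileged-user rights; and `allow lxc_t ssh_port_t:tcp_socket name_bind;` is already covered by `corenet_tcp_bind_all_ports(lxc_t)` three lines below, so one of the two can go.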
> > diff --git a/configure.ac b/configure.ac
> > index a289162..b88a97e 100644
> > --- a/configure.ac
> > +++ b/configure.ac
> > @@ -584,6 +584,7 @@ AC_CONFIG_FILES([
> >
> > config/Makefile
> > config/apparmor/Makefile
> > + config/selinux/Makefile
> > config/bash/Makefile
> > config/bash/lxc
> > config/init/Makefile
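Review bot: `config/selinux/Makefile` is inserted between `config/apparmor/Makefile` and `config/bash/Makefile`, which breaks the alphabetical ordering the surrounding AC_CONFIG_FILES entries follow (apparmor, bash, init); move it below `config/init/Makefile` so the list stays sorted.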
> > diff --git a/doc/lxc.container.conf.sgml.in
> > b/doc/lxc.container.conf.sgml.in index 4f8e4e9..01cda62 100644
> > --- a/doc/lxc.container.conf.sgml.in
> > +++ b/doc/lxc.container.conf.sgml.in
> > @@ -1055,6 +1055,8 @@ proc proc proc nodev,noexec,nosuid 0 0
> > container should be run can be specified in the container
> > configuration. The default is
> > <command>unconfined_t</command>, which means that lxc will not
> > attempt to change contexts.
> > + See @DATADIR@/lxc/selinux/lxc.te for an example policy and
> > more
> > + information.
> > </para>
> > <variablelist>
> > <varlistentry>
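Review bot: the added sentence points readers at lxc.te as "an example policy" without the caveat from the commit message that the module targets the RHEL/CentOS/Oracle 6.5 policy and that systems with a newer policy should use the svirt_lxc_net_t / svirt_sandbox_file_t contexts from /etc/selinux/targeted/contexts/lxc_contexts instead; adding that one sentence here keeps the man page from steering users on recent distributions into loading the sample module.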
> > @@ -1066,7 +1068,7 @@ proc proc proc nodev,noexec,nosuid 0 0
> > Specify the SELinux context under which the
> > container should be run or <command>unconfined_t</command>. For
> > example </para>
> > - <programlisting>lxc.se_context =
> > unconfined_u:unconfined_r:lxc_t:s0-s0:c0.c1023</programlisting>
> > + <programlisting>lxc.se_context =
> > system_u:system_r:lxc_t:s0:c0.c1023</programlisting> </listitem>
> > </varlistentry>
> > </variablelist>
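Review bot: the new example `system_u:system_r:lxc_t:s0:c0.c1023` uses the full category range, so a container started with it gets no MCS separation from other containers or from lxc_file_t files of any label in that range, which contradicts the advice in the lxc.te header to give each container a unique compartment set; either show a narrow set as the .te header does (`s0:c62,c86,c150,c228`) or state in the prose that c0.c1023 is the unseparated example. The change of user and role from unconfined_u:unconfined_r to system_u:system_r does match `role system_r types { lxc_t lxc_file_t };` in lxc.te, so that part is consistent.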
> > --
> > 1.9.3
> >
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel