[lxc-devel] [PATCH v2] provide an example SELinux policy for older releases
Serge Hallyn
serge.hallyn at ubuntu.com
Fri Jul 25 02:53:08 UTC 2014
Quoting Dwight Engen (dwight.engen at oracle.com):
> The virtd_lxc_t type provided by the default RHEL/CentOS/Oracle 6.5
> policy is an unconfined_domain(), so it doesn't really enforce anything.
> This change will provide a link in the documentation to an example
> policy that does confine containers.
>
> On more recent distributions with new enough policy, it is recommended
> not to use this sample policy, but to use the types already available
> on the system from /etc/selinux/targeted/contexts/lxc_contexts, i.e.:
>
> process = "system_u:system_r:svirt_lxc_net_t:s0"
> file = "system_u:object_r:svirt_sandbox_file_t:s0"
>
> Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
Naturally my
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
stands :)
Same warning as before, debian/lxc.install will need an update in ppa
to stop the package build from breaking.
> ---
> v2: remove lxc_t lxc_file_t from gen_require()
>
> config/Makefile.am | 2 +-
> config/selinux/Makefile.am | 8 ++++
> config/selinux/lxc.if | 1 +
> config/selinux/lxc.te | 88 ++++++++++++++++++++++++++++++++++++++++++
> configure.ac | 1 +
> doc/lxc.container.conf.sgml.in | 4 +-
> 6 files changed, 102 insertions(+), 2 deletions(-)
> create mode 100644 config/selinux/Makefile.am
> create mode 100644 config/selinux/lxc.if
> create mode 100644 config/selinux/lxc.te
>
> diff --git a/config/Makefile.am b/config/Makefile.am
> index e40f842..37fd24b 100644
> --- a/config/Makefile.am
> +++ b/config/Makefile.am
> @@ -1 +1 @@
> -SUBDIRS = apparmor bash etc init templates yum
> +SUBDIRS = apparmor bash etc init selinux templates yum
> diff --git a/config/selinux/Makefile.am b/config/selinux/Makefile.am
> new file mode 100644
> index 0000000..9a2b21c
> --- /dev/null
> +++ b/config/selinux/Makefile.am
> @@ -0,0 +1,8 @@
> +selinuxdir=@DATADIR@/lxc/selinux
> +
> +EXTRA_DIST = \
> + lxc.if lxc.te
> +
> +selinux_DATA = \
> + lxc.if \
> + lxc.te
> diff --git a/config/selinux/lxc.if b/config/selinux/lxc.if
> new file mode 100644
> index 0000000..3f8f995
> --- /dev/null
> +++ b/config/selinux/lxc.if
> @@ -0,0 +1 @@
> +## <summary>Policy for LXC containers</summary>
> diff --git a/config/selinux/lxc.te b/config/selinux/lxc.te
> new file mode 100644
> index 0000000..fe90871
> --- /dev/null
> +++ b/config/selinux/lxc.te
> @@ -0,0 +1,88 @@
> +#
> +# SELinux policy for LXC for RHEL/CentOS/Oracle 6.5.
> +# It attempts to restrict the container to the same amount of access
> +# as an unprivileged user. To build and insert this policy module:
> +#
> +# make -f /usr/share/selinux/devel/Makefile lxc.pp
> +# semodule -i lxc.pp
> +#
> +# In your container's lxc config:
> +# lxc.se_context = system_u:system_r:lxc_t:s0:c62,c86,c150,c228
> +#
> +# Ensure your container's rootfs files are labeled:
> +# chcon -R system_u:object_r:lxc_file_t:s0:c62,c86,c150,c228 /path/to/rootfs
> +#
> +# To keep containers separated from each other, you should vary the MCS
> +# portion of the contexts above to be a unique set of values for each
> +# container, each MCS compartment can be a number from 0-1023.
> +#
> +
> +policy_module(lxc,0.35)
> +
> +userdom_unpriv_user_template(lxc)
> +
> +type lxc_file_t;
> +files_type(lxc_file_t);
> +role system_r types { lxc_t lxc_file_t };
> +
> +gen_require(`
> + type devpts_t;
> + type proc_t;
> + type ssh_port_t;
> + type sysctl_kernel_t;
> + type sysctl_modprobe_t;
> + type sysctl_net_t;
> + type tmpfs_t;
> + type unconfined_t;
> + class filesystem { relabelfrom unmount };
> + class tcp_socket name_bind;
> + class udp_socket name_bind;
> +');
> +
> +# So lxc can transition to lxc_t on exec
> +allow unconfined_t lxc_t:process transition;
> +can_exec(lxc_t, lxc_file_t)
> +
> +# So lxc can dyntransition to lxc_t for attach executing a function
> +allow unconfined_t lxc_t:process dyntransition;
> +
> +# So lxc-start can relabel the pty allocated for the console
> +allow lxc_file_t devpts_t:filesystem associate;
> +
> +# So container can mount /dev/shm and relabel it
> +allow lxc_t tmpfs_t:filesystem relabelfrom;
> +
> +# Allow all access to an lxc_file_t type; devices can be restricted
> +# with the device cgroup, they are not here
> +allow lxc_t lxc_file_t:file *;
> +allow lxc_t lxc_file_t:lnk_file *;
> +allow lxc_t lxc_file_t:chr_file *;
> +allow lxc_t lxc_file_t:blk_file *;
> +allow lxc_t lxc_file_t:sock_file *;
> +allow lxc_t lxc_file_t:fifo_file *;
> +allow lxc_t lxc_file_t:socket *;
> +allow lxc_t lxc_file_t:dir *;
> +allow lxc_t lxc_file_t:filesystem unmount;
> +
> +fs_unmount_all_fs(lxc_t)
> +
> +allow lxc_t proc_t:dir mounton;
> +allow lxc_t proc_t:filesystem mount;
> +
> +allow lxc_t tmpfs_t:filesystem mount;
> +allow lxc_t self:capability { dac_override dac_read_search fsetid ipc_lock net_admin net_bind_service net_broadcast net_raw sys_admin sys_boot sys_tty_config };
> +
> +allow lxc_t sysctl_net_t:file write;
> +allow lxc_t ssh_port_t:tcp_socket name_bind;
> +
> +corenet_tcp_connect_all_ports(lxc_t)
> +corenet_tcp_bind_all_ports(lxc_t)
> +corenet_udp_bind_all_ports(lxc_t)
> +
> +# Needed for ifup/ip/dhcp
> +allow lxc_t self:packet_socket create_socket_perms;
> +allow lxc_t self:rawip_socket create_socket_perms;
> +allow lxc_t self:netlink_route_socket create_netlink_socket_perms;
> +
> +dontaudit lxc_t sysctl_kernel_t:file write;
> +dontaudit lxc_t sysctl_modprobe_t:file write;
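Review bot: The header comment `# It attempts to restrict the container to the same amount of access as an unprivileged user.` overstates the confinement, because the `allow lxc_t self:capability { ... }` line grants dac_override, dac_read_search, net_admin, sys_admin and sys_boot, and `fs_unmount_all_fs(lxc_t)` together with `corenet_tcp_bind_all_ports`/`corenet_udp_bind_all_ports` go well beyond what an unprivileged user may do. I would reword it to `# It confines the container to lxc_file_t-labeled files within its own MCS categories, but still grants broad capabilities (sys_admin, net_admin, sys_boot, dac_override) that the container's cgroup and namespace setup must be relied on to limit.` A short why-comment on the capability line naming which container operations need sys_admin and sys_boot would help readers trim the set for their own deployments. The `role system_r types { lxc_t lxc_file_t };` statement also appears to associate a file type with a role; if lxc_file_t is never used as a process domain it can probably be dropped from that set, though I have not checked how the policy compiler treats it.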
> diff --git a/configure.ac b/configure.ac
> index a289162..b88a97e 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -584,6 +584,7 @@ AC_CONFIG_FILES([
>
> config/Makefile
> config/apparmor/Makefile
> + config/selinux/Makefile
> config/bash/Makefile
> config/bash/lxc
> config/init/Makefile
> diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
> index 4f8e4e9..01cda62 100644
> --- a/doc/lxc.container.conf.sgml.in
> +++ b/doc/lxc.container.conf.sgml.in
> @@ -1055,6 +1055,8 @@ proc proc proc nodev,noexec,nosuid 0 0
> container should be run can be specified in the container
> configuration. The default is <command>unconfined_t</command>,
> which means that lxc will not attempt to change contexts.
> + See @DATADIR@/lxc/selinux/lxc.te for an example policy and more
> + information.
> </para>
> <variablelist>
> <varlistentry>
> @@ -1066,7 +1068,7 @@ proc proc proc nodev,noexec,nosuid 0 0
> Specify the SELinux context under which the container should
> be run or <command>unconfined_t</command>. For example
> </para>
> - <programlisting>lxc.se_context = unconfined_u:unconfined_r:lxc_t:s0-s0:c0.c1023</programlisting>
> + <programlisting>lxc.se_context = system_u:system_r:lxc_t:s0:c22</programlisting>
> </listitem>
> </varlistentry>
> </variablelist>
> --
> 1.9.3
>
>