search

containers / udica

This repository contains a tool for generating SELinux security profiles for containers
GNU General Public License v3.0
479 stars 47 forks source link

Add allow rules for container_runtime_t to base_container.cil #20

Closed janzarsky closed 5 years ago

janzarsky commented 5 years ago

Podman version 1.2.0 requires new allow rules.

Fixes: type=AVC msg=audit(1556617434.540:447): avc: denied { create } for pid=4692 comm="runc:[2:INIT]" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:my_container.process:s0:c157,c366 tclass=key permissive=1 type=AVC msg=audit(1556617434.541:448): avc: denied { search } for pid=4692 comm="runc:[2:INIT]" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:my_container.process:s0:c157,c366 tclass=key permissive=1 type=AVC msg=audit(1556617434.541:449): avc: denied { view } for pid=4692 comm="runc:[2:INIT]" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:my_container.process:s0:c157,c366 tclass=key permissive=1 type=AVC msg=audit(1556617434.541:450): avc: denied { setattr } for pid=4692 comm="runc:[2:INIT]" scontext=unconfined_u:system_r:container_runtime_t:s0 tcontext=system_u:system_r:my_container.process:s0:c157,c366 tclass=key permissive=1

wrabcak commented 5 years ago

LGTM.