containers / udica

This repository contains a tool for generating SELinux security profiles for containers
GNU General Public License v3.0

Improve permission set for log_container template #44

Closed JAORMX closed 5 years ago

JAORMX commented 5 years ago

For the log_rw_container it wasn't possible to create new files, which is something that's normally required. So we're adding this capability, while still not allowing that container to rename that directory or remove files from it as a security measure.

The audit_log_t file was also modified to be more restrictive for the log_rw_container block, so we only allow reads now. However, the write capability was left for the log_manage_container block.

JAORMX commented 5 years ago

@wrabcak what do you think about the comment?

wrabcak commented 5 years ago

Hi @JAORMX, the best would be to allow the caller domain to also read/write directories labeled as var_log_t (and the var_log_t label is part of the logfile attribute). So we don't need line 20 at all, and please change line 5 to the following line: "(allow process logfile (dir (ioctl read write getattr lock search open)))"

Thanks! Lukas.
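A small linter for the property discussed in this thread (the log_rw_container block may create and write log files but not remove or rename them, and may only read the audit log), as an added example that is not part of the PR or of udica. The forbidden-permission sets, the sample block and the function names are assumptions of this example, and it checks only plain `(allow src tgt (class (perms)))` rules.

```python
import re

# Example policy derived from the PR description; the exact sets are assumptions.
DESTRUCTIVE = {"dir": {"rename", "rmdir", "remove_name", "reparent", "all"},
               "file": {"unlink", "rename", "all"}}
AUDIT_TYPE = "audit_log_t"  # type name as written in the thread
AUDIT_WRITE = {"write", "append", "create", "setattr", "unlink", "rename", "all"}
# Constructed sample: only the dir rule is quoted from the review comment.
SAMPLE = """(block log_rw_container
    (allow process logfile (dir (ioctl read write getattr lock search open)))
    (allow process logfile (file (ioctl read write create getattr lock append open)))
    (allow process audit_log_t (file (ioctl read write getattr lock open))) ; too broad
)"""

def parse_sexpr(text):
    """Parse CIL text into nested lists; ';' starts a comment."""
    stack = [[]]
    for tok in re.findall(r"[()]|[^\s()]+", re.sub(r";[^\n]*", "", text)):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            stack[-2].append(stack.pop())
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def lint_block(cil_text, block_name):
    """Return (target, class, offending perms) for each over-broad allow rule."""
    findings = []
    for node in parse_sexpr(cil_text):
        if not isinstance(node, list) or node[:2] != ["block", block_name]:
            continue
        for rule in node[2:]:
            if not (isinstance(rule, list) and len(rule) == 4 and rule[0] == "allow"
                    and isinstance(rule[3], list) and len(rule[3]) == 2
                    and isinstance(rule[3][0], str) and isinstance(rule[3][1], list)):
                continue  # named permission sets and expressions are not evaluated
            target, (cls, perms) = rule[2], rule[3]
            granted = {p for p in perms if isinstance(p, str)}
            bad = granted & DESTRUCTIVE.get(cls, set())
            if target == AUDIT_TYPE:
                bad |= granted & AUDIT_WRITE
            if bad:
                findings.append((target, cls, sorted(bad)))
    return findings
```

Calling `lint_block(SAMPLE, "log_rw_container")` flags the constructed audit log rule because it grants `write`; the directory rule quoted in the review comment passes.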

wrabcak commented 5 years ago

Cirrus CI is failing, but it looks like an issue unrelated to this PR. Merging.

Thanks, Lukas.