We are now seeing breakage on entrypoint. If I have a less confined domain and I want to allow unconfined_t to transition to it, the compiler and the kernel eliminate entrypoint calls.

unconfined_typebounds(svirt_lxc_net_t)

causes thousands of these errors:

(allow svirt_lxc_net_t ccs_exec_t (file (entrypoint)))
<See previous>
(allow svirt_lxc_net_t canna_initrc_exec_t (file (entrypoint)))
<See previous>
(allow svirt_lxc_net_t canna_exec_t (file (entrypoint)))
<See previous>
(allow svirt_lxc_net_t callweaver_initrc_exec_t (file (entrypoint)))
<See previous>
(allow svirt_lxc_net_t callweaver_exec_t (file (entrypoint)))
<See previous>
(allow svirt_lxc_net_t calamaris_exec_t (file (entrypoint)))
<See previous>
(allow svirt_lxc_net_t cachefilesd_exec_t (file (entrypoint)))
<See previous>
(allow svirt_lxc_net_t bumblebee_exec_t (file (entrypoint)))
<See previous>

Since svirt_lxc_net_t can be entered via an exec_type, but unconfined_t cannot.

I think this access should be treated like a target also, i.e. ignored. I don't want to have to allow unconfined_t or docker_t to be able to be entered by all of the domains that svirt_lxc_net_t could be entered from.

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
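
The bounds failure described in the message above, as an added example that is not part of the original post and is not the libsepol or kernel implementation: a simplified source-side typebounds check over CIL allow rules, with an option that models the requested behaviour of ignoring entrypoint. It assumes unconfined_typebounds(svirt_lxc_net_t) expands to a typebounds statement with unconfined_t as parent; the unconfined_t and etc_t rules are constructed.

```python
import re

# Constructed sample policy in CIL syntax. The svirt_lxc_net_t entrypoint rules
# are taken from the post; the typebounds line and the etc_t rules are assumptions.
RULES = """
(typebounds unconfined_t svirt_lxc_net_t)
(allow unconfined_t etc_t (file (read open getattr)))
(allow svirt_lxc_net_t etc_t (file (read open)))
(allow svirt_lxc_net_t ccs_exec_t (file (entrypoint)))
(allow svirt_lxc_net_t canna_exec_t (file (entrypoint)))
"""

ALLOW = re.compile(r"\(allow (\S+) (\S+) \((\S+) \(([^)]*)\)\)\)")
BOUNDS = re.compile(r"\(typebounds (\S+) (\S+)\)")


def parse(text):
    """Return ({child: parent}, {(source, target, class): {perms}})."""
    bounds = {child: parent for parent, child in BOUNDS.findall(text)}
    allowed = {}
    for src, tgt, cls, perms in ALLOW.findall(text):
        allowed.setdefault((src, tgt, cls), set()).update(perms.split())
    return bounds, allowed


def bounds_violations(text, ignore_perms=frozenset()):
    """Simplified model: each permission granted to a bounded (child) source
    type must also be granted to its parent on the same target and class.
    Permissions in ignore_perms are skipped, as the post proposes for entrypoint."""
    bounds, allowed = parse(text)
    violations = []
    for (src, tgt, cls), perms in sorted(allowed.items()):
        parent = bounds.get(src)
        if parent is None:
            continue  # source type is not bounded, nothing to check
        extra = perms - allowed.get((parent, tgt, cls), set()) - set(ignore_perms)
        if extra:
            violations.append((src, tgt, cls, sorted(extra)))
    return violations


if __name__ == "__main__":
    for v in bounds_violations(RULES):
        print("bounds violation:", v)
    print("ignoring entrypoint:", bounds_violations(RULES, {"entrypoint"}))
```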