Re: More problems with bounds checking.

Lukas Vrabec informs me that there is a new allow rule, nnp_transition:

allow container_runtime_t spc_t:process2 nnp_transition;

Which allows me to get rid of all of the typebounds cruft.  Very nice. And it will be supported in the RHEL 7.5 release.


On 01/09/2018 10:45 AM, Daniel Walsh wrote:
On 01/09/2018 10:40 AM, Stephen Smalley wrote:
On Tue, 2018-01-09 at 10:19 -0500, Daniel Walsh wrote:
For some reason semodule will not allow me to install container.pp. I am trying to have type bounds from container_runtime_t to spc_t to container_t.
Any reason this isn't on list?
Nope bad habit. I will send this to the list.
BTW, if you apply my "Generalize support for NNP/nosuid SELinux domain
transitions" kernel patch (or use a kernel that includes it, >= 4.14)
and enable the nnp_nosuid_transition policy capability, you shouldn't
have to use type bounds at all anymore.

I start with no type bounds.

# seinfo --typebounds

Typebounds: 0

During the install it tells me spc_t is already bound by a parent, no clue what parent.  And the cil file does not exist when the command completes.
Yes, that's a real pain.  To work around it, I will often run
/usr/libexec/selinux/hll/pp on the pp file to generate the cil file so
I can look at the line numbers reported, a la:
/usr/libexec/selinux/hll/pp container.pp container.cil
vi container.cil

# semodule -X 400 -i container.pp
Type spc_t already bound by parent at
/var/lib/selinux/targeted/tmp/modules/400/container/cil:35
Bad bounds statement at
/var/lib/selinux/targeted/tmp/modules/400/container/cil:1583
semodule:  Failed!


I have only the two commands added.

# grep typebounds container.te
# Added to make typebounds check work.
# typebounds container_runtime_exec_t exec_type;
# typebounds container_runtime_exec_t mountpoint;
#    unconfined_typebounds(container_runtime_t)
typebounds container_runtime_t spc_t;
typebounds spc_t container_t;

This is what is generated in the tmp file.

# grep typebounds.* tmp/container.tmp
      # unconfined_exec_typebounds(container_runtime_exec_t)
      #    unconfined_exec_typebounds(container_auth_exec_t)
# Added to make typebounds check work.
# typebounds container_runtime_exec_t exec_type;
# typebounds container_runtime_exec_t mountpoint;
#    unconfined_typebounds(container_runtime_t)
typebounds container_runtime_t spc_t;
typebounds spc_t container_t;
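As an added example that is not part of this thread, here is a small Python pre-check for the "Type spc_t already bound by parent" failure that the semodule run above reports. SELinux permits at most one bounding parent per type, and the bounds relation must not form a cycle; the checker extracts the uncommented typebounds statements from policy source text (the same way the grep above distinguishes live statements from commented ones), flags a child that two different parents bound, flags cycles, and prints the bounds chain. The input strings, including the conflicting other_parent_t line and the a_t/b_t cycle, are constructed for the example and say nothing about what the unconfined_typebounds macro actually expands to.

```python
"""Added example (not from the thread): pre-check typebounds statements in
policy source for the 'Type X already bound by parent' condition that
semodule reported above. SELinux allows a type to have at most one bounding
parent, and the bounds relation must not form a cycle."""
import re
from typing import Dict, List, Tuple

# Matches an uncommented "typebounds <parent> <child>;" statement.
TYPEBOUNDS_RE = re.compile(r"^\s*typebounds\s+(\S+)\s+(\S+)\s*;")

# Constructed input mirroring the two statements from container.te above,
# plus the commented-out lines that the grep output shows.
GOOD_TE = """\
# Added to make typebounds check work.
# typebounds container_runtime_exec_t exec_type;
#    unconfined_typebounds(container_runtime_t)
typebounds container_runtime_t spc_t;
typebounds spc_t container_t;
"""

# Constructed: a second parent for spc_t (other_parent_t is a made-up type)
# reproduces the condition behind "Type spc_t already bound by parent".
CONFLICT_TE = GOOD_TE + "typebounds other_parent_t spc_t;  # constructed\n"

# Constructed: two made-up types bounding each other.
CYCLE_TE = "typebounds a_t b_t;\ntypebounds b_t a_t;\n"


def parse_typebounds(text: str) -> List[Tuple[str, str]]:
    """Return (parent, child) pairs from uncommented typebounds statements."""
    pairs = []
    for line in text.splitlines():
        code = line.split("#", 1)[0]  # drop full-line and trailing comments
        m = TYPEBOUNDS_RE.match(code)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def check_bounds(pairs: List[Tuple[str, str]]) -> Tuple[Dict[str, str], List[str]]:
    """Build the child -> parent map and return it with a list of errors."""
    parent_of: Dict[str, str] = {}
    errors: List[str] = []
    for parent, child in pairs:
        if parent == child:
            errors.append(f"Type {child} bounds itself")
            continue
        prev = parent_of.get(child)
        if prev is not None and prev != parent:
            errors.append(
                f"Type {child} already bound by parent {prev} "
                f"(second bounds statement names {parent})"
            )
            continue
        parent_of[child] = parent

    # Cycle check: walk up from every bounded type; report each cycle once.
    reported = set()
    for start in parent_of:
        seen = {start}
        cur = parent_of.get(start)
        while cur is not None and cur not in seen:
            seen.add(cur)
            cur = parent_of.get(cur)
        if cur is None:
            continue  # reached a type with no parent: the chain terminates
        members = [cur]  # cur was revisited, so it lies on a cycle
        nxt = parent_of[cur]
        while nxt != cur:
            members.append(nxt)
            nxt = parent_of[nxt]
        key = frozenset(members)
        if key not in reported:
            reported.add(key)
            errors.append("Bounds cycle: " + " -> ".join(members + [cur]))
    return parent_of, errors


def bounds_chain(parent_of: Dict[str, str], t: str) -> List[str]:
    """Chain from t up to its outermost bounding type (stops on a cycle)."""
    chain = [t]
    while t in parent_of and parent_of[t] not in chain:
        t = parent_of[t]
        chain.append(t)
    return chain


if __name__ == "__main__":
    for name, src in (("good", GOOD_TE), ("conflict", CONFLICT_TE), ("cycle", CYCLE_TE)):
        parent_of, errors = check_bounds(parse_typebounds(src))
        print(name, "chain for container_t:",
              " <- ".join(bounds_chain(parent_of, "container_t")))
        for e in errors:
            print(name, "ERROR:", e)
```

Running the checker over container.te before semodule gives the offending statement in source terms; it does not see bounds that other already-installed modules contribute, which is why the real error on the page named a parent this file never mentions, and the pp-to-cil conversion above remains the way to find that one.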