From d6dfcc6f4f8410aa6dd9c4cb86b9ef2d672e361d Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 14 Jun 2023 16:12:01 -0400
Subject: [PATCH] Add boolean to allow containers to read all cert files

Certain users want to volume mount /etc/pki and friends into a container but still run locked down.

Signed-off-by: Daniel J Walsh
---
 container.te | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/container.te b/container.te
index 5f37405..6d0cf01 100644
--- a/container.te
+++ b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.218.0)
+policy_module(container, 2.219.0)
 
 gen_require(`
 class passwd rootok;
@@ -17,6 +17,13 @@ gen_require(`
 ##
 gen_tunable(container_connect_any, false)
 
+##
+##

+## Allow all container domains to read cert files and directories
+##

+##
+gen_tunable(container_read_certs, false)
+
 ##
 ##

## Determine whether sshd can launch container engines
@@ -606,6 +613,10 @@ tunable_policy(`container_use_cephfs',`
 allow container_domain cephfs_t:file execmod;
 ')
 
+tunable_policy(`container_read_certs',`
+ miscfiles_read_all_certs(container_domain)
+')
+
 gen_require(`
 type ecryptfs_t;
 ')
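Review bot: `miscfiles_read_all_certs(container_domain)` in the new tunable_policy block is broader than the /etc/pki use case in the commit message suggests: if this tree's miscfiles_read_all_certs follows the refpolicy definition, it grants read on every type carrying the cert_type attribute, which in some policies includes per-service certificate directories that also hold private keys, not only the generic cert_t under /etc/pki. If the intent is the generic system certificates only, `miscfiles_read_generic_certs(container_domain)` would be the narrower call; if the wider grant is intended, the tunable description in the earlier hunk should say so, e.g. `## Allow all container domains to read every file and directory labeled with a cert type (cert_type attribute)`. I have not checked this tree's interface definition, so please confirm which call matches the scope the boolean is meant to expose.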