From 233e620d6d0e4dc357e58908a9e8abd6e9e94a94 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sat, 15 May 2021 06:28:23 -0400
Subject: [PATCH] Fix labeling in users homedir

With the advent of rootless overlay, we now need to label content in the users homedirectory correctly. This Patch will fix the homedir labeling.

Signed-off-by: Daniel J Walsh
---
 container.fc | 8 ++++++++
 container.if | 10 ++++++++++
 container.te | 3 ++-
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/container.fc b/container.fc
index d918a68..bff8175 100644
--- a/container.fc
+++ b/container.fc
@@ -62,6 +62,14 @@
 /var/lib/containerd/[^/]*/snapshots(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0)
+
 /var/lib/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/containers/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
diff --git a/container.if b/container.if
index 2bc8cd9..f878ad2 100644
--- a/container.if
+++ b/container.if
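Review bot: The `kata-containers` directory that the container.if hunk of this patch transitions to container_ro_file_t under data_home_t has no matching file-context line in this hunk, so a `restorecon` of the home directory would relabel `~/.local/share/containers/storage/kata-containers` back to the inherited context (presumably data_home_t, given the parent type the .if rules use) while runtime creation labels it container_ro_file_t — unless an entry for it exists elsewhere in container.fc outside this hunk. Adding `HOME_DIR/\.local/share/containers/storage/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)` next to the other storage entries keeps the two mechanisms in step. Note also that `storage` itself and `volumes` get no context here and inherit from their parent, which is exactly what the data_home_t transitions in container.if rely on; a one-line comment above these entries saying so would spare the next reader the hunt.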
@@ -497,6 +497,7 @@ interface(`container_filetrans_named_content',`
 type kubernetes_file_t;
 type container_runtime_tmpfs_t;
 type container_kvm_var_run_t;
+ type data_home_t;
 ')
 files_pid_filetrans($1, container_var_run_t, file, "container.pid")
@@ -532,9 +533,18 @@ interface(`container_filetrans_named_content',`
 filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2")
 filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2-images")
 filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2-layers")
+
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-images")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-layers")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-images")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-layers")
+
 filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "atomic")
 userdom_admin_home_dir_filetrans($1, container_home_t, dir, ".container")
 filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers")
+ filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "kata-containers")
 filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm")
 files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")
 ')
diff --git a/container.te b/container.te
index bf4353d..4433c3e 100644
--- a/container.te
+++ b/container.te
@@ -1,4 +1,5 @@
-policy_module(container, 2.162.0)
+policy_module(container, 2.162.1)
+
 gen_require(`
 class passwd rootok;
 ')
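Review bot: The new `filetrans_pattern($1, data_home_t, container_ro_file_t, dir, ...)` rules in the second hunk key on the parent type and the directory name only, so they fire for any directory named `overlay`, `overlay2`, `overlay-layers`, `overlay2-layers`, `overlay-images`, `overlay2-images` or `kata-containers` that $1 creates directly under any data_home_t directory, not only inside `containers/storage`; the .fc entries in this patch are path-scoped, so the two can disagree for such a directory elsewhere under the data_home_t tree. That is inherent to name-based transitions and is probably acceptable for a runtime domain, but it is worth stating, e.g. `# data_home_t is the parent of ~/.local/share/containers/storage; these match on name alone` above the new block. The `container_filetrans_named_content` interface body begins and ends outside this hunk.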