Update container-selinux.8 man page

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh 2024-04-25 07:49:24 -04:00 committed by Lokesh Mandvekar
parent 48558153fc
commit 4fda08e915
2 changed files with 30 additions and 97 deletions

View File

@ -1476,6 +1476,7 @@ optional_policy(`
unconfined_domain(kubelet_t) unconfined_domain(kubelet_t)
') ')
manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)
type kubelet_exec_t; type kubelet_exec_t;
application_executable_file(kubelet_exec_t) application_executable_file(kubelet_exec_t)
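Review bot: this hunk changes the policy source, not the man page, yet the commit message only says "Update container-selinux.8 man page"; `manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)` lets container_engine_t create, write and unlink character device nodes on FUSE filesystems, which is a new permission rather than a documentation fix, so either split it into its own commit or state in the message why the engine domain needs it. Note also that the new line sits after the `')` that closes the `optional_policy` block around the kubelet rules, so it applies unconditionally; confirm that placement is intended.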

View File

@ -1,4 +1,4 @@
.TH "container_selinux" "8" "22-12-13" "container" "SELinux Policy container" .TH "container_selinux" "8" "24-04-25" "container" "SELinux Policy container"
.SH "NAME" .SH "NAME"
container_selinux \- Security Enhanced Linux Policy for the container processes container_selinux \- Security Enhanced Linux Policy for the container processes
.SH "DESCRIPTION" .SH "DESCRIPTION"
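Review bot: the `.TH` date keeps the two-digit-year form (`24-04-25`, previously `22-12-13`), which the generator evidently emits; an ISO `2024-04-25` would be unambiguous in the rendered page if the template can be adjusted.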
@ -23,7 +23,7 @@ SELinux container policy is very flexible allowing users to setup their containe
The following process types are defined for container: The following process types are defined for container:
.EX .EX
.B container_runtime_t, container_auth_t, container_userns_t, container_logreader_t, container_logwriter_t, container_kvm_t, container_init_t, container_engine_t, container_device_t, container_device_plugin_t, container_device_plugin_init_t, container_t .B container_runtime_t, container_auth_t, container_userns_t, container_logreader_t, container_logwriter_t, container_kvm_t, container_init_t, container_engine_t, container_device_t, container_device_plugin_t, container_device_plugin_init_t, container_user_t, container_t
.EE .EE
.PP .PP
Note: Note:
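Review bot: container_user_t is added to the process-type list, and the SEE ALSO hunk adds container_user_selinux(8); make sure the regenerated page set actually ships that new man page, otherwise the cross-reference dangles.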
@ -102,6 +102,12 @@ The following port types are defined for container:
The SELinux process type container_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. The SELinux process type container_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
.br
.B bpf_t
/sys/fs/bpf
.br
.br .br
.B cifs_t .B cifs_t
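Review bot: the new bpf_t entry documents that container_t can manage files under /sys/fs/bpf, that is, pinned BPF maps and programs shared with the host; for a domain meant to confine containers that is a notable widening, so confirm it reflects the intended policy (and whether it is gated by a boolean) before publishing, and mention it in the commit message.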
@ -122,16 +128,26 @@ The SELinux process type container_t can manage files labeled with the following
/var/srv/containers(/.*)? /var/srv/containers(/.*)?
.br .br
/var/lib/containerd/[^/]*/snapshots(/.*)? /var/lib/containerd/[^/]*/snapshots(/.*)?
.br
/var/lib/kubelet/pods(/.*)?
.br .br
/var/lib/kubernetes/pods(/.*)? /var/lib/kubernetes/pods(/.*)?
.br
/opt/local-path-provisioner(/.*)?
.br
/var/local-path-provisioner(/.*)?
.br .br
/var/lib/containers/storage/volumes/[^/]*/.* /var/lib/containers/storage/volumes/[^/]*/.*
.br
/var/lib/kubelet/pod-resources/kubelet.sock
.br .br
/home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.* /home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.*
.br .br
/home/selinuxuser/\.local/share/containers/storage/volumes/[^/]*/.*
.br
.B ecryptfs_t
/home/[^/]+/\.Private(/.*)?
.br
/home/[^/]+/\.ecryptfs(/.*)?
.br .br
.br .br
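Review bot: the removed `/home/selinuxuser/\.local/share/containers/...` entry is a host-local semanage customization that leaked into the earlier generation, so dropping it is right; regenerate on a system without local fcontext modifications so it does not come back. The side-by-side rendering has lost the +/- markers, which makes it hard to tell that `/var/lib/kubelet/pods(/.*)?` is being removed here while `/var/lib/kubelet/pod-resources/kubelet.sock`, the local-path-provisioner paths and the ecryptfs_t entries are additions; the kubelet.sock addition in particular (container_t managing the kubelet pod-resources socket) deserves a sentence in the commit message.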
@ -141,9 +157,7 @@ The SELinux process type container_t can manage files labeled with the following
.br .br
.B fusefs_t .B fusefs_t
/var/run/user/[0-9]+/gvfs /run/user/[0-9]+/gvfs
.br
/var/run/user/4003/gvfs
.br .br
.br .br
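Review bot: `/var/run/user/4003/gvfs` was another host-specific entry (a concrete uid) that leaked into the earlier generation; dropping it and normalising `/var/run/user` to `/run/user` is consistent with the `/run` change in the later container runtime paths hunk.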
@ -154,38 +168,6 @@ The SELinux process type container_t can manage files labeled with the following
/usr/lib/udev/devices/hugepages /usr/lib/udev/devices/hugepages
.br .br
.br
.B initrc_tmp_t
.br
.B mnt_t
/mnt(/[^/]*)?
.br
/mnt(/[^/]*)?
.br
/rhev(/[^/]*)?
.br
/rhev/[^/]*/.*
.br
/media(/[^/]*)?
.br
/media(/[^/]*)?
.br
/media/\.hal-.*
.br
/var/run/media(/[^/]*)?
.br
/afs
.br
/net
.br
/misc
.br
/rhev
.br
.br .br
.B nfs_t .B nfs_t
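Review bot: this hunk drops initrc_tmp_t and the entire mnt_t list (/mnt, /media, /rhev, /afs, /net, /misc, /var/run/media) from the types container_t can manage. If the policy no longer grants that, it is a behavioural change users will notice (bind mounts from /mnt or /media) and should be named in the commit message; if the policy still grants it, the regenerated page is now incomplete. Either way a "man page update" message does not cover it.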
@ -209,40 +191,6 @@ The SELinux process type container_t can manage files labeled with the following
.br .br
/home/[^/]+/\.local/share/gnome-boxes/images(/.*)? /home/[^/]+/\.local/share/gnome-boxes/images(/.*)?
.br .br
/home/selinuxuser/\.libvirt/qemu(/.*)?
.br
/home/selinuxuser/\.cache/libvirt/qemu(/.*)?
.br
/home/selinuxuser/\.config/libvirt/qemu(/.*)?
.br
/home/selinuxuser/\.local/share/libvirt/boot(/.*)?
.br
/home/selinuxuser/\.local/share/libvirt/images(/.*)?
.br
/home/selinuxuser/\.local/share/gnome-boxes/images(/.*)?
.br
.br
.B tmp_t
/sandbox(/.*)?
.br
/tmp
.br
/usr/tmp
.br
/var/tmp
.br
/var/tmp
.br
/tmp-inst
.br
/var/tmp-inst
.br
/var/tmp/tmp-inst
.br
/var/tmp/vi\.recover
.br
.SH FILE CONTEXTS .SH FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type. SELinux requires files to have an extended attribute to define the file type.
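Review bot: besides the leaked `/home/selinuxuser/...` libvirt entries, this hunk removes tmp_t (/tmp, /var/tmp, /tmp-inst, /var/tmp/vi\.recover, ...) from the file types container_t can manage; same question as for mnt_t above: is this a policy change or a generator difference? Please state which in the commit message.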
@ -312,29 +260,13 @@ container policy stores data with multiple different file context types under th
.B restorecon -R -v /srv/ocid .B restorecon -R -v /srv/ocid
.PP .PP
.PP
container policy stores data with multiple different file context types under the /var/run/containerd directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command:
.PP
.B semanage fcontext -a -e /var/run/containerd /srv/containerd
.br
.B restorecon -R -v /srv/containerd
.PP
.PP
container policy stores data with multiple different file context types under the /var/run/docker directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command:
.PP
.B semanage fcontext -a -e /var/run/docker /srv/docker
.br
.B restorecon -R -v /srv/docker
.PP
.PP .PP
.B STANDARD FILE CONTEXT .B STANDARD FILE CONTEXT
SELinux defines the file context types for the container, if you wanted to SELinux defines the file context types for the container, if you wanted to
store files with these types in a different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk. store files with these types in a different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.
.B semanage fcontext -a -t container_ro_file_t '/srv/mycontainer_content(/.*)?' .B semanage fcontext -a -t container_var_lib_t '/srv/container/content(/.*)?'
.br .br
.B restorecon -R -v /srv/mycontainer_content .B restorecon -R -v /srv/mycontainer_content
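Review bot: the STANDARD FILE CONTEXT example is now inconsistent: the semanage line labels `/srv/container/content(/.*)?` as container_var_lib_t, but the restorecon line below it still relabels `/srv/mycontainer_content`, so following the example as written relabels nothing; change it to `restorecon -R -v /srv/container/content`. Also, the equivalence-mapping examples for /var/run/containerd and /var/run/docker are deleted rather than updated; since the later hunk moves those runtime paths from /var/run to /run, restoring them as `semanage fcontext -a -e /run/containerd /srv/containerd` (and likewise for docker) would keep that guidance current.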
@ -377,7 +309,7 @@ Paths:
.br .br
.TP 5 .TP 5
Paths: Paths:
/srv/containers(/.*)?, /var/lib/origin(/.*)?, /var/lib/rkt/cas(/.*)?, /var/lib/nerdctl/[^/]*/volumes(/.*)?, /var/lib/buildkit/[^/]*/snapshots(/.*)?, /var/srv/containers(/.*)?, /var/lib/containerd/[^/]*/snapshots(/.*)?, /var/lib/kubelet/pods(/.*)?, /var/lib/kubernetes/pods(/.*)?, /var/lib/containers/storage/volumes/[^/]*/.*, /home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.*, /home/selinuxuser/\.local/share/containers/storage/volumes/[^/]*/.* /srv/containers(/.*)?, /var/lib/origin(/.*)?, /var/lib/rkt/cas(/.*)?, /var/lib/nerdctl/[^/]*/volumes(/.*)?, /var/lib/buildkit/[^/]*/snapshots(/.*)?, /var/srv/containers(/.*)?, /var/lib/containerd/[^/]*/snapshots(/.*)?, /var/lib/kubernetes/pods(/.*)?, /opt/local-path-provisioner(/.*)?, /var/local-path-provisioner(/.*)?, /var/lib/containers/storage/volumes/[^/]*/.*, /var/lib/kubelet/pod-resources/kubelet.sock, /home/[^/]+/\.local/share/containers/storage/volumes/[^/]*/.*
.EX .EX
.PP .PP
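Review bot: `/var/lib/kubelet/pods(/.*)?` disappears from this Paths list while `/var/lib/kubelet/pod-resources/kubelet.sock` is added; if the removal is intentional (the pods directory now matched by a broader rule under another type), say so in the commit message, because it changes the label kubelet pod volume directories receive and therefore what containers may write to.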
@ -433,7 +365,7 @@ Paths:
.br .br
.TP 5 .TP 5
Paths: Paths:
/var/lib/nerdctl(/.*)?, /var/lib/docker/.*/config\.env, /var/lib/docker/init(/.*)?, /var/lib/containerd/[^/]*/sandboxes(/.*)?, /var/lib/docker/overlay(/.*)?, /var/lib/ocid/sandboxes(/.*)?, /var/lib/docker-latest/.*/config\.env, /var/lib/buildkit/runc-.*/executor(/.*?), /var/lib/docker/overlay2(/.*)?, /var/lib/kata-containers(/.*)?, /var/cache/kata-containers(/.*)?, /var/lib/containers/overlay(/.*)?, /var/lib/docker-latest/init(/.*)?, /var/lib/docker/containers/.*/hosts, /var/lib/docker/containers/.*/hostname, /var/lib/containers/overlay2(/.*)?, /var/lib/buildkit/containerd-.*(/.*?), /var/lib/docker-latest/overlay(/.*)?, /var/lib/docker-latest/overlay2(/.*)?, /var/lib/containers/overlay-images(/.*)?, /var/lib/containers/overlay-layers(/.*)?, /var/lib/docker-latest/containers/.*/hosts, /var/lib/docker-latest/containers/.*/hostname, /var/lib/containers/overlay2-images(/.*)?, /var/lib/containers/overlay2-layers(/.*)?, /var/lib/containers/storage/overlay(/.*)?, /var/lib/containers/storage/overlay2(/.*)?, /var/lib/containers/storage/overlay-images(/.*)?, /var/lib/containers/storage/overlay-layers(/.*)?, /var/lib/containers/storage/overlay2-images(/.*)?, /var/lib/containers/storage/overlay2-layers(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-layers(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-layers(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay2(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay-images(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay-layers(/.*)?, /home/selinuxuser/\.local/share/containers/storage/overlay2-images(/.*)?, 
/home/selinuxuser/\.local/share/containers/storage/overlay2-layers(/.*)? /var/lib/shared(/.*)?, /var/lib/nerdctl(/.*)?, /var/lib/docker/.*/config\.env, /var/lib/docker/init(/.*)?, /var/lib/containerd/[^/]*/sandboxes(/.*)?, /var/lib/docker/overlay(/.*)?, /var/lib/ocid/sandboxes(/.*)?, /var/lib/docker-latest/.*/config\.env, /var/lib/buildkit/runc-.*/executor(/.*?), /var/lib/docker/overlay2(/.*)?, /var/lib/kata-containers(/.*)?, /var/cache/kata-containers(/.*)?, /var/lib/containers/overlay(/.*)?, /var/lib/docker-latest/init(/.*)?, /var/lib/docker/containers/.*/hosts, /var/lib/docker/containers/.*/hostname, /var/lib/containers/overlay2(/.*)?, /var/lib/buildkit/containerd-.*(/.*?), /var/lib/docker-latest/overlay(/.*)?, /var/lib/docker-latest/overlay2(/.*)?, /var/lib/containers/overlay-images(/.*)?, /var/lib/containers/overlay-layers(/.*)?, /var/lib/docker-latest/containers/.*/hosts, /var/lib/docker-latest/containers/.*/hostname, /var/lib/containers/overlay2-images(/.*)?, /var/lib/containers/overlay2-layers(/.*)?, /var/lib/containers/storage/overlay(/.*)?, /var/lib/containers/storage/overlay2(/.*)?, /var/lib/containers/storage/overlay-images(/.*)?, /var/lib/containers/storage/overlay-layers(/.*)?, /var/lib/containers/storage/overlay2-images(/.*)?, /var/lib/containers/storage/overlay2-layers(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay-layers(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-images(/.*)?, /home/[^/]+/\.local/share/containers/storage/overlay2-layers(/.*)?
.EX .EX
.PP .PP
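Review bot: the two buildkit entries `/var/lib/buildkit/runc-.*/executor(/.*?)` and `/var/lib/buildkit/containerd-.*(/.*?)` look like typos for `(/.*)?`: as written the group is mandatory and the `?` only makes `.*` non-greedy, so the directory itself (`.../executor` with no trailing component) never matches and gets no label. Pre-existing in both columns, but since this page is generated from the policy's file contexts the fix belongs there.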
@ -445,7 +377,7 @@ Paths:
.br .br
.TP 5 .TP 5
Paths: Paths:
/usr/s?bin/lxc, /usr/s?bin/lxd, /usr/s?bin/crun, /usr/s?bin/runc, /usr/s?bin/crio.*, /usr/s?bin/lxc-.*, /usr/s?bin/lxd-.*, /usr/s?bin/ocid.*, /usr/s?bin/docker.*, /usr/s?bin/fuidshift, /usr/s?bin/kata-agent, /usr/s?bin/buildkitd.*, /usr/s?bin/containerd.*, /usr/s?bin/buildkit-runc, /usr/s?bin/docker-latest, /usr/s?bin/docker-current, /usr/local/s?bin/crun, /usr/local/s?bin/runc, /usr/local/s?bin/crio.*, /usr/local/s?bin/docker.*, /usr/local/s?bin/kata-agent, /usr/local/s?bin/buildkitd.*, /usr/local/s?bin/containerd.*, /usr/local/s?bin/buildkit-runc, /usr/lib/docker/[^/]*plugin, /usr/libexec/lxc/.*, /usr/libexec/lxd/.*, /usr/bin/container[^/]*plugin, /usr/libexec/docker/.*, /usr/local/lib/docker/[^/]*plugin, /usr/libexec/docker/docker.*, /usr/local/libexec/docker/.*, /usr/local/libexec/docker/docker.*, /usr/bin/podman, /usr/local/bin/podman, /usr/bin/rhel-push-plugin, /usr/sbin/rhel-push-plugin /usr/s?bin/lxc, /usr/s?bin/lxd, /usr/s?bin/crun, /usr/s?bin/runc, /usr/s?bin/crio.*, /usr/s?bin/lxc-.*, /usr/s?bin/lxd-.*, /usr/s?bin/ocid.*, /usr/s?bin/buildah, /usr/s?bin/docker.*, /usr/s?bin/fuidshift, /usr/s?bin/kata-agent, /usr/s?bin/buildkitd.*, /usr/s?bin/containerd.*, /usr/s?bin/buildkit-runc, /usr/s?bin/docker-latest, /usr/s?bin/docker-current, /usr/local/s?bin/crun, /usr/local/s?bin/runc, /usr/local/s?bin/crio.*, /usr/local/s?bin/docker.*, /usr/local/s?bin/kata-agent, /usr/local/s?bin/buildkitd.*, /usr/local/s?bin/containerd.*, /usr/local/s?bin/buildkit-runc, /usr/lib/docker/[^/]*plugin, /usr/libexec/lxc/.*, /usr/libexec/lxd/.*, /usr/bin/container[^/]*plugin, /usr/libexec/docker/.*, /usr/local/lib/docker/[^/]*plugin, /usr/libexec/docker/docker.*, /usr/local/libexec/docker/.*, /usr/local/libexec/docker/docker.*, /usr/bin/podman, /usr/local/bin/podman, /usr/bin/rhel-push-plugin, /usr/sbin/rhel-push-plugin
.EX .EX
.PP .PP
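Review bot: `/usr/s?bin/buildah` is added to the executable list, but unlike crun, runc and crio there is no matching `/usr/local/s?bin/buildah` entry; add it for consistency so a locally installed buildah gets the same label.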
@ -485,7 +417,7 @@ Paths:
.br .br
.TP 5 .TP 5
Paths: Paths:
/exports(/.*)?, /var/lib/cni(/.*)?, /var/lib/lxc(/.*)?, /var/lib/lxd(/.*)?, /var/lib/ocid(/.*)?, /var/lib/docker(/.*)?, /var/lib/kubelet(/.*)?, /var/lib/buildkit(/.*)?, /var/lib/registry(/.*)?, /var/lib/containerd(/.*)?, /var/lib/containers(/.*)?, /var/lib/docker-latest(/.*)? /exports(/.*)?, /var/lib/cni(/.*)?, /var/lib/lxc(/.*)?, /var/lib/lxd(/.*)?, /var/lib/ocid(/.*)?, /var/lib/docker(/.*)?, /var/lib/kubelet(/.*)?, /var/lib/buildkit(/.*)?, /var/lib/registry(/.*)?, /var/lib/containerd(/.*)?, /var/lib/containers(/.*)?, /var/cache/containers(/.*)?, /var/lib/docker-latest(/.*)?
.EX .EX
.PP .PP
@ -497,7 +429,7 @@ Paths:
.br .br
.TP 5 .TP 5
Paths: Paths:
/var/run/crio(/.*)?, /var/run/docker(/.*)?, /var/run/flannel(/.*)?, /var/run/buildkit(/.*)?, /var/run/containerd(/.*)?, /var/run/containers(/.*)?, /var/run/docker-client(/.*)?, /var/run/docker\.pid, /var/run/docker\.sock /run/crio(/.*)?, /run/docker(/.*)?, /run/flannel(/.*)?, /run/buildkit(/.*)?, /run/containerd(/.*)?, /run/containers(/.*)?, /run/docker-client(/.*)?, /run/docker\.pid, /run/docker\.sock
.PP .PP
Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
@ -531,4 +463,4 @@ This manual page was auto-generated using
.B "sepolicy manpage". .B "sepolicy manpage".
.SH "SEE ALSO" .SH "SEE ALSO"
selinux(8), container(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), container_auth_selinux(8), container_auth_selinux(8), container_device_selinux(8), container_device_selinux(8), container_device_plugin_selinux(8), container_device_plugin_selinux(8), container_device_plugin_init_selinux(8), container_device_plugin_init_selinux(8), container_engine_selinux(8), container_engine_selinux(8), container_init_selinux(8), container_init_selinux(8), container_kvm_selinux(8), container_kvm_selinux(8), container_logreader_selinux(8), container_logreader_selinux(8), container_logwriter_selinux(8), container_logwriter_selinux(8), container_runtime_selinux(8), container_runtime_selinux(8), container_userns_selinux(8), container_userns_selinux(8) selinux(8), container(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), container_auth_selinux(8), container_auth_selinux(8), container_device_selinux(8), container_device_selinux(8), container_device_plugin_selinux(8), container_device_plugin_selinux(8), container_device_plugin_init_selinux(8), container_device_plugin_init_selinux(8), container_engine_selinux(8), container_engine_selinux(8), container_init_selinux(8), container_init_selinux(8), container_kvm_selinux(8), container_kvm_selinux(8), container_logreader_selinux(8), container_logreader_selinux(8), container_logwriter_selinux(8), container_logwriter_selinux(8), container_runtime_selinux(8), container_runtime_selinux(8), container_user_selinux(8), container_user_selinux(8), container_userns_selinux(8), container_userns_selinux(8)
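Review bot: every entry in SEE ALSO is emitted twice (container_auth_selinux(8), container_auth_selinux(8), ...), and the new container_user_selinux(8) inherits the duplication; this is a pre-existing generator quirk, but deduplicating the list here (or in the generator) would make the page read correctly.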