Commit Graph

7 Commits

Author SHA1 Message Date
Daniel J Walsh ae94810449
Bump to v2.236.0
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2025-03-12 06:53:54 -04:00
Daniel J Walsh 4fda08e915
Update container-selinux.8 man page
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2024-05-31 11:46:41 -04:00
Daniel J Walsh 2b77627e30
Fix spelling mistake in man pages
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-06-05 15:25:24 -04:00
Daniel J Walsh 24e5784852
Rearrange policy to allow other container types to be isolated
We want to run multiple podman instances on the same machine but
with different isolated types, and allow them to use
the same MCS Labels.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-12-13 15:47:26 -05:00
Akihiro Suda 8ca4b89b82
Support BuildKit (cont.)
PR 189 (6e07a445ca) was immaturely merged
and never worked with file write operations and DNS operations.

This commit includes the following fixes:

- Change the type of the `snapshots` directory from `container_ro_file_t` to `container_file_t`,
  as it is used as an upperdir as well as a lowerdir.

  OCI (runc) worker mode:
    lowerdir=/var/lib/buildkit/runc-overlayfs/snapshots/snapshots/3/fs
    upperdir=/var/lib/buildkit/runc-overlayfs/snapshots/snapshots/4/fs
    workdir=/var/lib/buildkit/runc-overlayfs/snapshots/snapshots/4/work

  containerd worker mode:
    lowerdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/3/fs
    upperdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4/fs
    workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4/work

- Add `files_var_lib_filetrans($1, container_var_lib_t, dir, "containerd")`
  to initialize `/var/lib/containerd` for containerd mode.

- Add `filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "executor")`
  for `/var/lib/buildkit/runc-<SNAPSHOTTER>/executor`.
  This directory contains `resolv.conf` and `hosts.<RANDOM>` for OCI (runc) worker mode.

- Add `filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-overlayfs")`
  for `/var/lib/buildkit/containerd-<SNAPSHOTTER>`.
  This directory contains `resolv.conf` and `hosts.<RANDOM>` for containerd worker mode.
  Unlike the `runc-<SNAPSHOTTER>` directory, this directory does not contain the "executor" directory inside it.

This commit is tested with both OCI (runc) worker mode and containerd worker mode,
using a simple Dockerfile like `RUN apk add neofetch`
on Fedora 36, BuildKit v0.10.5, runc v1.1.4, and containerd v1.6.8.

Fix issue 190.

Note that this still does not work with `RUN --mount=type=secret`, as the container processes with the `container_t` type
can't access the tmpfs mounts with the `container_runtime_tmpfs_t` on `/tmp/buildkit-secrets<RANDOM>`.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-10-20 14:10:37 +09:00
Akihiro Suda 6e07a445ca
Support BuildKit
Tested with BuildKit v0.10.5 on Fedora 36.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-10-19 18:57:39 +09:00
Daniel J Walsh ae0720d6ac
Add container_contexts file and man page to be shipped with policy
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-03-23 15:29:10 -04:00