From ba5598429cb8fa388d634794b94cb381675f251a Mon Sep 17 00:00:00 2001
From: Ian Pilcher
Date: Fri, 5 Dec 2025 14:57:11 -0600
Subject: [PATCH 1/3] Allow containers to access shared public content

Add 2 new booleans to enable access:
* container_read_public_content allows read-only access to files labeled as public_content_t or public_content_rw_t.
* container_manage_public_content allows full read, write, create, etc., access to files labeled as public_content_rw_t.
Fixes #406
Signed-off-by: Ian Pilcher
---
 container.te | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/container.te b/container.te
index 5dd3d02..a47929c 100644
--- a/container.te
+++ b/container.te
@@ -83,6 +83,22 @@ gen_tunable(container_use_cephfs, false)
 ##
 gen_tunable(container_use_ecryptfs, false)
 
+##
+##

+## Allow containers to read shared public files
+## (public_content_t & public_content_rw_t)
+##

+##
+gen_tunable(container_read_public_content, false)
+
+##
+##

+## Allow containers to read and write shared public
+## files (public_content_rw_t)
+##

+##
+gen_tunable(container_manage_public_content, false)
+
 attribute container_runtime_domain;
 container_runtime_domain_template(container_runtime)
 typealias container_runtime_t alias docker_t;
@@ -1452,6 +1468,14 @@ tunable_policy(`virt_sandbox_use_sys_admin',`
 	allow container_init_t self:cap_userns sys_admin;
 ')
 
+tunable_policy(`container_read_public_content',`
+	miscfiles_read_public_files(container_domain)
+')
+
+tunable_policy(`container_manage_public_content',`
+	miscfiles_manage_public_files(container_domain)
+')
+
 allow container_init_domain self:netlink_audit_socket nlmsg_relay;
 
 # container_engine_t is for running a container engine within a container

From 3e8e2302f6db60cdcce567bc1459622ede556379 Mon Sep 17 00:00:00 2001
From: Ian Pilcher
Date: Fri, 5 Dec 2025 15:02:43 -0600
Subject: [PATCH 2/3] Add new booleans to container_selinux(8) man page

Add descriptions of the container_read_public_content and container_manage_public_content booleans.
Signed-off-by: Ian Pilcher
---
 container_selinux.8 | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/container_selinux.8 b/container_selinux.8
index 5f9ee64..6e8a6cc 100644
--- a/container_selinux.8
+++ b/container_selinux.8
@@ -87,6 +87,22 @@ If you want to allow sandbox containers to use sys_admin system calls, for examp
 
 .EE
 
+.PP
+If you want to allow containers to read shared public files (public_content_t and public_content_rw_t), set the container_read_public_content boolean. Disabled by default.
+
+.EX
+.B setsebool -P container_read_public_content 1
+
+.EE
+
+.PP
+If you want to allow containers to read and write shared public files (public_content_rw_t), set the container_manage_public_content boolean. Disabled by default.
+
+.EX
+.B set sebool -P container_manage_public_content 1
+
+.EE
+
 .SH PORT TYPES
 SELinux defines port types to represent TCP and UDP ports.
 .PP
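Review bot: The description line `+## (public_content_t & public_content_rw_t)` for container_read_public_content carries a bare `&` inside what is otherwise a `<desc>`/`<p>` comment block; if that is what the committed file holds (the surrounding tags are missing in this rendering, so it may be an extraction artefact), the tooling that converts these description comments into XML for boolean listings would reject it. Writing `+## (public_content_t and public_content_rw_t)` sidesteps the escaping question and matches the wording of the man page text added in PATCH 2/3. The description for container_manage_public_content would also benefit from one more line noting that it covers public_content_rw_t only, so the two booleans read as independent rather than as read/superset.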
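Review bot: The two new tunable_policy blocks are independent, so enabling container_manage_public_content alone gives container domains read/write access to public_content_rw_t but, assuming miscfiles_manage_public_files grants only on public_content_rw_t as it does in reference policy, no read access to public_content_t; an administrator who treats the manage boolean as a superset of the read boolean will see denials on public_content_t files. If superset behaviour is intended, add `miscfiles_read_public_files(container_domain)` as a second line inside the `container_manage_public_content` block; if not, the limitation should be stated in the boolean description and in the man page paragraph. Both blocks grant to the container_domain attribute, which is consistent with the existing container_use_* tunables but is a wider scope than the per-type `allow container_init_t` rule directly above, and that breadth is worth a word in the description so operators know the grant is not limited to container_t.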
@@ -461,4 +477,4 @@ This manual page was auto-generated using
 .B "sepolicy manpage".
 
 .SH "SEE ALSO"
-selinux(8), container(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), container_auth_selinux(8), container_auth_selinux(8), container_device_selinux(8), container_device_selinux(8), container_device_plugin_selinux(8), container_device_plugin_selinux(8), container_device_plugin_init_selinux(8), container_device_plugin_init_selinux(8), container_engine_selinux(8), container_engine_selinux(8), container_init_selinux(8), container_init_selinux(8), container_kvm_selinux(8), container_kvm_selinux(8), container_logreader_selinux(8), container_logreader_selinux(8), container_logwriter_selinux(8), container_logwriter_selinux(8), container_runtime_selinux(8), container_runtime_selinux(8), container_user_selinux(8), container_user_selinux(8), container_userns_selinux(8), container_userns_selinux(8)
\ No newline at end of file
+selinux(8), container(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), container_auth_selinux(8), container_auth_selinux(8), container_device_selinux(8), container_device_selinux(8), container_device_plugin_selinux(8), container_device_plugin_selinux(8), container_device_plugin_init_selinux(8), container_device_plugin_init_selinux(8), container_engine_selinux(8), container_engine_selinux(8), container_init_selinux(8), container_init_selinux(8), container_kvm_selinux(8), container_kvm_selinux(8), container_logreader_selinux(8), container_logreader_selinux(8), container_logwriter_selinux(8), container_logwriter_selinux(8), container_runtime_selinux(8), container_runtime_selinux(8), container_user_selinux(8), container_user_selinux(8), container_userns_selinux(8), container_userns_selinux(8)

From 35d9a0721ba3ec0ab5e1fa978373ce4fe0a31407 Mon Sep 17 00:00:00 2001
From: Ian Pilcher
Date: Fri, 5 Dec 2025 15:14:18 -0600
Subject: [PATCH 3/3] Fix typo in container_selinux(8) man page

Signed-off-by: Ian Pilcher
---
 container_selinux.8 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/container_selinux.8 b/container_selinux.8
index 6e8a6cc..d8807d8 100644
--- a/container_selinux.8
+++ b/container_selinux.8
@@ -99,7 +99,7 @@ If you want to allow containers to read shared public files (public_content_t an
 If you want to allow containers to read and write shared public files (public_content_rw_t), set the container_manage_public_content boolean. Disabled by default.
 
 .EX
-.B set sebool -P container_manage_public_content 1
+.B setsebool -P container_manage_public_content 1
 
 .EE
 