-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Marc Schiffbauer <[email protected]>
- Loading branch information
Showing
3 changed files
with
446 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| /usr/bin/incus -- gen_context(system_u:object_r:incusc_exec_t,s0) | ||
| /usr/bin/incusd -- gen_context(system_u:object_r:incusd_exec_t,s0) | ||
| /usr/bin/incus-.* gen_context(system_u:object_r:container_engine_exec_t,s0) | ||
| /usr/libexec/incus(/.*)? gen_context(system_u:object_r:container_engine_exec_t,s0) | ||
| /usr/lib/systemd/system/incus.* gen_context(system_u:object_r:container_engine_unit_t,s0) | ||
| /var/cache/incus(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) | ||
| /var/lib/incus(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) | ||
| /var/lib/lxc(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) | ||
| /var/log/incus(/.*)? gen_context(system_u:object_r:container_log_t,s0) | ||
| /run/incus(/.*)? gen_context(system_u:object_r:container_runtime_t,s0) | ||
|
|
||
| # custom for init scripts: | ||
| /etc/rc\.d/init\.d/incus gen_context(system_u:object_r:initrc_exec_t,s0) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,237 @@ | ||
| ## <summary>Policy for incus</summary> | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Execute incus CLI in the incus CLI domain. | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain allowed to transition. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`incus_domtrans_cli',` | ||
| gen_require(` | ||
| type incusc_t, incusc_exec_t; | ||
| ') | ||
|
|
||
| corecmd_search_bin($1) | ||
| domtrans_pattern($1, incusc_exec_t, incusc_t) | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Execute incus CLI in the incus CLI | ||
| ## domain, and allow the specified role | ||
| ## the incus CLI domain. | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain allowed to transition. | ||
| ## </summary> | ||
| ## </param> | ||
| ## <param name="role"> | ||
| ## <summary> | ||
| ## The role to be allowed the incus domain. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`incus_run_cli',` | ||
| gen_require(` | ||
| type incusc_t; | ||
| ') | ||
|
|
||
| role $2 types incusc_t; | ||
|
|
||
| incus_domtrans_cli($1) | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Execute incus in the incus user domain. | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain allowed to transition. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`incus_domtrans_user_daemon',` | ||
| gen_require(` | ||
| type incusd_user_t, incusd_exec_t; | ||
| ') | ||
|
|
||
| corecmd_search_bin($1) | ||
| domtrans_pattern($1, incusd_exec_t, incusd_user_t) | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Execute incus in the incus user | ||
| ## domain, and allow the specified | ||
| ## role the incus user domain. | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain allowed to transition. | ||
| ## </summary> | ||
| ## </param> | ||
| ## <param name="role"> | ||
| ## <summary> | ||
| ## The role to be allowed the incus domain. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`incus_run_user_daemon',` | ||
| gen_require(` | ||
| type incusd_user_t; | ||
| ') | ||
|
|
||
| role $2 types incusd_user_t; | ||
|
|
||
| incus_domtrans_user_daemon($1) | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Execute incus CLI in the incus CLI | ||
| ## user domain. | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain allowed to transition. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`incus_domtrans_user_cli',` | ||
| gen_require(` | ||
| type incusc_user_t, incusc_exec_t; | ||
| ') | ||
|
|
||
| corecmd_search_bin($1) | ||
| domtrans_pattern($1, incusc_exec_t, incusc_user_t) | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Execute incus CLI in the incus CLI | ||
| ## user domain, and allow the specified | ||
| ## role the incus CLI user domain. | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain allowed to transition. | ||
| ## </summary> | ||
| ## </param> | ||
| ## <param name="role"> | ||
| ## <summary> | ||
| ## The role to be allowed the incus | ||
| ## user domain. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`incus_run_user_cli',` | ||
| gen_require(` | ||
| type incusc_user_t; | ||
| ') | ||
|
|
||
| role $2 types incusc_user_t; | ||
|
|
||
| incus_domtrans_user_cli($1) | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Role access for rootless incus. | ||
| ## </summary> | ||
| ## <param name="role_prefix"> | ||
| ## <summary> | ||
| ## The prefix of the user role (e.g., user | ||
| ## is the prefix for user_r). | ||
| ## </summary> | ||
| ## </param> | ||
| ## <param name="user_domain"> | ||
| ## <summary> | ||
| ## User domain for the role. | ||
| ## </summary> | ||
| ## </param> | ||
| ## <param name="user_exec_domain"> | ||
| ## <summary> | ||
| ## User exec domain for execute and transition access. | ||
| ## </summary> | ||
| ## </param> | ||
| ## <param name="role"> | ||
| ## <summary> | ||
| ## Role allowed access. | ||
| ## </summary> | ||
| ## </param> | ||
| ## <rolecap/> | ||
| # | ||
| template(`incus_user_role',` | ||
| gen_require(` | ||
| type incusd_user_t; | ||
| type incusd_exec_t; | ||
| ') | ||
|
|
||
| role $4 types incusd_user_t; | ||
|
|
||
| incus_run_user_daemon($3, $4) | ||
| incus_run_user_cli($3, $4) | ||
|
|
||
| ifdef(`init_systemd',` | ||
| systemd_user_daemon_domain($1, incusd_exec_t, incusd_user_t) | ||
| systemd_user_send_systemd_notify($1, incusd_user_t) | ||
| ') | ||
|
|
||
| optional_policy(` | ||
| dbus_spec_session_bus_client($1, incusd_user_t) | ||
| ') | ||
|
|
||
| optional_policy(` | ||
| rootlesskit_role($1, $2, $3, $4) | ||
| ') | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Send signals to the rootless incus daemon. | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain allowed to transition. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`incus_signal_user_daemon',` | ||
| gen_require(` | ||
| type incusd_user_t; | ||
| ') | ||
|
|
||
| allow $1 incusd_user_t:process signal; | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## All of the rules required to | ||
| ## administrate a incus | ||
| ## environment. | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain allowed access. | ||
| ## </summary> | ||
| ## </param> | ||
| ## <param name="role"> | ||
| ## <summary> | ||
| ## Role allowed access. | ||
| ## </summary> | ||
| ## </param> | ||
| ## <rolecap/> | ||
| # | ||
| interface(`incus_admin',` | ||
| incus_run_cli($1, $2) | ||
|
|
||
| optional_policy(` | ||
| rootlesskit_run($1, $2) | ||
| ') | ||
| ') |
Oops, something went wrong.