diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 541eb8a5a9..77bdc5c021 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -130,7 +130,6 @@ interface(`container_user_engine',`
#
template(`container_base_role',`
gen_require(`
- type container_file_t, container_ro_file_t;
type container_config_t;
')
@@ -143,19 +142,8 @@ template(`container_base_role',`
files_search_etc($2)
read_files_pattern($2, container_config_t, container_config_t)
- allow $2 container_file_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 container_file_t:file { manage_file_perms relabel_file_perms };
- allow $2 container_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- allow $2 container_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
- allow $2 container_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
- allow $2 container_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
-
- allow $2 container_ro_file_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 container_ro_file_t:file { manage_file_perms relabel_file_perms };
- allow $2 container_ro_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- allow $2 container_ro_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
- allow $2 container_ro_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
- allow $2 container_ro_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
+ container_admin_all_files($2)
+ container_admin_all_ro_files($2)
')
########################################
@@ -230,10 +218,6 @@ template(`container_user_role',`
gen_require(`
attribute container_user_domain;
attribute container_engine_user_domain;
- type container_file_t, container_ro_file_t;
- type container_user_runtime_t;
- type container_cache_home_t, container_conf_home_t;
- type container_data_home_t;
')
role $4 types container_user_domain;
@@ -245,34 +229,8 @@ template(`container_user_role',`
allow $3 container_user_domain:process { ptrace signal_perms };
ps_process_pattern($3, container_user_domain)
- allow $2 container_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 container_user_runtime_t:file { manage_file_perms relabel_file_perms };
- allow $2 container_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
- allow $2 container_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-
- allow $2 container_cache_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 container_cache_home_t:file { manage_file_perms relabel_file_perms };
- xdg_cache_filetrans($2, container_cache_home_t, dir, "containers")
-
- allow $2 container_conf_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 container_conf_home_t:file { manage_file_perms relabel_file_perms };
- xdg_config_filetrans($2, container_conf_home_t, dir, "containers")
-
- allow $2 container_data_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 container_data_home_t:file { manage_file_perms relabel_file_perms };
- allow $2 container_data_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
- allow $2 container_data_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
- allow $2 container_data_home_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
- allow $2 container_data_home_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
- allow $2 container_data_home_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
- xdg_data_filetrans($2, container_data_home_t, dir, "containers")
- filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay")
- filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay-images")
- filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay-layers")
- filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay2")
- filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay2-images")
- filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay2-layers")
- filetrans_pattern($2, container_data_home_t, container_file_t, dir, "volumes")
+ container_admin_all_home_content($2)
+ container_admin_all_user_runtime_content($2)
optional_policy(`
systemd_read_user_manager_state($1, container_engine_user_domain)
@@ -293,6 +251,60 @@ template(`container_user_role',`
')
')
+########################################
+##
+## Unconfined role access for containers.
+##
+##
+##
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+##
+##
+##
+##
+## User domain for the role.
+##
+##
+##
+##
+## User exec domain for execute and transition access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+template(`container_unconfined_role',`
+ gen_require(`
+ attribute container_domain;
+ type container_config_t;
+ ')
+
+ role $4 types container_domain;
+
+ allow $3 container_domain:process transition;
+ allow $3 container_domain:process2 { nnp_transition nosuid_transition };
+ allow container_domain $3:fd use;
+ allow container_domain $3:unix_stream_socket rw_stream_socket_perms;
+
+ allow $3 self:cap_userns { kill sys_ptrace };
+
+ allow $3 container_domain:process { ptrace signal_perms };
+ ps_process_pattern($3, container_domain)
+
+ files_search_etc($2)
+ read_files_pattern($2, container_config_t, container_config_t)
+
+ container_admin_all_files($2)
+ container_admin_all_ro_files($2)
+
+ container_admin_all_home_content($2)
+ container_admin_all_user_runtime_content($2)
+')
+
########################################
##
## Execute generic container engines in the
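Review bot: The summary of `container_unconfined_role` does not say how it differs from `container_user_role` in scope: `role $4 types container_domain;` and the `$3` transition, fd, socket and ptrace rules apply to every type carrying the container_domain attribute, whereas the earlier hunk shows `container_user_role` limited to container_user_domain, so a reader of the summary alone cannot tell this grants the role control over all container domains, not just user ones. Suggest a summary along the lines of `## Unconfined role access for containers: grants the role all container domains (container_domain), not only user container domains; intended for unconfined roles only.` The `allow $3 self:cap_userns { kill sys_ptrace };` line would also benefit from a one-line comment stating why the exec domain needs sys_ptrace inside user namespaces, as nothing in the template explains it. The `files_search_etc`/`read_files_pattern`/`container_admin_all_files`/`container_admin_all_ro_files` sequence repeats the body of `container_base_role` as shown in the earlier hunk; if the remainder of that template (outside this view) is suitable for an unconfined role, calling it here would avoid keeping the two in sync by hand.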
@@ -1079,6 +1091,119 @@ interface(`container_manage_home_data_sock_files',`
manage_sock_files_pattern($1, container_data_home_t, container_data_home_t)
')
+########################################
+##
+## Administrate all container files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_admin_all_files',`
+ gen_require(`
+ type container_file_t;
+ ')
+
+ allow $1 container_file_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $1 container_file_t:file { manage_file_perms relabel_file_perms };
+ allow $1 container_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $1 container_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ allow $1 container_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
+ allow $1 container_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
+')
+
+########################################
+##
+## Administrate all container read-only files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_admin_all_ro_files',`
+ gen_require(`
+ type container_ro_file_t;
+ ')
+
+ allow $1 container_ro_file_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $1 container_ro_file_t:file { manage_file_perms relabel_file_perms };
+ allow $1 container_ro_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $1 container_ro_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ allow $1 container_ro_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
+ allow $1 container_ro_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
+')
+
+########################################
+##
+## All of the rules necessary for a user
+## to manage user container runtime data
+## in their user runtime directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_admin_all_user_runtime_content',`
+ gen_require(`
+ type container_user_runtime_t;
+ ')
+
+ allow $1 container_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $1 container_user_runtime_t:file { manage_file_perms relabel_file_perms };
+ allow $1 container_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $1 container_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+')
+
+########################################
+##
+## All of the rules necessary for a user
+## to manage container data in their home
+## directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_admin_all_home_content',`
+ gen_require(`
+ type container_file_t, container_ro_file_t;
+ type container_cache_home_t, container_conf_home_t;
+ type container_data_home_t;
+ ')
+
+ allow $1 container_cache_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $1 container_cache_home_t:file { manage_file_perms relabel_file_perms };
+ xdg_cache_filetrans($1, container_cache_home_t, dir, "containers")
+
+ allow $1 container_conf_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $1 container_conf_home_t:file { manage_file_perms relabel_file_perms };
+ xdg_config_filetrans($1, container_conf_home_t, dir, "containers")
+
+ allow $1 container_data_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $1 container_data_home_t:file { manage_file_perms relabel_file_perms };
+ allow $1 container_data_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $1 container_data_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $1 container_data_home_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ allow $1 container_data_home_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
+ allow $1 container_data_home_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
+ xdg_data_filetrans($1, container_data_home_t, dir, "containers")
+ filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay")
+ filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay-images")
+ filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay-layers")
+ filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay2")
+ filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay2-images")
+ filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay2-layers")
+ filetrans_pattern($1, container_data_home_t, container_file_t, dir, "volumes")
+')
+
########################################
##
## Allow the specified domain to
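Review bot: The summaries of `container_admin_all_user_runtime_content` and `container_admin_all_home_content` describe the rules as letting a user "manage" the content, but every `allow` in both interfaces also grants `relabel_*_perms`, and `container_admin_all_home_content` additionally installs default type transitions (overlay* directories to container_ro_file_t, volumes to container_file_t), so a caller reading the summary underestimates what is granted. Suggest `## to manage and relabel container data in their home directory, including default type transitions for the overlay* and volumes directories.` and the matching "manage and relabel" wording for the runtime interface. Separately, `container_admin_all_files` and `container_admin_all_ro_files` have no `fifo_file` rule while the runtime and home interfaces do; the move preserves the original rule set, so this is not a regression, but it is worth confirming the omission is intentional now that the rules are reusable from other callers.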