Install container_u on confined SELinux user systems

Allow users to play with confined users via the container_u description.

Signed-off-by: Daniel J Walsh <[email protected]>

Makefile

@@ -4,6 +4,7 @@ MODULES ?= ${TARGETS:=.pp.bz2}
 # Point SHAREDIR to DATADIR by default to not break existing users
 DATADIR ?= /usr/share
 SHAREDIR ?= ${DATADIR}
+CONFDIR ?= /etc
 
 all: ${TARGETS:=.pp.bz2}
 
@@ -30,6 +31,9 @@ install: man
 	install -D -pm 644 container_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/container_selinux.8
 	install -D -pm 644 container_contexts ${DESTDIR}${SHAREDIR}/containers/selinux/contexts
 
+install.selinux-user:
+	install -D -pm 644 container_u ${DESTDIR}${CONFDIR}/selinux/targeted/contexts/users/container_u
+
 install.udica-templates:
 	install -dp $(DESTDIR)$(SHAREDIR)/udica/templates
 	install -pm 644 udica-templates/*.cil $(DESTDIR)$(SHAREDIR)/udica/templates

container_u

@@ -0,0 +1,8 @@
+system_r:init_t:s0		container_user_r:container_user_t:s0
+system_r:local_login_t:s0	container_user_r:container_user_t:s0
+system_r:remote_login_t:s0	container_user_r:container_user_t:s0
+system_r:sshd_t:s0		container_user_r:container_user_t:s0
+system_r:cockpit_session_t:s0	container_user_r:container_user_t:s0
+system_r:crond_t:s0		container_user_r:container_user_t:s0 container_user_r:cronjob_t:s0
+system_r:xdm_t:s0		container_user_r:container_user_t:s0
+

rpm/container-selinux.spec

@@ -85,7 +85,7 @@ make
 %install
 # install policy modules
 %_format MODULES $x.pp.bz2
-%{__make} DATADIR=%{buildroot}%{_datadir} install install.udica-templates
+%{__make} DATADIR=%{buildroot}%{_datadir} install install.udica-templates install.selinux-user
 
 %check
 
@@ -125,6 +125,7 @@ fi
 %dir %{_datadir}/udica/templates/
 %{_datadir}/udica/templates/*
 %{_mandir}/man8/container_selinux.8.gz
+%{_sysconfdir}/selinux/targeted/contexts/users/*
 
 %triggerpostun -- container-selinux < 2:2.162.1-3
 if %{_sbindir}/selinuxenabled ; then