From e3d76ebd55b32be327ffd9160d3e018a741de89d Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 9 May 2023 16:56:42 -0400
Subject: [PATCH] Install container_u on confined SELinux user systems

Allow users to play with confined users via the container_u description.

Signed-off-by: Daniel J Walsh
---
 Makefile | 4 ++++
 container_u | 8 ++++++++
 rpm/container-selinux.spec | 3 ++-
 3 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 container_u

diff --git a/Makefile b/Makefile
index 824fc31..3c9befc 100644
--- a/Makefile
+++ b/Makefile
@@ -4,6 +4,7 @@ MODULES ?= ${TARGETS:=.pp.bz2}
 # Point SHAREDIR to DATADIR by default to not break existing users
 DATADIR ?= /usr/share
 SHAREDIR ?= ${DATADIR}
+CONFDIR ?= /etc
 all: ${TARGETS:=.pp.bz2}
@@ -30,6 +31,9 @@ install: man
 	install -D -pm 644 container_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/container_selinux.8
 	install -D -pm 644 container_contexts ${DESTDIR}${SHAREDIR}/containers/selinux/contexts
+install.selinux-user:
+	install -D -pm 644 container_u ${DESTDIR}${CONFDIR}/selinux/targeted/contexts/users/container_u
+
 install.udica-templates:
 	install -dp $(DESTDIR)$(SHAREDIR)/udica/templates
 	install -pm 644 udica-templates/*.cil $(DESTDIR)$(SHAREDIR)/udica/templates
diff --git a/container_u b/container_u
new file mode 100644
index 0000000..5b4ec7b
--- /dev/null
+++ b/container_u
@@ -0,0 +1,8 @@
+system_r:init_t:s0 container_user_r:container_user_t:s0
+system_r:local_login_t:s0 container_user_r:container_user_t:s0
+system_r:remote_login_t:s0 container_user_r:container_user_t:s0
+system_r:sshd_t:s0 container_user_r:container_user_t:s0
+system_r:cockpit_session_t:s0 container_user_r:container_user_t:s0
+system_r:crond_t:s0 container_user_r:container_user_t:s0 container_user_r:cronjob_t:s0
+system_r:xdm_t:s0 container_user_r:container_user_t:s0
+
diff --git a/rpm/container-selinux.spec b/rpm/container-selinux.spec
index a540400..6328adf 100644
--- a/rpm/container-selinux.spec
+++ b/rpm/container-selinux.spec
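Review bot: The new `install.selinux-user` rule hard-codes the `targeted` policy store in `${DESTDIR}${CONFDIR}/selinux/targeted/contexts/users/container_u`, so on a host whose SELINUXTYPE is a different store the file is installed where libselinux never looks for it; since the same hunk series makes `CONFDIR` overridable, the store name deserves the same treatment, e.g. `POLICYTYPE ?= targeted` and `${DESTDIR}${CONFDIR}/selinux/${POLICYTYPE}/contexts/users/container_u`. The target never produces a file named `install.selinux-user`, so it should be added to the Makefile's `.PHONY` list alongside the other `install*` targets if one exists (not visible in this hunk). As a point of style, this rule writes `${DESTDIR}${CONFDIR}` while the adjacent `install.udica-templates` rule writes `$(DESTDIR)$(SHAREDIR)`; one brace form throughout is easier to read. Mode 644 is appropriate for a contexts file, which login programs only need to read.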
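Review bot: The new file ends with an empty added line (the eighth `+` line); the default-contexts parser most likely ignores it, but it carries no entry and differs from every other line, so drop it. Each line maps the context of a login or session service (`init_t`, `sshd_t`, `crond_t`, …) to the context a `container_u`-mapped account receives, so the file only has an effect if `container_user_r` and `container_user_t` are provided by the installed container policy module; that definition is not shown on this page, so confirm it exists in the oldest policy version the package supports, otherwise such logins may be unable to obtain a valid context. On the `crond_t` line the order appears to express preference, with `container_user_r:container_user_t:s0` offered first and `container_user_r:cronjob_t:s0` as the alternative; a sentence on that in the commit message would help future readers, since the file format gives no room to explain it.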
@@ -85,7 +85,7 @@ make
 %install
 # install policy modules
 %_format MODULES $x.pp.bz2
-%{__make} DATADIR=%{buildroot}%{_datadir} install install.udica-templates
+%{__make} DATADIR=%{buildroot}%{_datadir} install install.udica-templates install.selinux-user
 %check
@@ -125,6 +125,7 @@ fi
 %dir %{_datadir}/udica/templates/
 %{_datadir}/udica/templates/*
 %{_mandir}/man8/container_selinux.8.gz
+%{_sysconfdir}/selinux/targeted/contexts/users/*
 %triggerpostun -- container-selinux < 2:2.162.1-3
 if %{_sbindir}/selinuxenabled ; then
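Review bot: This invocation only redirects `DATADIR` into the buildroot and sets neither `DESTDIR` nor `CONFDIR`, while the new `install.selinux-user` rule in the Makefile hunk writes to `${DESTDIR}${CONFDIR}/selinux/targeted/contexts/users/container_u`; unless something outside this hunk exports `DESTDIR`, the file is aimed at the build host's real `/etc` (failing for an unprivileged build user) and never lands in `%{buildroot}`, so the `%files` entry added in the next hunk cannot be satisfied. Pass the buildroot explicitly, e.g. `%{__make} DATADIR=%{buildroot}%{_datadir} CONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates install.selinux-user`.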
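Review bot: `%{_sysconfdir}/selinux/targeted/contexts/users/*` packages whatever ends up in the buildroot under a directory that is normally populated by the base policy package's own per-user context files, so the wildcard is broader than the single file this commit installs and could pick up stray build output; name the file, `%{_sysconfdir}/selinux/targeted/contexts/users/container_u`. Because it lives under `/etc` and administrators may adjust the default contexts, decide whether it should be `%config(noreplace)` so local edits survive upgrades, or stay a plain file so the module's shipped mapping always wins; either is defensible, but the choice should be deliberate and rpmlint will flag an unmarked file in `%{_sysconfdir}`.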