From 29de89fc1bc81449acb09099202339eb8bf75247 Mon Sep 17 00:00:00 2001
From: Ben Cressey
Date: Mon, 13 Dec 2021 23:01:12 +0000
Subject: [PATCH] release: label overlayfs state directories

Using `state_t` as the label makes the directories read-only for all unprivileged containers, even if they have access via a host mount.

Signed-off-by: Ben Cressey
---
 packages/release/prepare-local.service | 7 +++++++
 packages/selinux-policy/fs.cil | 8 ++++++++
 2 files changed, 15 insertions(+)

diff --git a/packages/release/prepare-local.service b/packages/release/prepare-local.service
index 167873d9c50..bec31ad6bbe 100644
--- a/packages/release/prepare-local.service
+++ b/packages/release/prepare-local.service
@@ -21,6 +21,10 @@ ExecStart=/usr/bin/mkdir -p \
 ${LOCAL_DIR}/var/lib/kernel-devel/.overlay/work \
 ${LOCAL_DIR}/var/lib/kernel-modules/.overlay/upper \
 ${LOCAL_DIR}/var/lib/kernel-modules/.overlay/work
+ExecStart=/usr/sbin/setfiles -r ${LOCAL_DIR} \
+ -F /etc/selinux/fortified/contexts/files/file_contexts \
+ ${LOCAL_DIR}/var/lib/kernel-devel \
+ ${LOCAL_DIR}/var/lib/kernel-modules
 
 # Create the directories we need to set up a read-write overlayfs for any CNI
 # plugin binaries.
@@ -31,6 +35,9 @@ ExecStart=/usr/bin/mkdir -p \
 ${LOCAL_DIR}/opt/cni/bin \
 ${LOCAL_DIR}/var/lib/cni-plugins/.overlay/upper \
 ${LOCAL_DIR}/var/lib/cni-plugins/.overlay/work
+ExecStart=/usr/sbin/setfiles -r ${LOCAL_DIR} \
+ -F /etc/selinux/fortified/contexts/files/file_contexts \
+ ${LOCAL_DIR}/var/lib/cni-plugins
 
 RemainAfterExit=true
 StandardError=journal+console
diff --git a/packages/selinux-policy/fs.cil b/packages/selinux-policy/fs.cil
index 457aace294a..844ef56094e 100644
--- a/packages/selinux-policy/fs.cil
+++ b/packages/selinux-policy/fs.cil
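Review bot: The new `setfiles` steps hard-code `/etc/selinux/fortified/contexts/files/file_contexts` in both hunks of this unit (the kernel-devel/kernel-modules block here and the cni-plugins block in the second hunk), so a policy rename or relocation has to be fixed in several places; an `Environment=FILE_CONTEXTS=/etc/selinux/fortified/contexts/files/file_contexts` entry referenced as `${FILE_CONTEXTS}` would keep the path in one spot. A one-line comment above each new `ExecStart` would also help the next reader, since it is not obvious why a relabel is needed right after `mkdir`: `# mkdir labels new directories by the kernel's default transition, not file_contexts; relabel them so they get the state_t label the policy expects.` Note that `-F` forces the relabel on every boot and that a failing `setfiles` aborts the remaining `ExecStart` steps, which looks intended here but is worth stating in that comment. The `ExecStart=/usr/bin/mkdir -p` command these hunks extend begins outside the hunk.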
@@ -80,6 +80,14 @@
 (filecon "/var/lib/netdog" any lease)
 (filecon "/var/lib/netdog/.*" any lease)
 
+; Label local directories for overlayfs mounts.
+(filecon "/var/lib/cni-plugins" any state)
+(filecon "/var/lib/cni-plugins/.*" any state)
+(filecon "/var/lib/kernel-devel" any state)
+(filecon "/var/lib/kernel-devel/.*" any state)
+(filecon "/var/lib/kernel-modules" any state)
+(filecon "/var/lib/kernel-modules/.*" any state)
+
 ; Label kernel filesystem mounts.
 (filecon "/proc" any proc)
 (filecon "/proc/.*" any ())
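Review bot: The added comment says what is labelled but not why `state` was chosen, which is the security-relevant part and currently lives only in the commit message; suggest `; Label local directories for overlayfs mounts as state_t: this keeps them read-only for unprivileged containers even when exposed through a host mount.` The `/.*` patterns also cover the `.overlay/upper` and `.overlay/work` directories that prepare-local.service creates, so the writable upper layer of each overlay carries the same read-only-to-containers label; stating that explicitly would stop someone later expecting a more permissive label there. These entries are only applied at boot by the new `setfiles -r ${LOCAL_DIR}` steps in prepare-local.service, so the path list here and the directory list there need to stay in sync when a new overlay directory is added.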