selinux-policy: restrict bootstrap container user data

This is a follow-up to ea35f1b, which added similar restrictions for host container user data. Signed-off-by: Ben Cressey <[email protected]>
bottlerocket-os · Apr 16, 2021 · f976318 · f976318
1 parent 64e6797
commit f976318
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 3 deletions.
diff --git a/packages/os/bootstrap-containers-tmpfiles.conf b/packages/os/bootstrap-containers-tmpfiles.conf
@@ -1,3 +1,3 @@
 d /etc/bootstrap-containers 0750 root root -
 d /local/bootstrap-containers 0700 root root -
-T /local/bootstrap-containers - - - - security.selinux=system_u:object_r:state_t:s0
+T /local/bootstrap-containers - - - - security.selinux=system_u:object_r:secret_t:s0
diff --git a/packages/selinux-policy/fs.cil b/packages/selinux-policy/fs.cil
@@ -64,6 +64,8 @@
 ; Label local state directories.
 (filecon "/local/host-containers" any secret)
 (filecon "/local/host-containers/.*" any secret)
+(filecon "/local/bootstrap-containers" any secret)
+(filecon "/local/bootstrap-containers/.*" any secret)
 (filecon "/var/lib/chrony" any measure)
 (filecon "/var/lib/chrony/.*" any measure)
 (filecon "/var/lib/systemd" any state)

diff --git a/packages/selinux-policy/rules.cil b/packages/selinux-policy/rules.cil
@@ -101,9 +101,10 @@
 ; ... docker's image layers
 (typetransition runtime_t local_t dir "overlay2" cache_t)
 
-; If a system process creates a directory for host container state, it
-; receives the "secret_t" label.
+; If a system process creates a directory for host or bootstrap container
+; state, it receives the "secret_t" label.
 (typetransition system_t local_t dir "host-containers" secret_t)
+(typetransition system_t local_t dir "bootstrap-containers" secret_t)
 
 ; The socket for the API server gets the "api_socket_t" label.
 (typetransition api_t any_t sock_file "api.sock" api_socket_t)