From 6dc99b4576d89e5d0d445264ceb8ef16f9077db6 Mon Sep 17 00:00:00 2001
From: Karuboniru
Date: Thu, 1 Feb 2024 10:45:27 +0000
Subject: [PATCH] Add selinux conf for alist - and allow caddy to connect to alist/comiclib
---
 cils/container_alist.cil | 10 ++++++++++
 cils/container_caddy.cil | 2 ++
 2 files changed, 12 insertions(+)
 create mode 100644 cils/container_alist.cil
diff --git a/cils/container_alist.cil b/cils/container_alist.cil
new file mode 100644
index 0000000..901cdaf
--- /dev/null
+++ b/cils/container_alist.cil
@@ -0,0 +1,10 @@
+(block container_alist
+ (blockinherit container)
+ (blockinherit restricted_net_container)
+
+ (allow process user_home_t ( dir ( watch add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
+ (allow process user_home_t ( file ( watch append create getattr ioctl lock map open read rename setattr unlink write )))
+
+ (allow process port_type ( tcp_socket ( name_connect recv_msg send_msg )))
+ (allow process port_type ( udp_socket ( recv_msg send_msg )))
+)
diff --git a/cils/container_caddy.cil b/cils/container_caddy.cil
index 68261c2..52a9821 100644
--- a/cils/container_caddy.cil
+++ b/cils/container_caddy.cil
@@ -5,4 +5,6 @@
 (allow process var_run_t ( sock_file ( write )))
 (allow process cockpit_ws_t ( unix_stream_socket ( connectto )))
+ (allow process container_alist.process ( unix_stream_socket ( connectto )))
+ (allow process comiclib.process ( unix_stream_socket ( connectto )))
 )
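Review bot: The `tcp_socket name_connect` rule targets the `port_type` attribute, which permits outbound connects to every labelled port and appears to undo whatever narrowing `(blockinherit restricted_net_container)` two lines above provides (that block's definition is outside this patch, so this is inferred). If alist only needs to reach web origins, scoping the connect to the ports it actually uses, e.g. `(allow process http_port_t ( tcp_socket ( name_connect )))`, keeps the container's egress policy meaningful; `recv_msg`/`send_msg` can stay on `port_type` if per-packet labelling is in use. The two `user_home_t` rules likewise grant create/rename/unlink/write over any home-labelled directory or file rather than just alist's data directory; if that directory is a single bind mount, labelling it with a dedicated type and allowing that type instead would confine the damage from a compromised container. A short comment above each group stating which mount or endpoint the rule exists for would make later tightening possible without guessing.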
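Review bot: The two added `connectto` rules cover the peer-domain half of a unix-stream connect but not the socket file itself: caddy also needs `write` on the `sock_file` type the alist and comiclib sockets are created under, and the existing `var_run_t` context line only covers that if both sockets live under a `var_run_t` path — worth confirming, or adding the matching `( sock_file ( write ))` rule for the type actually used. `comiclib.process` refers to a block that this patch does not define, so the policy only loads if that block already exists in the module set; a one-line comment naming the file it comes from would save the next reader a search. The enclosing block starts outside the hunk.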