SELinux
Web
Autoriser un dossier à être lu par le serveur Web.
chcon -Rt httpd_sys_content_t /path/to/www
Conteneurs
Autoriser un conteneur à accéder à un dossier mappé sur l'hôte (flag Z
).
podman run --rm -v /path/to/volume:/data:Z debian
Creer une policy custom (podman):
Extraire les settings du conteneur et run udica dessus :
podman inspect <id/nom du pod> > conteneur.json
udica -j conteneur.json mon_conteneur
Editer le fichier .cil créé, et ajouter/modifier selon ce que vous voulez autoriser
Exemple pour qbittorrent :
(block qbittorrent
(blockinherit container)
(blockinherit restricted_net_container)
(allow process process ( capability ( chown dac_override fowner fsetid kill net_bind_service setfcap setgid setpcap setuid sys_chroot )))
# Autorise a se bind et a contacter tous les ports
(allow process port_type ( tcp_socket ( name_bind name_connect )))
(allow process port_type ( udp_socket ( name_bind )))
# Autorise a acceder aux fichier avec le contexte httpd_user_ra_content_t
(allow process httpd_user_ra_content_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
(allow process httpd_user_ra_content_t ( file ( append create getattr ioctl lock map open read rename setattr link unlink write )))
(allow process httpd_user_ra_content_t ( fifo_file ( getattr read write append ioctl lock open )))
(allow process httpd_user_ra_content_t ( sock_file ( append getattr open read write link create setattr unlink execute rename )))
(allow process default_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
(allow process default_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write )))
(allow process default_t ( fifo_file ( getattr read write append ioctl lock open )))
(allow process default_t ( sock_file ( append getattr open read write )))
(allow process var_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
(allow process var_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write )))
(allow process var_t ( fifo_file ( getattr read write append ioctl lock open )))
(allow process var_t ( sock_file ( append getattr open read write )))
)
importer la policy :
semodule -i qbittorrent.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}
relancer le conteneur, verifier les alertes selinux, autoriser ce qui génère les alertes, supprimer et reimporter la policy, relancer le conteneur, repeat until it works...
semodule -r qbittorent.cil # Supprime la policy
tail -f /var/log/audit/audit.log # Lookout for les AVC