| From 641a7f0c61ff42ea55ad7152e7f874ea5d680a2d Mon Sep 17 00:00:00 2001 |
| From: Dan Walsh <dwalsh@redhat.com> |
| Date: Wed, 9 Mar 2016 09:29:25 -0500 |
| Subject: [PATCH] /dev/console must be labeled with SELinux label |
| |
| If the user specifies an selinux_apifs_context all content created in |
| the container including /dev/console should use this label. |
| |
| Currently when this uses the default label it gets labeled user_devpts_t, |
| which would require us to write a policy allowing container processes to |
| manage user_devpts_t. This means that an escaped process would be allowed |
| to attack all users' terminals as well as other container terminals. Changing |
| the label to match the apifs_context means the processes would only be allowed |
| to manage their specific tty. |
| |
| This change fixes a problem preventing RKT containers from working with systemd-nspawn. |
| |
| (cherry picked from commit 68b020494d1ff085281061413d9236b5865ef238) |
| |
| src/nspawn/nspawn.c | 7 +++++++ |
| 1 file changed, 7 insertions(+) |
| |
| diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c |
| index ef348c335b..8c06f6ef75 100644 |
| |
| |
| @@ -87,6 +87,7 @@ |
| #ifdef HAVE_SECCOMP |
| #include "seccomp-util.h" |
| #endif |
| +#include "selinux-util.h" |
| #include "signal-util.h" |
| #include "socket-util.h" |
| #include "stat-util.h" |
| @@ -3286,6 +3287,12 @@ int main(int argc, char *argv[]) { |
| goto finish; |
| } |
| |
| + if (arg_selinux_apifs_context) { |
| + r = mac_selinux_apply(console, arg_selinux_apifs_context); |
| + if (r < 0) |
| + goto finish; |
| + } |
| + |
| if (unlockpt(master) < 0) { |
| r = log_error_errno(errno, "Failed to unlock tty: %m"); |
| goto finish; |
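Review bot: The new `if (arg_selinux_apifs_context)` block has no comment explaining why the relabel is placed before `unlockpt(master)`, and that ordering looks like the security-relevant part of the change. Presumably it ensures the slave side cannot be opened while it still carries the default `user_devpts_t` label named in the commit message. I would add `/* Relabel the console before unlockpt() so the pty is never usable under the default label */` above the block, so that a later reordering does not silently reopen that window. The failure branch also jumps to `finish` without a message of its own, unlike the `unlockpt` branch directly below. If `mac_selinux_apply()` does not log on failure (its body is not visible here), the branch should become `return`-style consistent with its neighbours, e.g. `r = log_error_errno(r, "Failed to relabel console: %m");`. `main()` begins and ends outside this hunk.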