From aab4ef70ab704b97cbbaaf6a4ff9d6fcc1d1ae66 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 18 Mar 2024 16:23:36 +0100
Subject: [PATCH] Add --kerberos-access option
The option adds a new block inheritance (kerberos_container), so udica needs to require the container-selinux version that ships that block.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
tests/test_kerberosaccess.podman.cil | 6 ++++++
tests/test_main.py | 14 ++++++++++++++
udica/__main__.py | 7 +++++++
udica/policy.py | 4 ++++
4 files changed, 31 insertions(+)
create mode 100644 tests/test_kerberosaccess.podman.cil
diff --git a/tests/test_kerberosaccess.podman.cil b/tests/test_kerberosaccess.podman.cil
new file mode 100644
index 0000000..7964a3b
--- /dev/null
+++ b/tests/test_kerberosaccess.podman.cil
@@ -0,0 +1,6 @@
+(block my_container
+ (blockinherit container)
+ (blockinherit kerberos_container)
+ (allow process process ( capability ( audit_write chown dac_override fowner fsetid kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot )))
+
+)
\ No newline at end of file
diff --git a/tests/test_main.py b/tests/test_main.py
index 0c73861..b14c331 100644
--- a/tests/test_main.py
+++ b/tests/test_main.py
@@ -331,6 +331,20 @@ class TestBase(unittest.TestCase):
self.assert_templates(output, ["base_container", "tty_container"])
self.assert_policy(test_file("test_ttyaccess.podman.cil"))
+ def test_kerberosaccess_podman(self):
+ """podman run fedora"""
+ output = self.run_udica(
+ [
+ "udica",
+ "-j",
+ "tests/test_default.podman.json",
+ "--kerberos-access",
+ "my_container",
+ ]
+ )
+ self.assert_templates(output, ["base_container", "kerberos_container"])
+ self.assert_policy(test_file("test_kerberosaccess.podman.cil"))
+
def test_append_more_rules_podman(self):
"""podman run fedora"""
output = self.run_udica(
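Review bot: The docstring of the new test_kerberosaccess_podman, `"""podman run fedora"""`, is copied from the neighbouring tests and does not mention the option under test, so a failing test gives no hint of what scenario broke; I would use `"""podman run fedora, generated with --kerberos-access"""` or similar. The test only pins the template list and the fixture file, which is consistent with the existing tty test above it, so no further assertion seems needed. Both the preceding test (whose tail is the first context line) and test_append_more_rules_podman (cut at the last line) extend outside this hunk.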
diff --git a/udica/__main__.py b/udica/__main__.py
index 801499c..0fd5ab2 100644
--- a/udica/__main__.py
+++ b/udica/__main__.py
@@ -184,6 +184,13 @@ def get_args():
dest="VirtAccess",
action="store_true",
)
+ parser.add_argument(
+ "--kerberos-access",
+ help="Allow container to use Kerberos authentication ",
+ required=False,
+ dest="KerberosAccess",
+ action="store_true",
+ )
parser.add_argument(
"-s",
"--stream-connect",
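Review bot: The help string `"Allow container to use Kerberos authentication "` carries a trailing space and says nothing about what the option actually widens, which for a policy generator is the one thing an operator deciding whether to pass it wants to know. Since the diff shows the flag only adds `(blockinherit kerberos_container)`, I would state that and point at the template's owner: `help="Allow container to use Kerberos authentication (inherits the kerberos_container block from container-selinux; review that block for the host credential access it grants)",`. The exact permissions are defined in container-selinux, not visible here, so the help should reference the block rather than enumerate them. get_args() starts and ends outside this hunk.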
diff --git a/udica/policy.py b/udica/policy.py
index 9d1eae0..0f36386 100644
--- a/udica/policy.py
+++ b/udica/policy.py
@@ -129,6 +129,10 @@ def create_policy(
policy.write(" (blockinherit tty_container)\n")
add_template("tty_container")
+ if opts["KerberosAccess"]:
+ policy.write(" (blockinherit kerberos_container)\n")
+ add_template("kerberos_container")
+
if ports:
policy.write(" (blockinherit restricted_net_container)\n")
add_template("net_container")
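Review bot: `if opts["KerberosAccess"]:` will raise KeyError for any caller of create_policy() that builds its own opts dict and has not been updated for the new key, whereas the CLI path always sets it via argparse; if such callers exist (the option dicts in tests suggest opts is passed in, though I cannot see them all here), `if opts.get("KerberosAccess"):` keeps the old dicts working while behaving the same for the CLI. Separately, the commit message ties this block to a newer container-selinux, but nothing in this diff records or checks that dependency, so on an older host the emitted `(blockinherit kerberos_container)` presumably fails only at `semodule` load time with a CIL resolution error; that version requirement should land in the packaging metadata alongside this change, or udica should at least name the template in a hint on failure. create_policy() starts and ends outside this hunk.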
--
2.43.0