From aab4ef70ab704b97cbbaaf6a4ff9d6fcc1d1ae66 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 18 Mar 2024 16:23:36 +0100
Subject: [PATCH] Add --kerberos-access option

The option adds a new block inheritance, hence udica needs to require
the corresponding version of container-selinux.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 tests/test_kerberosaccess.podman.cil |  6 ++++++
 tests/test_main.py                   | 14 ++++++++++++++
 udica/__main__.py                    |  7 +++++++
 udica/policy.py                      |  4 ++++
 4 files changed, 31 insertions(+)
 create mode 100644 tests/test_kerberosaccess.podman.cil

diff --git a/tests/test_kerberosaccess.podman.cil b/tests/test_kerberosaccess.podman.cil
new file mode 100644
index 0000000..7964a3b
--- /dev/null
+++ b/tests/test_kerberosaccess.podman.cil
@@ -0,0 +1,6 @@
+(block my_container
+    (blockinherit container)
+    (blockinherit kerberos_container)
+    (allow process process ( capability ( audit_write chown dac_override fowner fsetid kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot ))) 
+
+)
\ No newline at end of file
diff --git a/tests/test_main.py b/tests/test_main.py
index 0c73861..b14c331 100644
--- a/tests/test_main.py
+++ b/tests/test_main.py
@@ -331,6 +331,20 @@ class TestBase(unittest.TestCase):
         self.assert_templates(output, ["base_container", "tty_container"])
         self.assert_policy(test_file("test_ttyaccess.podman.cil"))
 
+    def test_kerberosaccess_podman(self):
+        """podman run fedora"""
+        output = self.run_udica(
+            [
+                "udica",
+                "-j",
+                "tests/test_default.podman.json",
+                "--kerberos-access",
+                "my_container",
+            ]
+        )
+        self.assert_templates(output, ["base_container", "kerberos_container"])
+        self.assert_policy(test_file("test_kerberosaccess.podman.cil"))
+
     def test_append_more_rules_podman(self):
         """podman run fedora"""
         output = self.run_udica(
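Review bot: The docstring of the new `test_kerberosaccess_podman` (`"""podman run fedora"""`) is copied from the neighbouring tests and does not say what this case checks, so a failure report gives no hint about the `--kerberos-access` flag being exercised. A one-line fix is `"""podman run fedora with --kerberos-access"""`. The assertions themselves (template list and the new `.cil` fixture) look consistent with the tty test directly above; the `TestBase` class continues outside the hunk.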
diff --git a/udica/__main__.py b/udica/__main__.py
index 801499c..0fd5ab2 100644
--- a/udica/__main__.py
+++ b/udica/__main__.py
@@ -184,6 +184,13 @@ def get_args():
             dest="VirtAccess",
             action="store_true",
         )
+        parser.add_argument(
+            "--kerberos-access",
+            help="Allow container to use Kerberos authentication ",
+            required=False,
+            dest="KerberosAccess",
+            action="store_true",
+        )
         parser.add_argument(
             "-s",
             "--stream-connect",
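Review bot: The help string for `--kerberos-access` ends in a trailing space (`"Allow container to use Kerberos authentication "`), which argparse prints verbatim in `--help` output; the other options in this block appear not to carry one. Change the line to `help="Allow container to use Kerberos authentication",`. It may also be worth telling the user what the flag actually does at the SELinux level, e.g. `help="Allow container to use Kerberos authentication (inherits the kerberos_container block from container-selinux)",`, since the generated policy only loads on hosts whose container-selinux provides that block. `get_args` continues outside the hunk.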
diff --git a/udica/policy.py b/udica/policy.py
index 9d1eae0..0f36386 100644
--- a/udica/policy.py
+++ b/udica/policy.py
@@ -129,6 +129,10 @@ def create_policy(
         policy.write("    (blockinherit tty_container)\n")
         add_template("tty_container")
 
+    if opts["KerberosAccess"]:
+        policy.write("    (blockinherit kerberos_container)\n")
+        add_template("kerberos_container")
+
     if ports:
         policy.write("    (blockinherit restricted_net_container)\n")
         add_template("net_container")
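Review bot: `opts["KerberosAccess"]` raises `KeyError` when `opts` is built without that key; argparse always sets it via `dest="KerberosAccess"`, but if `create_policy` is ever called with a hand-built options dict (as tests or library users might do) the new line is the one that breaks. If the surrounding options use the same indexing, consistency wins; otherwise `opts.get("KerberosAccess")` is the safer form. The commit message notes that `kerberos_container` only exists in a newer container-selinux, yet nothing here checks for it, so on an older host the problem surfaces only when the policy is loaded — a comment such as `# kerberos_container is provided by container-selinux; the package spec must require a version that ships it` above the `if` would make that dependency visible to the next reader. `create_policy` starts and ends outside the hunk.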
-- 
2.43.0