| |
@@ -0,0 +1,91 @@
|
| |
+ From aab4ef70ab704b97cbbaaf6a4ff9d6fcc1d1ae66 Mon Sep 17 00:00:00 2001
|
| |
+ From: Vit Mojzis <vmojzis@redhat.com>
|
| |
+ Date: Mon, 18 Mar 2024 16:23:36 +0100
|
| |
+ Subject: [PATCH] Add --kerberos-access option
|
| |
+
|
| |
+ The option adds a new block inheritance, hence udica needs to require
|
| |
+ the corresponding version of container-selinux.
|
| |
+
|
| |
+ Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
| |
+ ---
|
| |
+ tests/test_kerberosaccess.podman.cil | 6 ++++++
|
| |
+ tests/test_main.py | 14 ++++++++++++++
|
| |
+ udica/__main__.py | 7 +++++++
|
| |
+ udica/policy.py | 4 ++++
|
| |
+ 4 files changed, 31 insertions(+)
|
| |
+ create mode 100644 tests/test_kerberosaccess.podman.cil
|
| |
+
|
| |
+ diff --git a/tests/test_kerberosaccess.podman.cil b/tests/test_kerberosaccess.podman.cil
|
| |
+ new file mode 100644
|
| |
+ index 0000000..7964a3b
|
| |
+ --- /dev/null
|
| |
+ +++ b/tests/test_kerberosaccess.podman.cil
|
| |
+ @@ -0,0 +1,6 @@
|
| |
+ +(block my_container
|
| |
+ + (blockinherit container)
|
| |
+ + (blockinherit kerberos_container)
|
| |
+ + (allow process process ( capability ( audit_write chown dac_override fowner fsetid kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot )))
|
| |
+ +
|
| |
+ +)
|
| |
+ \ No newline at end of file
|
| |
+ diff --git a/tests/test_main.py b/tests/test_main.py
|
| |
+ index 0c73861..b14c331 100644
|
| |
+ --- a/tests/test_main.py
|
| |
+ +++ b/tests/test_main.py
|
| |
+ @@ -331,6 +331,20 @@ class TestBase(unittest.TestCase):
|
| |
+ self.assert_templates(output, ["base_container", "tty_container"])
|
| |
+ self.assert_policy(test_file("test_ttyaccess.podman.cil"))
|
| |
+
|
| |
+ + def test_kerberosaccess_podman(self):
|
| |
+ + """podman run fedora"""
|
| |
+ + output = self.run_udica(
|
| |
+ + [
|
| |
+ + "udica",
|
| |
+ + "-j",
|
| |
+ + "tests/test_default.podman.json",
|
| |
+ + "--kerberos-access",
|
| |
+ + "my_container",
|
| |
+ + ]
|
| |
+ + )
|
| |
+ + self.assert_templates(output, ["base_container", "kerberos_container"])
|
| |
+ + self.assert_policy(test_file("test_kerberosaccess.podman.cil"))
|
| |
+ +
|
| |
+ def test_append_more_rules_podman(self):
|
| |
+ """podman run fedora"""
|
| |
+ output = self.run_udica(
|
| |
+ diff --git a/udica/__main__.py b/udica/__main__.py
|
| |
+ index 801499c..0fd5ab2 100644
|
| |
+ --- a/udica/__main__.py
|
| |
+ +++ b/udica/__main__.py
|
| |
+ @@ -184,6 +184,13 @@ def get_args():
|
| |
+ dest="VirtAccess",
|
| |
+ action="store_true",
|
| |
+ )
|
| |
+ + parser.add_argument(
|
| |
+ + "--kerberos-access",
|
| |
+ + help="Allow container to use Kerberos authentication ",
|
| |
+ + required=False,
|
| |
+ + dest="KerberosAccess",
|
| |
+ + action="store_true",
|
| |
+ + )
|
| |
+ parser.add_argument(
|
| |
+ "-s",
|
| |
+ "--stream-connect",
|
| |
+ diff --git a/udica/policy.py b/udica/policy.py
|
| |
+ index 9d1eae0..0f36386 100644
|
| |
+ --- a/udica/policy.py
|
| |
+ +++ b/udica/policy.py
|
| |
+ @@ -129,6 +129,10 @@ def create_policy(
|
| |
+ policy.write(" (blockinherit tty_container)\n")
|
| |
+ add_template("tty_container")
|
| |
+
|
| |
+ + if opts["KerberosAccess"]:
|
| |
+ + policy.write(" (blockinherit kerberos_container)\n")
|
| |
+ + add_template("kerberos_container")
|
| |
+ +
|
| |
+ if ports:
|
| |
+ policy.write(" (blockinherit restricted_net_container)\n")
|
| |
+ add_template("net_container")
|
| |
+ --
|
| |
+ 2.43.0
|
| |
+
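Review bot: The help string for the new `--kerberos-access` argument in udica/__main__.py ends with a stray space, `help="Allow container to use Kerberos authentication ",`; drop it, and since the option widens the generated policy it is worth saying what it pulls in, e.g. `help="Allow container to use Kerberos authentication (inherits kerberos_container from container-selinux)",`. In udica/policy.py the new branch indexes `opts["KerberosAccess"]` directly, so any caller that builds the opts dict without that key would hit a KeyError; the sibling option checks are outside the hunk, so `opts.get("KerberosAccess")` is only needed if they are not read the same way. The new test in tests/test_main.py copies the neighbouring docstring `"""podman run fedora"""`, which no longer describes the case; `"""podman run fedora --kerberos-access"""` would. The commit message and the TODO on this page both say the container-selinux version requirement is still unset, so a policy that inherits kerberos_container will presumably fail to load on a host whose container-selinux lacks that block until that requirement lands. Both get_args and create_policy continue outside the hunk.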
|
| |
TODO: container-selinux dependency needs to be set after the new template is shipped