selinux

scripts/install.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 set -ouex pipefail
 
@@ -20,7 +20,7 @@ rpm-ostree install \
 
 rpm-ostree install "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION#v}.x86_64.rpm"
 
-if [ -x "/usr/sbin/zpool" ]; then
+if [[ -x "/usr/sbin/zpool" ]]; then
     rpm-ostree install \
         nfs-utils \
         samba

scripts/post-install.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 set -ouex pipefail
 
@@ -24,4 +24,6 @@ if [[ -x "/usr/sbin/zpool" ]]; then
     # restorecon -R /mnt/vol1
     # firewall-cmd --reload
     # semanage fcontext --add --type "public_content_rw_t" "/mnt/vol1(/.*)?"
+    semodule --install /usr/share/minio/selinux.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}
+    semodule --install /usr/share/filebrowser/selinux.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}
 fi

usr/share/containers/systemd/filebrowser.container

@@ -18,6 +18,7 @@ Environment=FB_PORT=7000
 Image=ghcr.io/auricom/filebrowser:rolling
 Volume=filebrowser.volume:/config
 Volume=/var/mnt/vol1:/var/mnt/vol1:bind
+SecurityLabelType=filebrowser
 # Traefik
 Label=traefik.enable="true"
 Label=traefik.http.routers.filebrowser.rule=Host'(`filebrowser.feisar.ovh`)'

usr/share/containers/systemd/minio.container

@@ -19,6 +19,7 @@ Environment=MINIO_UPDATE=off
 Image=quay.io/minio/minio:latest
 Exec=server /data --address :9000 --console-address :9001
 Volume=/var/mnt/vol1/apps/minio:/data:bind
+SecurityLabelType=minio
 Label=traefik.enable="true"
 Label=traefik.http.routers.s3.rule=Host'(`s3.feisar.ovh`)'
 Label=traefik.http.routers.s3.entrypoints="websecure"

usr/share/filebrowser/selinux.cli

@@ -0,0 +1,17 @@
+(block filebrowser
+    (blockinherit container)
+    (blockinherit restricted_net_container)
+    (allow process http_cache_port_t ( tcp_socket (  name_bind )))
+    (allow process container_file_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
+    (allow process container_file_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write )))
+    (allow process container_file_t ( fifo_file ( getattr read write append ioctl lock open )))
+    (allow process container_file_t ( sock_file ( append getattr open read write )))
+    (allow process mnt_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
+    (allow process mnt_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write )))
+    (allow process mnt_t ( fifo_file ( getattr read write append ioctl lock open )))
+    (allow process mnt_t ( sock_file ( append getattr open read write )))
+    (allow process unlabeled_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
+    (allow process unlabeled_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write )))
+    (allow process unlabeled_t ( fifo_file ( getattr read write append ioctl lock open )))
+    (allow process unlabeled_t ( sock_file ( append getattr open read write )))
+)

usr/share/minio/selinux.cil

@@ -0,0 +1,11 @@
+(block minio
+    (blockinherit container)
+    (blockinherit restricted_net_container)
+    (allow process process (capability (chown dac_override fowner fsetid kill net_bind_service setfcap setgid setpcap setuid sys_chroot)))
+
+    (allow process http_port_t (tcp_socket (name_bind)))
+    (allow process container_file_t (dir (add_name create getattr ioctl lock open read remove_name rmdir search setattr write)))
+    (allow process container_file_t (file (append create getattr ioctl lock map open read rename setattr unlink write)))
+    (allow process container_file_t (fifo_file (getattr read write append ioctl lock open)))
+    (allow process container_file_t (sock_file (append getattr open read write)))
+)