selinux-policy: expand container label entrypoints

runc may invoke host programs through configured OCI hooks, so allow transitions to container labels via `os_t` in order to label those processes correctly. Signed-off-by: Ben Cressey <[email protected]>
bottlerocket-os · Dec 23, 2021 · 45fc891 · 45fc891
1 parent dc18e95
commit 45fc891
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/packages/selinux-policy/rules.cil b/packages/selinux-policy/rules.cil
@@ -82,6 +82,11 @@
 (rangetransition runtime_t cache_t process s0-s0)
 (rangetransition runtime_t secret_t process s0-s0)
 
+; Allow transitions to container labels for programs invoked by OCI
+; hooks. There's no matching type or range transition since `runc`
+; also needs to run other OS programs.
+(allow container_s os_t (file (entrypoint)))
+
 ; Also allow entry to container domains through `docker-init`, which
 ; is mounted from the root filesystem and used as the init process.
 (allow container_s runtime_exec_t (file (entrypoint)))