
(ver4a) Add custom policy for ifconfig

This commit is contained in:
ver4a 2025-10-12 15:22:20 +02:00
parent 677bf5503f
commit 17a6e31805
3 changed files with 21 additions and 0 deletions


@ -26,6 +26,11 @@ RUN dnf5 -y autoremove
# Except for polkit-agent-helper-1, it's currently required for interactive authentication with polkit. # Except for polkit-agent-helper-1, it's currently required for interactive authentication with polkit.
RUN find /usr -mindepth 1 -type f -perm /6000 -regextype posix-extended -not -regex '^/usr/lib/polkit-1/polkit-agent-helper-1$|^/usr/s?bin/unix_chkpwd$|^/usr/s?bin/fusermount[0-9]?$' -exec sh -c "chmod ug-s '{}' && echo \"Removed setuid/setgid bit(s) from '{}'\"" \; RUN find /usr -mindepth 1 -type f -perm /6000 -regextype posix-extended -not -regex '^/usr/lib/polkit-1/polkit-agent-helper-1$|^/usr/s?bin/unix_chkpwd$|^/usr/s?bin/fusermount[0-9]?$' -exec sh -c "chmod ug-s '{}' && echo \"Removed setuid/setgid bit(s) from '{}'\"" \;
COPY ./selinux-policies /tmp/selinux-policies
RUN checkmodule -M -m -o /tmp/selinux-policies/ver4a-selinux.mod /tmp/selinux-policies/ver4a-selinux.te
RUN semodule_package -m /tmp/selinux-policies/ver4a-selinux.mod -o /tmp/selinux-policies/ver4a-selinux.pp
RUN semodule -i /tmp/selinux-policies/ver4a-selinux.pp
# https://github.com/ostreedev/ostree-rs-ext/issues/159 # https://github.com/ostreedev/ostree-rs-ext/issues/159
RUN ostree container commit RUN ostree container commit
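Review bot: The three new RUN lines install the module but leave the source, .mod and .pp under /tmp/selinux-policies in the image and add three separate layers, and the same sequence is repeated in the second file section below. Folding them into one step with a trailing cleanup, `RUN checkmodule -M -m -o /tmp/selinux-policies/ver4a-selinux.mod /tmp/selinux-policies/ver4a-selinux.te && semodule_package -m /tmp/selinux-policies/ver4a-selinux.mod -o /tmp/selinux-policies/ver4a-selinux.pp && semodule -i /tmp/selinux-policies/ver4a-selinux.pp && rm -rf /tmp/selinux-policies`, keeps the build artifacts out of the final image without relying on whether the later `ostree container commit` clears /tmp. A one-line comment above the COPY naming the module's purpose (the ifconfig_t user-namespace capability grant from the new .te file) would also help a reader who does not open selinux-policies. The hunk's counts suggest one added line, presumably blank, was lost in rendering.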


@ -26,6 +26,11 @@ RUN dnf5 -y autoremove
# Except for polkit-agent-helper-1, it's currently required for interactive authentication with polkit. # Except for polkit-agent-helper-1, it's currently required for interactive authentication with polkit.
RUN find /usr -mindepth 1 -type f -perm /6000 -regextype posix-extended -not -regex '^/usr/lib/polkit-1/polkit-agent-helper-1$|^/usr/s?bin/unix_chkpwd$|^/usr/s?bin/fusermount[0-9]?$' -exec sh -c "chmod ug-s '{}' && echo \"Removed setuid/setgid bit(s) from '{}'\"" \; RUN find /usr -mindepth 1 -type f -perm /6000 -regextype posix-extended -not -regex '^/usr/lib/polkit-1/polkit-agent-helper-1$|^/usr/s?bin/unix_chkpwd$|^/usr/s?bin/fusermount[0-9]?$' -exec sh -c "chmod ug-s '{}' && echo \"Removed setuid/setgid bit(s) from '{}'\"" \;
COPY ./selinux-policies /tmp/selinux-policies
RUN checkmodule -M -m -o /tmp/selinux-policies/ver4a-selinux.mod /tmp/selinux-policies/ver4a-selinux.te
RUN semodule_package -m /tmp/selinux-policies/ver4a-selinux.mod -o /tmp/selinux-policies/ver4a-selinux.pp
RUN semodule -i /tmp/selinux-policies/ver4a-selinux.pp
# https://github.com/ostreedev/ostree-rs-ext/issues/159 # https://github.com/ostreedev/ostree-rs-ext/issues/159
RUN ostree container commit RUN ostree container commit


@ -0,0 +1,11 @@
module ver4a-selinux 1.0;
require {
type ifconfig_t;
class cap_userns { net_admin sys_ptrace };
}
#============= ifconfig_t ==============
allow ifconfig_t self:cap_userns { net_admin sys_ptrace };
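Review bot: The new allow rule grants ifconfig_t both net_admin and sys_ptrace inside user namespaces, but neither the file nor the commit message records which AVC denial motivated it, so a later maintainer cannot tell whether sys_ptrace is actually required or was simply carried along from audit2allow-style output. Add a comment above the rule citing the denied operation, e.g. `# Needed for: <AVC denial placeholder> when <tool placeholder> runs in a user namespace`, and confirm each capability against that denial. If the denial turns out to be log noise rather than a functional failure, `dontaudit ifconfig_t self:cap_userns { net_admin sys_ptrace };` silences it without widening what the domain may do. Writing the two capabilities as separate rules also makes it easy to drop one later. The rendered section shows 7 of the 11 added lines, so the blank lines of the file are presumably lost here.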