
Commit c318a63

committed
add container_ro_file_t to the podman artifact store
The artifact store contains many blobs that we would like to have mounted into the container. However, by default SELinux prevents access to these files. I could patch podman to change the label directly, but it seems much better to label the entire artifact store correctly, as we already do with the image store. Signed-off-by: Paul Holzinger <[email protected]>
1 parent 27e970d commit c318a63


2 files changed

+4
-0
lines changed


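--- a/container.fc
+++ b/container.fc
@@ -93,6 +93,7 @@
 /var/lib/buildkit/containerd-.*(/.*?) gen_context(system_u:object_r:container_ro_file_t,s0)
 
 HOME_DIR/\.local/share/ramalama(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/artifacts(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
@@ -110,6 +111,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:
 /var/lib/containers/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/atomic(/.*)? <<none>>
 /var/lib/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/containers/storage/artifacts(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)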
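Review bot: The two new `artifacts(/.*)?` entries label the entire artifact store, metadata as well as blobs, with `container_ro_file_t`, the same type as the surrounding `overlay*` image-store directories; if that type is readable by every container domain, as the image-store precedent suggests, each container can read every stored artifact, not only the ones mounted into it, and any attempt to mount an artifact read-write into a container will be denied under this label. That appears to match the stated intent of read-only blob mounts, but nothing in the file records it, so a one-line comment above each new entry, `# podman artifact store: shared read-only blobs, writable by the runtime only`, would make the trust model explicit for the next reader. Note also that file-context entries only take effect on a relabel, so an existing `storage/artifacts` directory keeps its current label until `restorecon` runs over it.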

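--- a/container.if
+++ b/container.if
@@ -537,6 +537,7 @@ interface(`container_filetrans_named_content',`
 # workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4/work)
 filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "snapshots")
 filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "init")
+filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "artifacts")
 filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay")
 filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-images")
 filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-layers")
@@ -563,6 +564,7 @@ interface(`container_filetrans_named_content',`
 filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-soci")
 
 filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "ramalama")
+filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "artifacts")
 filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay")
 filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-images")
 filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-layers")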
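Review bot: The new `filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "artifacts")` keys the transition on the bare directory name, so, as far as this hunk shows, any directory called `artifacts` that the `$1` domain creates directly inside a `data_home_t` directory is typed `container_ro_file_t`, not only `~/.local/share/containers/storage/artifacts`; the `container_var_lib_t` variant added in the first hunk of this file has the same property. The neighbouring `overlay*` rules share this shape, so the change is consistent with them, but `artifacts` is a far more generic name than `overlay-layers` and is plausibly used by other tools under `~/.local/share`. A short comment above each new line, `# podman artifact store (storage/artifacts); name-based, so any "artifacts" dir $1 creates under this parent type gets container_ro_file_t`, would make that scope visible to the next reviewer. Both hunks lie inside `container_filetrans_named_content`, whose opening and closing lines are outside the hunks.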
