

Add --kerberos-access option
The option inherits a new block (kerberos_container), so udica must require the
version of container-selinux that provides it.

Signed-off-by: Vit Mojzis <[email protected]>
vmojzis committed Jul 1, 2024
1 parent edd373f commit 7b6d862
Showing 4 changed files with 31 additions and 0 deletions.
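--- /dev/null
+++ b/tests/test_kerberosaccess.podman.cil
@@ -0,0 +1,6 @@
+(block my_container
+(blockinherit container)
+(blockinherit kerberos_container)
+(allow process process ( capability ( audit_write chown dac_override fowner fsetid kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot )))
+
+)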
14 changes: 14 additions & 0 deletions tests/test_main.py
Expand Up @@ -331,6 +331,20 @@ def test_ttyaccess_podman(self):
self.assert_templates(output, ["base_container", "tty_container"])
self.assert_policy(test_file("test_ttyaccess.podman.cil"))

def test_kerberosaccess_podman(self):
"""podman run fedora"""
output = self.run_udica(
[
"udica",
"-j",
"tests/test_default.podman.json",
"--kerberos-access",
"my_container",
]
)
self.assert_templates(output, ["base_container", "kerberos_container"])
self.assert_policy(test_file("test_kerberosaccess.podman.cil"))

def test_append_more_rules_podman(self):
"""podman run fedora"""
output = self.run_udica(
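Review bot: The docstring of the new test_kerberosaccess_podman (`"""podman run fedora"""`) is copied from the neighbouring tests and does not say what distinguishes this case, so a failure report names nothing useful; `"""podman run fedora with --kerberos-access"""` would do. The test otherwise mirrors test_ttyaccess_podman (template list plus expected .cil), which is the right shape for an option that only adds a blockinherit. The enclosing test class starts outside the hunk.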
7 changes: 7 additions & 0 deletions udica/__main__.py
Expand Up @@ -184,6 +184,13 @@ def get_args():
dest="VirtAccess",
action="store_true",
)
parser.add_argument(
"--kerberos-access",
help="Allow container to use Kerberos authentication ",
required=False,
dest="KerberosAccess",
action="store_true",
)
parser.add_argument(
"-s",
"--stream-connect",
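Review bot: The help string for --kerberos-access ends in a trailing space (`"Allow container to use Kerberos authentication "`), which argparse prints verbatim; drop it. The text also does not tell the user what the option grants or that it depends on the host's container-selinux, which the commit message says must be a newer version: `help="Allow container to use Kerberos authentication (inherits the kerberos_container block shipped by container-selinux)"`. get_args continues outside the hunk.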
4 changes: 4 additions & 0 deletions udica/policy.py
Expand Up @@ -129,6 +129,10 @@ def create_policy(
policy.write(" (blockinherit tty_container)\n")
add_template("tty_container")

if opts["KerberosAccess"]:
policy.write(" (blockinherit kerberos_container)\n")
add_template("kerberos_container")

if ports:
policy.write(" (blockinherit restricted_net_container)\n")
add_template("net_container")
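Review bot: `add_template("kerberos_container")` and the new `(blockinherit kerberos_container)` line presume the host's container-selinux already provides that block and template; the commit message says udica must require that version, but none of the four changed files carries a packaging or version check, so on an older host the generated policy will presumably fail at template lookup or at `semodule -i` with no hint about why. A comment at the new branch would at least record the dependency for the next reader: `# kerberos_container is provided by container-selinux; needs the release that ships it (see commit message)`, and a clearer error at template-load time would help users more than a CIL compiler message. `opts["KerberosAccess"]` also raises KeyError when opts is built without that key; if the sibling options above use the same subscript form, keeping it consistent is fine, otherwise `opts.get("KerberosAccess")` is safer. create_policy starts and ends outside the hunk.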
