authorKenton Groombridge <concord@gentoo.org>2024-05-06 17:03:59 -0400
committerKenton Groombridge <concord@gentoo.org>2024-05-14 13:41:52 -0400
commitb18c0d3743affd70627adf0832b0fef674f50165 (patch)
tree0c5829407cf04e59135d0b8c70b3d18ea0d65539
parentsystemd: allow systemd-sysctl to search tmpfs (diff)
container, podman: various fixes
Various fixes for containers and podman, mostly centered around quadlet and netavark updates. One particular change which may stand out is allowing podman_conmon_t to IOCTL container_file_t files. I wish I could know why this was hit, but I don't. The relevant AVC is: type=PROCTITLE msg=audit(1704734027.100:15951872): proctitle=2F7573722F6C6962657865632F706F646D616E2F636F6E6D6F6E002D2D6170692D76657273696F6E0031002D630038316432646439333738336637626231346134326463396635333163663533323864653337633838663330383466316634613036616464366163393035666337002D75003831643264643933373833663762 type=EXECVE msg=audit(1704734027.100:15951872): argc=93 a0="/usr/libexec/podman/conmon" a1="--api-version" a2="1" a3="-c" a4="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a5="-u" a6="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a7="-r" a8="/usr/bin/crun" a9="-b" a10="/var/lib/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata" a11="-p" a12="/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/pidfile" a13="-n" a14="harbor-core-pod-core" a15="--exit-dir" a16="/run/libpod/exits" a17="--full-attach" a18="-s" a19="-l" a20="journald" a21="--log-level" a22="warning" a23="--syslog" a24="--runtime-arg" a25="--log-format=json" a26="--runtime-arg" a27="--log" a28="--runtime-arg=/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/oci-log" a29="--conmon-pidfile" a30="/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/conmon.pid" a31="--exit-command" a32="/usr/bin/podman" a33="--exit-command-arg" a34="--root" a35="--exit-command-arg" a36="/var/lib/containers/storage" a37="--exit-command-arg" a38="--runroot" a39="--exit-command-arg" a40="/run/containers/storage" a41="--exit-command-arg" a42="--log-level" 
a43="--exit-command-arg" a44="warning" a45="--exit-command-arg" a46="--cgroup-manager" a47="--exit-command-arg" a48="systemd" a49="--exit-command-arg" a50="--tmpdir" a51="--exit-command-arg" a52="/run/libpod" a53="--exit-command-arg" a54="--network-config-dir" a55="--exit-command-arg" a56="" a57="--exit-command-arg" a58="--network-backend" a59="--exit-command-arg" a60="netavark" a61="--exit-command-arg" a62="--volumepath" a63="--exit-command-arg" a64="/var/lib/containers/storage/volumes" a65="--exit-command-arg" a66="--db-backend" a67="--exit-command-arg" a68="sqlite" a69="--exit-command-arg" a70="--transient-store=false" a71="--exit-command-arg" a72="--runtime" a73="--exit-command-arg" a74="crun" a75="--exit-command-arg" a76="--storage-driver" a77="--exit-command-arg" a78="overlay" a79="--exit-command-arg" a80="--storage-opt" a81="--exit-command-arg" a82="overlay.mountopt=nodev" a83="--exit-command-arg" a84="--events-backend" a85="--exit-command-arg" a86="journald" a87="--exit-command-arg" a88="container" a89="--exit-command-arg" a90="cleanup" a91="--exit-command-arg" a92="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" type=SYSCALL msg=audit(1704734027.100:15951872): arch=c000003e syscall=59 success=yes exit=0 a0=c000698020 a1=c0005ea600 a2=c000820d20 a3=0 items=0 ppid=3434178 pid=3434219 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="conmon" exe="/usr/bin/conmon" subj=system_u:system_r:podman_conmon_t:s0 key=(null) type=AVC msg=audit(1704734027.100:15951872): avc: denied { ioctl } for pid=3434219 comm="conmon" path="/var/lib/containers/storage/volumes/harbor-core/_data/key" dev="dm-0" ino=50845175 scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1 Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r--policy/modules/services/container.if36
-rw-r--r--policy/modules/services/podman.te16
-rw-r--r--policy/modules/system/init.if20
3 files changed, 70 insertions, 2 deletions
diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 268ebec46..009fffc4a 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -878,6 +878,24 @@ interface(`container_signal_all_containers',`
########################################
## <summary>
+## Send signals to a system container.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_signal_system_containers',`
+ gen_require(`
+ attribute container_system_domain;
+ ')
+
+ allow $1 container_system_domain:process signal;
+')
+
+########################################
+## <summary>
## Create objects in /dev with an automatic
## transition to the container device type.
## </summary>
@@ -1326,6 +1344,24 @@ interface(`container_manage_files',`
########################################
## <summary>
+## IOCTL container files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_ioctl_files',`
+ gen_require(`
+ type container_file_t;
+ ')
+
+ allow $1 container_file_t:file ioctl;
+')
+
+########################################
+## <summary>
## Do not audit attempts to relabel
## container file directories.
## </summary>
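Review bot: The new `container_ioctl_files` interface grants every ioctl command on container_file_t files (no xperm filtering) while its summary only says "IOCTL container files."; since the rule carries `ioctl` alone and not `open` or `read`, a caller must already hold a descriptor to such a file, which the description should record for the next person who adds a caller. Suggested summary: `## Perform ioctls on container files (all ioctl commands; does not grant open or read access).`. A sentence in the interface description pointing at the conmon AVC that motivated it would also keep the rationale, and the commit's stated uncertainty about the cause, next to the policy instead of only in the commit log.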
diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index d929bb253..78f8fc086 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -39,6 +39,12 @@ userdom_user_application_domain(podman_user_conmon_t, conmon_exec_t)
allow podman_t podman_conmon_t:process setsched;
+kernel_rw_vm_overcommit_sysctl(podman_t)
+
+init_use_fds(podman_t)
+init_setattr_stream_sockets(podman_t)
+init_stream_connect(podman_t)
+
# for --network=host
selinux_getattr_dirs(podman_t)
selinux_mounton_dirs(podman_t)
@@ -67,8 +73,10 @@ podman_spec_rangetrans_conmon(podman_t, s0)
ifdef(`init_systemd',`
init_dbus_chat(podman_t)
init_setsched(podman_t)
+ init_get_system_status(podman_t)
init_start_system(podman_t)
init_stop_system(podman_t)
+ init_reload(podman_t)
# containers get created as systemd transient units
init_get_transient_units_status(podman_t)
@@ -114,7 +122,7 @@ kernel_read_sysctl(podman_user_t)
logging_send_syslog_msg(podman_user_t)
-init_write_runtime_socket(podman_user_t)
+init_stream_connect(podman_user_t)
mount_exec(podman_user_t)
@@ -191,7 +199,7 @@ ifdef(`init_systemd',`
# podman conmon local policy
#
-allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource };
+allow podman_conmon_t self:capability { dac_override dac_read_search kill sys_ptrace sys_resource };
dontaudit podman_conmon_t self:capability net_admin;
podman_domtrans(podman_conmon_t)
@@ -199,8 +207,12 @@ podman_domtrans(podman_conmon_t)
init_rw_inherited_stream_socket(podman_conmon_t)
init_use_fds(podman_conmon_t)
+container_signal_system_containers(podman_conmon_t)
+
container_read_system_container_state(podman_conmon_t)
+container_ioctl_files(podman_conmon_t)
+
container_manage_runtime_files(podman_conmon_t)
container_manage_runtime_fifo_files(podman_conmon_t)
container_manage_runtime_sock_files(podman_conmon_t)
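Review bot: `container_ioctl_files(podman_conmon_t)` in the last hunk is added without a comment even though the commit message says the cause of the AVC (an ioctl on a file under /var/lib/containers/storage/volumes) is unknown; a comment such as `# ioctl on container volume files observed from conmon; cause not yet understood` would keep that caveat with the rule, and until the cause is known a dontaudit rule would be the least-privilege alternative to an allow. The quoted AVC was recorded with permissive=1, so it shows the access was attempted but not that conmon fails without it. In the first hunk, `kernel_rw_vm_overcommit_sysctl(podman_t)` grants write access to a system-wide memory sysctl with no note on why podman must change it rather than read it; if reading suffices, the read-only counterpart interface in kernel.if would be the narrower choice. The `kill` capability added in the third hunk pairs with the new `container_signal_system_containers` call and would benefit from the same one-line rationale.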
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 24be1a7a7..5d720ffc3 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1165,6 +1165,26 @@ interface(`init_rw_stream_sockets',`
########################################
## <summary>
+## Allow the specified domain to set the
+## attributes of init's unix domain stream
+## sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_setattr_stream_sockets',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:unix_stream_socket setattr;
+')
+
+########################################
+## <summary>
## Do not audit attempts to search init keys.
## </summary>
## <param name="domain">