various: fixes for kubernetes

Signed-off-by: Kenton Groombridge <me@concord.sh>
Kenton Groombridge 2022-06-17 13:14:49 -04:00
parent 1512723b36
commit cd929e846b
10 changed files with 549 additions and 139 deletions


@ -815,26 +815,6 @@ interface(`container_signal_all_containers',`
allow $1 container_domain:process signal_perms;
')
########################################
## <summary>
## Allow the specified domain to
## get the process group ID of all
## containers.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`container_getpgid_all_containers',`
gen_require(`
attribute container_domain;
')
allow $1 container_domain:process getpgid;
')
########################################
## <summary>
## Set the attributes of container ptys.
@ -902,7 +882,7 @@ interface(`container_mountpoint',`
## </summary>
## </param>
#
interface(`container_list_plugins',`
interface(`container_list_plugin_dirs',`
gen_require(`
type container_plugin_t;
')
@ -910,6 +890,26 @@ interface(`container_list_plugins',`
allow $1 container_plugin_t:dir list_dir_perms;
')
########################################
## <summary>
## Allow the specified domain to
## add a watch on container plugin
## directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_watch_plugin_dirs',`
gen_require(`
type container_plugin_t;
')
allow $1 container_plugin_t:dir watch;
')
########################################
## <summary>
## Allow the specified domain to
@ -945,7 +945,7 @@ interface(`container_exec_plugins',`
type container_plugin_t;
')
container_list_plugins($1)
container_list_plugin_dirs($1)
can_exec($1, container_plugin_t)
')
@ -1026,25 +1026,6 @@ interface(`container_rw_config_files',`
rw_files_pattern($1, container_config_t, container_config_t)
')
########################################
## <summary>
## Allow the specified domain to
## write container config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_write_config_files',`
gen_require(`
type container_config_t;
')
write_files_pattern($1, container_config_t, container_config_t)
')
########################################
## <summary>
## Allow the specified domain to
@ -1934,6 +1915,25 @@ interface(`container_manage_var_lib_files',`
manage_files_pattern($1, container_var_lib_t, container_var_lib_t)
')
########################################
## <summary>
## Allow the specified domain to memory
## map container files in /var/lib.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_map_var_lib_files',`
gen_require(`
type container_var_lib_t;
')
allow $1 container_var_lib_t:file map;
')
########################################
## <summary>
## Allow the specified domain to manage
@ -2021,6 +2021,36 @@ interface(`container_var_lib_filetrans',`
files_var_lib_filetrans($1, container_var_lib_t, $2, $3)
')
########################################
## <summary>
## Allow the specified domain to create
## objects in /var/lib with an automatic
## transition to the container file type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="object">
## <summary>
## The object class of the object being created.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`container_var_lib_filetrans_file',`
gen_require(`
type container_file_t;
')
files_var_lib_filetrans($1, container_file_t, $2, $3)
')
########################################
## <summary>
## Allow the specified domain to create
@ -2239,6 +2269,25 @@ interface(`container_manage_log_files',`
manage_files_pattern($1, container_log_t, container_log_t)
')
########################################
## <summary>
## Allow the specified domain to watch
## container log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_watch_log_files',`
gen_require(`
type container_log_t;
')
allow $1 container_log_t:file watch;
')
########################################
## <summary>
## Allow the specified domain to create
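Review bot: The new `container_var_lib_filetrans_file` interface (hunk at -2021) is a near-anagram of `container_filetrans_var_lib_file`, which the kubernetes.te hunks of this same commit still call on unchanged lines (`container_filetrans_var_lib_file(kubelet_t, dir, "pods")`); if that older interface still exists in this file, neither summary tells a reader which one to use or how they differ. I would add one sentence to the new summary stating what distinguishes it from the older name, and either point the older one at the new one or mark it deprecated. The rename of `container_list_plugins` to `container_list_plugin_dirs` (hunk at -902) and the removal of `container_write_config_files` and `container_getpgid_all_containers` likewise ship without compatibility stubs, so any out-of-tree caller stops building; a deprecated wrapper such as `interface(`container_list_plugins',` / `refpolicywarn(`$0($*) has been deprecated, please use container_list_plugin_dirs() instead.')` / `container_list_plugin_dirs($1)` / `')` keeps them compiling while steering callers to the new name.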


@ -86,6 +86,9 @@ roleattribute system_r container_roles;
container_domain_template(container)
typealias container_t alias svirt_lxc_net_t;
typeattribute container_t container_system_domain, container_user_domain, container_net_domain;
optional_policy(`
kubernetes_container(container_t)
')
container_engine_domain_template(container_engine)
typeattribute container_engine_t container_engine_system_domain;
@ -100,6 +103,9 @@ mls_trusted_object(container_engine_t)
type spc_t, container_domain, container_net_domain, container_system_domain, privileged_container_domain;
domain_type(spc_t)
role system_r types spc_t;
optional_policy(`
kubernetes_container(spc_t)
')
type spc_user_t, container_domain, container_net_domain, container_user_domain, privileged_container_domain;
domain_type(spc_user_t)
@ -153,6 +159,9 @@ files_mountpoint(container_file_t)
files_associate_rootfs(container_file_t)
term_pty(container_file_t)
container_mountpoint(container_file_t)
optional_policy(`
kubernetes_mountpoint(container_file_t)
')
type container_ro_file_t;
files_mountpoint(container_ro_file_t)
@ -204,6 +213,7 @@ manage_fifo_files_pattern(container_domain, container_file_t, container_file_t)
rw_chr_files_pattern(container_domain, container_file_t, container_file_t)
rw_blk_files_pattern(container_domain, container_file_t, container_file_t)
allow container_domain container_file_t:dir_file_class_set watch;
allow container_domain container_file_t:file { entrypoint map };
allow container_domain container_ro_file_t:blk_file read_blk_file_perms;
allow container_domain container_ro_file_t:dir list_dir_perms;
@ -283,10 +293,10 @@ tunable_policy(`container_read_public_content',`
')
tunable_policy(`container_use_ecryptfs',`
fs_manage_ecryptfs_dirs(container_domain)
fs_manage_ecryptfs_files(container_domain)
fs_manage_ecryptfs_named_sockets(container_domain)
fs_list_ecryptfs(container_domain)
fs_manage_ecryptfs_dirs(container_domain)
fs_manage_ecryptfs_files(container_domain)
fs_manage_ecryptfs_named_sockets(container_domain)
fs_list_ecryptfs(container_domain)
')
tunable_policy(`container_use_nfs',`
@ -307,10 +317,10 @@ tunable_policy(`container_use_samba',`
optional_policy(`
kubernetes_list_tmpfs(container_domain)
kubernetes_watch_tmpfs_dirs(container_domain)
kubernetes_watch_tmpfs_files(container_domain)
kubernetes_read_tmpfs_files(container_domain)
kubernetes_read_tmpfs_symlinks(container_domain)
kubernetes_watch_tmpfs_dirs(container_domain)
kubernetes_watch_tmpfs_files(container_domain)
')
optional_policy(`
@ -382,7 +392,6 @@ allow container_t self:capability { chown dac_override dac_read_search fowner fs
dontaudit container_t self:capability2 block_suspend;
allow container_t self:process setrlimit;
allow container_t container_file_t:file entrypoint;
allow container_t container_file_t:filesystem getattr;
kernel_read_network_state(container_t)
@ -437,7 +446,8 @@ allow container_engine_domain container_port_t:tcp_socket name_bind;
dontaudit container_engine_domain container_domain:process { noatsecure rlimitinh siginh };
allow container_engine_domain container_domain:process2 { nnp_transition nosuid_transition };
allow container_engine_domain container_mountpoint_type:dir_file_class_set mounton;
allow container_engine_domain container_mountpoint_type:dir search_dir_perms;
allow container_engine_domain container_mountpoint_type:dir_file_class_set { getattr mounton };
corecmd_bin_entry_type(container_engine_domain)
corecmd_exec_bin(container_engine_domain)
@ -644,6 +654,11 @@ ps_process_pattern(container_engine_system_domain, container_system_domain)
allow container_system_domain container_engine_system_domain:fd use;
allow container_system_domain container_engine_system_domain:fifo_file rw_fifo_file_perms;
# for managing container storage on ZFS volumes
fstools_exec(container_engine_system_domain)
logging_send_syslog_msg(container_engine_system_domain)
create_dirs_pattern(container_engine_system_domain, container_config_t, container_config_t)
files_etc_filetrans(container_engine_system_domain, container_config_t, dir)
@ -683,6 +698,13 @@ allow container_engine_system_domain container_engine_cache_t:dir manage_dir_per
allow container_engine_system_domain container_engine_cache_t:file manage_file_perms;
files_var_filetrans(container_engine_system_domain, container_engine_cache_t, { dir file })
container_exec_plugins(container_engine_system_domain)
container_watch_plugin_dirs(container_engine_system_domain)
optional_policy(`
zfs_domtrans(container_engine_system_domain)
')
########################################
#
# Common user container engine local policy
@ -770,10 +792,11 @@ domtrans_pattern(container_engine_system_domain, container_file_t, spc_t)
domtrans_pattern(container_engine_system_domain, container_ro_file_t, spc_t)
domtrans_pattern(container_engine_system_domain, container_var_lib_t, spc_t)
allow spc_t self:process setrlimit;
allow spc_t self:capability { sys_admin sys_resource };
allow spc_t self:process { getcap setrlimit };
allow spc_t self:capability { audit_write chown dac_read_search fowner fsetid sys_admin sys_ptrace sys_rawio sys_resource };
allow spc_t self:capability2 { bpf perfmon };
allow spc_t self:bpf { map_create map_read map_write prog_load prog_run };
allow spc_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow spc_t self:netlink_generic_socket create_socket_perms;
allow spc_t self:netlink_netfilter_socket create_socket_perms;
allow spc_t self:netlink_xfrm_socket create_socket_perms;
@ -782,6 +805,19 @@ allow container_engine_system_domain spc_t:process { setsched signal_perms };
allow spc_t container_engine_system_domain:fifo_file rw_fifo_file_perms;
# for kubernetes debug pods - for some reason,
# cri-o does not relabel the container's /dev
# when a debug pod is created, so the user will
# be unable to attach to its terminal unless
# this is allowed
allow spc_t container_engine_tmpfs_t:dir list_dir_perms;
allow spc_t container_engine_tmpfs_t:chr_file rw_chr_file_perms;
allow spc_t container_engine_tmpfs_t:lnk_file read_lnk_file_perms;
# for kubernetes storage class providers
allow spc_t container_file_t:{ dir file } mounton;
allow spc_t container_file_t:dir_file_class_set { relabelfrom relabelto };
allow spc_t container_runtime_t:dir { manage_dir_perms mounton };
allow spc_t container_runtime_t:file manage_file_perms;
allow spc_t container_runtime_t:sock_file manage_sock_file_perms;
@ -790,7 +826,10 @@ dev_mounton_sysfs_dirs(spc_t)
dev_read_sysfs(spc_t)
fs_read_nsfs_files(spc_t)
fs_mount_xattr_fs(spc_t)
fs_unmount_xattr_fs(spc_t)
fs_mount_cgroup(spc_t)
fs_mounton_cgroup(spc_t)
fs_list_cgroup_dirs(spc_t)
fs_mount_bpf(spc_t)
fs_create_bpf_dirs(spc_t)
@ -801,15 +840,21 @@ fs_watch_tmpfs_dirs(spc_t)
kernel_load_module(spc_t)
kernel_request_load_module(spc_t)
kernel_read_network_state(spc_t)
kernel_read_vm_overcommit_sysctl(spc_t)
kernel_dontaudit_list_unlabeled(spc_t)
init_dbus_chat(spc_t)
init_run_bpf(spc_t)
storage_raw_rw_fixed_disk(spc_t)
init_read_state(spc_t)
iptables_read_runtime_files(spc_t)
modutils_read_module_deps(spc_t)
container_list_plugins(spc_t)
# for kubernetes debug pods
term_use_generic_ptys(spc_t)
container_list_plugin_dirs(spc_t)
container_manage_plugin_files(spc_t)
container_create_config_files(spc_t)
@ -821,7 +866,12 @@ container_manage_log_files(spc_t)
container_manage_var_lib_dirs(spc_t)
container_manage_var_lib_files(spc_t)
allow spc_t container_var_lib_t:file map;
container_map_var_lib_files(spc_t)
ifdef(`init_systemd',`
init_dbus_chat(spc_t)
init_run_bpf(spc_t)
')
optional_policy(`
dbus_system_bus_client(spc_t)
@ -836,6 +886,7 @@ optional_policy(`
kubernetes_watch_plugin_dirs(spc_t)
kubernetes_manage_plugin_files(spc_t)
# Calico runs as a privileged container
kubernetes_run_engine_bpf(spc_t)
')
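Review bot: The widening of spc_t's capability set (hunk at -770: `audit_write chown dac_read_search fowner fsetid sys_ptrace sys_rawio` plus `capability2 { bpf perfmon }` and the bpf map/prog permissions) and the raw fixed-disk access added in the hunk at -801 (`storage_raw_rw_fixed_disk(spc_t)`) carry no why-comment, while the neighbouring additions do (`# for kubernetes debug pods`, `# for kubernetes storage class providers`). spc_t is the domain of every privileged container, not only the kubernetes components this commit targets, so without a note nobody can later decide whether sys_rawio or raw disk access is still required. I would name the workload on each group, e.g. `# <workload name>: needs sys_rawio and raw access to fixed disks` above the storage line and a matching comment above the capability rule, and, if only one provider needs them, consider a dedicated domain rather than granting them to all privileged containers. The same comment-the-grant request applies to the kubelet_t capability widening in the kubernetes.te hunk at -102.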


@ -10,7 +10,6 @@ container_system_engine(crio_t)
kubernetes_container_engine(crio_t)
type crio_exec_t;
container_engine_executable_file(crio_exec_t)
application_domain(crio_t, crio_exec_t)
init_daemon_domain(crio_t, crio_exec_t)
ifdef(`enable_mls',`
init_ranged_daemon_domain(crio_t, crio_exec_t, s0 - mls_systemhigh)
@ -74,7 +73,7 @@ optional_policy(`
# crio conmon local policy
#
allow crio_conmon_t self:capability { sys_ptrace sys_resource };
allow crio_conmon_t self:capability { kill sys_ptrace sys_resource };
files_search_tmp(crio_conmon_t)
@ -83,10 +82,12 @@ fs_list_cgroup_dirs(crio_conmon_t)
init_rw_inherited_stream_socket(crio_conmon_t)
init_use_fds(crio_conmon_t)
container_getpgid_all_containers(crio_conmon_t)
container_kill_all_containers(crio_conmon_t)
container_read_all_container_state(crio_conmon_t)
# for kubernetes debug pods
container_use_container_ptys(crio_conmon_t)
# crio logs are tmp files
container_manage_engine_tmp_files(crio_conmon_t)
container_manage_engine_tmp_sock_files(crio_conmon_t)
@ -103,3 +104,6 @@ container_manage_var_lib_fifo_files(crio_conmon_t)
container_manage_var_lib_sock_files(crio_conmon_t)
container_manage_log_files(crio_conmon_t)
kubernetes_getpgid_containers(crio_conmon_t)
kubernetes_kubelet_kill(crio_conmon_t)
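Review bot: crio_conmon_t gains the `kill` capability (hunk at -74) with no comment explaining the need, unlike the `# for kubernetes debug pods` note added in the next hunk. CAP_KILL is only consulted when the sender's and target's credentials differ, so presumably this is for container processes that run as a UID other than conmon's; if that is the case, recording it as `# CAP_KILL: container processes may run as a different UID than conmon` makes the grant auditable. The removal of `application_domain(crio_t, crio_exec_t)` in the first hunk also deserves a word in the commit message or a comment, since it changes which domains may execute crio_exec_t directly.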


@ -30,7 +30,7 @@ template(`kubernetes_kubectl_role',`
gen_require(`
attribute kubectl_domain;
type kubectl_exec_t;
type kubernetes_conf_home_t;
type kubernetes_home_t;
')
########################################
@ -49,17 +49,17 @@ template(`kubernetes_kubectl_role',`
domtrans_pattern($3, kubectl_exec_t, $1_kubectl_t)
allow $2 kubernetes_conf_home_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 kubernetes_conf_home_t:file { manage_file_perms relabel_file_perms };
allow $2 kubernetes_conf_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
userdom_user_home_dir_filetrans($2, kubernetes_conf_home_t, dir, ".kube")
allow $2 kubernetes_home_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 kubernetes_home_t:file { manage_file_perms relabel_file_perms };
allow $2 kubernetes_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
userdom_user_home_dir_filetrans($2, kubernetes_home_t, dir, ".kube")
allow $3 $1_kubectl_t:process { ptrace signal_perms };
ps_process_pattern($3, $1_kubectl_t)
auth_use_nsswitch($1_kubectl_t)
# kubectl executes an editor when editing files
# kubectl executes an editor when editing files.
# transition back to the user domain when running them
corecmd_bin_domtrans($1_kubectl_t, $2)
@ -133,6 +133,44 @@ interface(`kubernetes_read_kubelet_state',`
ps_process_pattern($1, kubelet_t)
')
#######################################
## <summary>
## Inherit and use file descriptors from
## kubelet.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kubernetes_use_kubelet_fds',`
gen_require(`
type kubelet_t;
')
allow $1 kubelet_t:fd use;
')
#######################################
## <summary>
## Allow kubelet to send a kill signal
## to the specified domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kubernetes_kubelet_kill',`
gen_require(`
type kubelet_t;
')
allow kubelet_t $1:process sigkill;
')
#######################################
## <summary>
## Execute kubeadm in the kubeadm domain.
@ -200,6 +238,28 @@ interface(`kubernetes_container_engine',`
typeattribute $1 kubernetes_container_engine_domain;
')
########################################
## <summary>
## Associated the specified domain to
## be a domain which is capable of
## operating as a container domain
## which can be spawned by kubernetes.
## engine.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kubernetes_container',`
gen_require(`
attribute kubernetes_container_domain;
')
typeattribute $1 kubernetes_container_domain;
')
########################################
## <summary>
## Allow the specified file type to be
@ -219,6 +279,26 @@ interface(`kubernetes_mountpoint',`
typeattribute $1 kubernetes_mountpoint_type;
')
########################################
## <summary>
## Allow the specified domain to
## get the process group ID of all
## kubernetes containers.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`kubernetes_getpgid_containers',`
gen_require(`
attribute kubernetes_container_domain;
')
allow $1 kubernetes_container_domain:process getpgid;
')
########################################
## <summary>
## Run kubernetes container engine bpf
@ -314,6 +394,24 @@ interface(`kubernetes_watch_config_dirs',`
allow $1 kubernetes_config_t:dir watch;
')
########################################
## <summary>
## Manage kubernetes config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kubernetes_manage_config_files',`
gen_require(`
type kubernetes_config_t;
')
manage_files_pattern($1, kubernetes_config_t, kubernetes_config_t)
')
########################################
## <summary>
## Mount on kubernetes config files.
@ -351,6 +449,27 @@ interface(`kubernetes_watch_config_files',`
allow $1 kubernetes_config_t:file watch;
')
########################################
## <summary>
## Allow the specified domain to search
## through the contents of kubernetes plugin
## directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kubernetes_search_plugin_dirs',`
gen_require(`
type kubernetes_plugin_t;
')
corecmd_search_bin($1)
allow $1 kubernetes_plugin_t:dir search_dir_perms;
')
########################################
## <summary>
## Allow the specified domain to list
@ -412,6 +531,7 @@ interface(`kubernetes_manage_plugin_files',`
########################################
## <summary>
## List the contents of kubernetes tmpfs
## directories.
## </summary>
## <param name="domain">
## <summary>
@ -707,7 +827,7 @@ interface(`kubernetes_admin',`
type kubectl_exec_t;
type kubernetes_config_t, kubernetes_tmp_t;
type kubernetes_tmpfs_t, kubernetes_runtime_t;
type kubernetes_conf_home_t;
type kubernetes_home_t;
')
container_admin($1, $2)
@ -721,6 +841,8 @@ interface(`kubernetes_admin',`
# kubectl executes an editor when editing files
# transition back to the user domain when running them
corecmd_bin_domtrans(kubectl_t, $1)
allow $1 kubectl_t:fd use;
allow $1 kubectl_t:fifo_file rw_inherited_fifo_file_perms;
allow $1 kubeadm_t:process { ptrace signal_perms };
ps_process_pattern($1, kubeadm_t)
@ -734,17 +856,17 @@ interface(`kubernetes_admin',`
files_search_etc($1)
admin_pattern($1, kubernetes_config_t)
files_search_runtime($1)
admin_pattern($1, kubernetes_runtime_t)
files_search_tmp($1)
admin_pattern($1, kubernetes_tmp_t)
fs_search_tmpfs($1)
admin_pattern($1, kubernetes_tmpfs_t)
files_search_runtime($1)
admin_pattern($1, kubernetes_runtime_t)
admin_pattern($1, kubernetes_conf_home_t)
userdom_user_home_dir_filetrans($1, kubernetes_conf_home_t, dir, ".kube")
admin_pattern($1, kubernetes_home_t)
userdom_user_home_dir_filetrans($1, kubernetes_home_t, dir, ".kube")
optional_policy(`
crio_admin($1, $2)
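Review bot: The summary of the new `kubernetes_container` interface (hunk at -200) is garbled: "Associated the specified domain to be a domain which is capable of operating as a container domain which can be spawned by kubernetes. engine." has a stray sentence break and a dangling "engine."; I would replace it with `## Mark the specified domain as a container domain that can be spawned by a kubernetes container engine.` Two parameter descriptions in the same file are also copied from the wrong template: `kubernetes_getpgid_containers` (hunk at -219) says `Domain allowed to transition.` although it only grants getpgid, and `kubernetes_kubelet_kill` (hunk at -133) says `Domain allowed access.` although $1 is the target that kubelet_t is allowed to sigkill, not the grantee. Suggested wording: `## Domain allowed access.` for the former and `## Domain that kubelet may send SIGKILL to.` for the latter.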


@ -20,12 +20,11 @@ attribute kubernetes_container_domain;
# on by kubernetes containers
attribute kubernetes_mountpoint_type;
# common attribute for all kubectl domains
# attribute for kubectl domains
attribute kubectl_domain;
type kubelet_t;
type kubelet_t, kubectl_domain;
type kubelet_exec_t;
domain_type(kubelet_t)
container_engine_executable_file(kubelet_exec_t)
init_daemon_domain(kubelet_t, kubelet_exec_t)
role kubernetes_roles types kubelet_t;
@ -51,12 +50,12 @@ type kubernetes_runtime_t;
files_runtime_file(kubernetes_runtime_t)
kubernetes_mountpoint(kubernetes_runtime_t)
# files created in /tmp by kubectl for editing
type kubernetes_tmp_t;
files_tmp_file(kubernetes_tmp_t)
type kubernetes_tmpfs_t;
files_type(kubernetes_tmpfs_t)
kubernetes_mountpoint(kubernetes_tmpfs_t)
type kubernetes_unit_t;
init_unit_file(kubernetes_unit_t)
@ -69,17 +68,29 @@ xdg_config_content(kubernetes_home_t)
# common kubernetes container engine policy
#
allow kubernetes_container_engine_domain kubernetes_mountpoint_type:dir search_dir_perms;
allow kubernetes_container_engine_domain kubernetes_mountpoint_type:dir_file_class_set { getattr mounton };
allow kubernetes_container_engine_domain kubernetes_container_domain:process getpgid;
ps_process_pattern(kubernetes_container_engine_domain, kubernetes_container_domain)
# for kubectl port-forward
corenet_tcp_connect_all_ports(kubernetes_container_engine_domain)
files_getattr_kernel_modules(kubernetes_container_engine_domain)
# for replicated storage that may be mounted in /mnt
files_search_mnt(kubernetes_container_engine_domain)
fs_mounton_tmpfs(kubernetes_container_engine_domain)
fs_relabelfrom_tmpfs_dirs(kubernetes_container_engine_domain)
# for relabeling newly provisioned persistent volumes
kernel_list_unlabeled(kubernetes_container_engine_domain)
kernel_relabelfrom_unlabeled_dirs(kubernetes_container_engine_domain)
iptables_getattr_runtime_files(kubernetes_container_engine_domain)
corecmd_search_bin(kubernetes_container_engine_domain)
allow kubernetes_container_engine_domain kubernetes_plugin_t:dir search_dir_perms;
container_use_container_ptys(kubernetes_container_engine_domain)
container_exec_plugins(kubernetes_container_engine_domain)
@ -87,8 +98,10 @@ container_exec_plugins(kubernetes_container_engine_domain)
container_search_logs(kubernetes_container_engine_domain)
container_watch_log_dirs(kubernetes_container_engine_domain)
container_filetrans_var_lib_file(kubernetes_container_engine_domain, dir, "calico")
container_filetrans_var_lib_file(kubernetes_container_engine_domain, dir, "etcd")
container_var_lib_filetrans_file(kubernetes_container_engine_domain, dir, "calico")
container_var_lib_filetrans_file(kubernetes_container_engine_domain, dir, "etcd")
kubernetes_search_plugin_dirs(kubernetes_container_engine_domain)
ifdef(`init_systemd',`
init_dbus_chat(kubernetes_container_engine_domain)
@ -102,13 +115,49 @@ ifdef(`init_systemd',`
init_stop_transient_units(kubernetes_container_engine_domain)
')
tunable_policy(`container_manage_public_content',`
miscfiles_mounton_all_public_dirs(kubernetes_container_engine_domain)
miscfiles_mounton_all_public_files(kubernetes_container_engine_domain)
')
tunable_policy(`container_read_public_content',`
miscfiles_mounton_all_public_dirs(kubernetes_container_engine_domain)
miscfiles_mounton_all_public_files(kubernetes_container_engine_domain)
')
########################################
#
# common kubernetes container policy
#
allow kubernetes_container_domain kubernetes_container_engine_domain:fd use;
# for control plane IPC
container_stream_connect_spec_container(kubernetes_container_domain, kubernetes_container_domain)
container_manage_var_lib_dirs(kubernetes_container_domain)
container_manage_var_lib_files(kubernetes_container_domain)
container_map_var_lib_files(kubernetes_container_domain)
# for kube-apiserver if using an volume for storing logs
container_list_log_dirs(kubernetes_container_domain)
container_create_log_dirs(kubernetes_container_domain)
container_manage_log_files(kubernetes_container_domain)
kubernetes_watch_config_dirs(kubernetes_container_domain)
kubernetes_watch_config_files(kubernetes_container_domain)
kubernetes_list_plugins(kubernetes_container_domain)
kubernetes_watch_plugin_dirs(kubernetes_container_domain)
kubernetes_manage_plugin_files(kubernetes_container_domain)
########################################
#
# kubelet local policy
#
allow kubelet_t self:process { getattr getsched setrlimit signal };
allow kubelet_t self:capability { chown dac_override dac_read_search net_admin net_raw sys_ptrace sys_resource };
allow kubelet_t self:capability { chown dac_override dac_read_search fowner fsetid kill net_admin net_raw sys_ptrace sys_resource };
allow kubelet_t self:cap_userns sys_ptrace;
allow kubelet_t self:fifo_file rw_fifo_file_perms;
allow kubelet_t self:rawip_socket create_socket_perms;
@ -116,13 +165,18 @@ allow kubelet_t self:tcp_socket create_stream_socket_perms;
allow kubelet_t self:unix_dgram_socket create_socket_perms;
allow kubelet_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow kubelet_t kubernetes_container_engine_domain:process sigkill;
allow kubelet_t kubernetes_container_domain:process sigkill;
allow kubelet_t kubernetes_mountpoint_type:dir search_dir_perms;
allow kubelet_t kubernetes_plugin_t:dir { create_dir_perms list_dir_perms watch };
allow kubelet_t kubernetes_plugin_t:file { create_file_perms rw_file_perms };
manage_files_pattern(kubelet_t, kubernetes_plugin_t, kubernetes_plugin_t)
can_exec(kubelet_t, kubernetes_plugin_t)
# kubelet drops plugins in /usr/libexec/kubernetes
corecmd_bin_filetrans(kubelet_t, kubernetes_plugin_t, dir, "kubernetes")
allow kubelet_t kubernetes_config_t:dir { list_dir_perms watch };
allow kubelet_t kubernetes_config_t:dir { create_dir_perms list_dir_perms watch };
allow kubelet_t kubernetes_config_t:file { read_file_perms watch };
allow kubelet_t kubernetes_config_t:lnk_file read_lnk_file_perms;
files_etc_filetrans(kubelet_t, kubernetes_config_t, dir)
@ -137,6 +191,10 @@ allow kubelet_t kubernetes_runtime_t:file manage_file_perms;
allow kubelet_t kubernetes_runtime_t:sock_file manage_sock_file_perms;
files_runtime_filetrans(kubelet_t, kubernetes_runtime_t, { dir file sock_file })
# kubelet detects unsafe mount behavior in /tmp by creating and unmounting a dir
manage_dirs_pattern(kubelet_t, kubernetes_tmp_t, kubernetes_tmp_t)
files_tmp_filetrans(kubelet_t, kubernetes_tmp_t, dir)
kubernetes_manage_tmpfs_dirs(kubelet_t)
kubernetes_manage_tmpfs_files(kubelet_t)
kubernetes_manage_tmpfs_symlinks(kubelet_t)
@ -149,9 +207,8 @@ corenet_tcp_bind_kubernetes_port(kubelet_t)
corenet_tcp_connect_kubernetes_port(kubelet_t)
corenet_tcp_connect_all_unreserved_ports(kubelet_t)
corecmd_search_bin(kubelet_t)
corecmd_watch_bin_dirs(kubelet_t)
corecmd_exec_bin(kubelet_t)
corecmd_watch_bin_dirs(kubelet_t)
dev_getattr_mtrr_dev(kubelet_t)
dev_read_kmsg(kubelet_t)
@ -161,33 +218,34 @@ domain_dontaudit_read_all_domains_state(kubelet_t)
domain_setpriority_all_domains(kubelet_t)
files_dontaudit_getattr_all_dirs(kubelet_t)
files_dontaudit_search_mnt(kubelet_t)
files_dontaudit_search_tmp(kubelet_t)
files_search_tmp(kubelet_t)
# search mnt for using persistent storage, if mounted there
files_search_mnt(kubelet_t)
files_read_kernel_symbol_table(kubelet_t)
# read /usr/share/mime/globs2
files_read_usr_files(kubelet_t)
fs_getattr_tmpfs(kubelet_t)
fs_search_tmpfs(kubelet_t)
fs_setattr_tmpfs_dirs(kubelet_t)
fs_getattr_xattr_fs(kubelet_t)
fs_getattr_cgroup(kubelet_t)
fs_list_cgroup_dirs(kubelet_t)
fs_manage_cgroup_dirs(kubelet_t)
fs_manage_cgroup_files(kubelet_t)
fs_watch_cgroup_dirs(kubelet_t)
fs_rw_cgroup_files(kubelet_t)
kernel_dontaudit_getattr_proc(kubelet_t)
kernel_getattr_message_if(kubelet_t)
kernel_read_ring_buffer(kubelet_t)
kernel_read_irq_sysctls(kubelet_t)
kernel_read_network_state(kubelet_t)
kernel_read_system_state(kubelet_t)
kernel_read_state(kubelet_t)
kernel_rw_kernel_sysctl(kubelet_t)
kernel_rw_net_sysctls(kubelet_t)
kernel_rw_vm_overcommit_sysctl(kubelet_t)
kernel_dontaudit_getattr_proc(kubelet_t)
kernel_read_state(kubelet_t)
storage_dontaudit_getattr_fixed_disk_dev(kubelet_t)
storage_getattr_fixed_disk_dev(kubelet_t)
auth_use_nsswitch(kubelet_t)
@ -205,6 +263,13 @@ miscfiles_read_localization(kubelet_t)
modutils_domtrans(kubelet_t)
mount_domtrans(kubelet_t)
# for kubelet's metrics gathering
mount_read_state(kubelet_t)
# kubelet performs CSI driver actions. At startup, kubelet determines
# if SELinux is enabled in order to relabel newly provisioned volumes
selinux_get_fs_mount(kubelet_t)
selinux_get_enforce_mode(kubelet_t)
seutil_read_default_contexts(kubelet_t)
@ -227,19 +292,6 @@ container_stream_connect_spec_container(kubelet_t, kubernetes_container_domain)
container_read_all_container_state(kubelet_t)
container_read_all_container_engine_state(kubelet_t)
container_list_var_lib(kubelet_t)
container_manage_dirs(kubelet_t)
container_manage_files(kubelet_t)
container_manage_lnk_files(kubelet_t)
container_manage_sock_files(kubelet_t)
container_rw_fifo_files(kubelet_t)
container_watch_dirs(kubelet_t)
container_list_ro_dirs(kubelet_t)
container_manage_log_dirs(kubelet_t)
container_manage_log_files(kubelet_t)
container_manage_log_symlinks(kubelet_t)
# kubelet will preemptively relabel container
# files to the same label even if the labels
# are correct, so just dontaudit these
@ -258,9 +310,30 @@ container_filetrans_var_lib_file(kubelet_t, dir, "pods")
container_filetrans_var_lib_file(kubelet_t, dir, "plugins")
container_filetrans_var_lib_file(kubelet_t, dir, "plugins_registry")
container_manage_dirs(kubelet_t)
container_manage_files(kubelet_t)
container_manage_lnk_files(kubelet_t)
container_manage_sock_files(kubelet_t)
container_rw_fifo_files(kubelet_t)
container_watch_dirs(kubelet_t)
container_list_ro_dirs(kubelet_t)
container_relabel_all_content(kubelet_t)
container_manage_log_dirs(kubelet_t)
container_manage_log_files(kubelet_t)
container_manage_log_symlinks(kubelet_t)
container_watch_log_files(kubelet_t)
container_log_filetrans(kubelet_t, { dir file })
kubernetes_manage_tmpfs_dirs(kubelet_t)
kubernetes_manage_tmpfs_files(kubelet_t)
kubernetes_manage_tmpfs_symlinks(kubelet_t)
fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir file lnk_file })
ifdef(`init_systemd',`
init_dbus_chat(kubelet_t)
init_get_system_status(kubelet_t)
init_start_system(kubelet_t)
init_stop_system(kubelet_t)
init_get_transient_units_status(kubelet_t)
@ -272,9 +345,21 @@ ifdef(`init_systemd',`
kubernetes_stop_unit(kubelet_t)
')
optional_policy(`
docker_read_state(kubelet_t)
docker_write_state(kubelet_t)
tunable_policy(`container_manage_public_content',`
miscfiles_search_public_dirs(kubelet_t)
')
tunable_policy(`container_read_public_content',`
miscfiles_search_public_dirs(kubelet_t)
')
tunable_policy(`container_use_nfs',`
fs_getattr_nfs(kubelet_t)
fs_getattr_nfsd_fs(kubelet_t)
fs_search_nfsd_fs(kubelet_t)
fs_manage_nfs_dirs(kubelet_t)
fs_manage_nfs_files(kubelet_t)
fs_manage_nfs_symlinks(kubelet_t)
')
optional_policy(`
@ -298,13 +383,14 @@ allow kubeadm_t self:unix_dgram_socket create_socket_perms;
domtrans_pattern(kubeadm_t, kubelet_exec_t, kubelet_t)
ps_process_pattern(kubeadm_t, kubelet_t)
allow kubeadm_t kubernetes_mountpoint_type:dir search_dir_perms;
manage_dirs_pattern(kubeadm_t, kubernetes_config_t, kubernetes_config_t)
manage_files_pattern(kubeadm_t, kubernetes_config_t, kubernetes_config_t)
manage_lnk_files_pattern(kubeadm_t, kubernetes_config_t, kubernetes_config_t)
allow kubeadm_t kubernetes_home_t:dir search_dir_perms;
allow kubeadm_t kubernetes_home_t:file read_file_perms;
allow kubeadm_t kubernetes_home_t:lnk_file read_lnk_file_perms;
read_files_pattern(kubeadm_t, kubernetes_home_t, kubernetes_home_t)
read_lnk_files_pattern(kubeadm_t, kubernetes_home_t, kubernetes_home_t)
corenet_tcp_bind_generic_node(kubeadm_t)
@ -318,24 +404,27 @@ corecmd_exec_bin(kubeadm_t)
domain_use_interactive_fds(kubeadm_t)
files_read_boot_files(kubeadm_t)
files_read_etc_files(kubeadm_t)
files_search_kernel_modules(kubeadm_t)
files_search_src(kubeadm_t)
files_read_usr_files(kubeadm_t)
files_read_usr_src_files(kubeadm_t)
# not actually required, but useful for reading manifests copied to /tmp
files_search_tmp(kubeadm_t)
fs_getattr_tmpfs(kubeadm_t)
fs_list_tmpfs(kubeadm_t)
fs_unmount_tmpfs(kubeadm_t)
fs_manage_tmpfs_dirs(kubeadm_t)
fs_getattr_xattr_fs(kubeadm_t)
fs_unmount_xattr_fs(kubeadm_t)
fs_getattr_cgroup(kubeadm_t)
fs_search_cgroup_dirs(kubeadm_t)
fs_read_cgroup_files(kubeadm_t)
kernel_read_network_state(kubeadm_t)
kernel_read_system_state(kubeadm_t)
kernel_read_net_sysctls(kubeadm_t)
kernel_read_kernel_sysctls(kubeadm_t)
kernel_read_net_sysctls(kubeadm_t)
kernel_dontaudit_getattr_proc(kubeadm_t)
auth_use_nsswitch(kubeadm_t)
@ -356,26 +445,23 @@ userdom_search_user_home_content(kubeadm_t)
userdom_use_user_terminals(kubeadm_t)
userdom_lock_user_terminals(kubeadm_t)
# getattr on /run/docker.sock
container_getattr_runtime_sock_files(kubeadm_t)
# for connecting to cri-o and maybe others
container_stream_connect_system_engine(kubeadm_t)
container_list_var_lib(kubeadm_t)
container_manage_var_lib_dirs(kubeadm_t)
container_manage_var_lib_files(kubeadm_t)
container_filetrans_var_lib_file(kubeadm_t, dir, "etcd")
container_manage_dirs(kubeadm_t)
container_manage_files(kubeadm_t)
container_manage_lnk_files(kubeadm_t)
container_manage_sock_files(kubeadm_t)
container_manage_var_lib_dirs(kubeadm_t)
container_manage_var_lib_files(kubeadm_t)
container_manage_var_lib_lnk_files(kubeadm_t)
container_manage_var_lib_sock_files(kubeadm_t)
container_var_lib_filetrans(kubeadm_t, dir)
container_var_lib_filetrans_file(kubeadm_t, dir)
container_manage_dirs(kubeadm_t)
container_manage_files(kubeadm_t)
container_manage_chr_files(kubeadm_t)
container_manage_fifo_files(kubeadm_t)
container_manage_lnk_files(kubeadm_t)
container_manage_sock_files(kubeadm_t)
kubernetes_list_tmpfs(kubeadm_t)
kubernetes_read_tmpfs_symlinks(kubeadm_t)
ifdef(`init_systemd',`
init_get_system_status(kubeadm_t)
@ -391,9 +477,8 @@ ifdef(`init_systemd',`
systemd_read_journal_files(kubeadm_t)
')
optional_policy(`
docker_domtrans_cli(kubeadm_t)
docker_read_state(kubeadm_t)
tunable_policy(`container_use_nfs',`
fs_unmount_nfs(kubeadm_t)
')
########################################
@ -405,30 +490,36 @@ allow kubectl_domain self:process { getsched signal };
allow kubectl_domain self:fifo_file rw_fifo_file_perms;
allow kubectl_domain self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(kubectl_domain, kubernetes_conf_home_t, kubernetes_conf_home_t)
manage_files_pattern(kubectl_domain, kubernetes_conf_home_t, kubernetes_conf_home_t)
read_lnk_files_pattern(kubectl_domain, kubernetes_conf_home_t, kubernetes_conf_home_t)
manage_dirs_pattern(kubectl_domain, kubernetes_home_t, kubernetes_home_t)
manage_files_pattern(kubectl_domain, kubernetes_home_t, kubernetes_home_t)
read_lnk_files_pattern(kubectl_domain, kubernetes_home_t, kubernetes_home_t)
files_search_tmp(kubectl_domain)
manage_dirs_pattern(kubectl_domain, kubernetes_tmp_t, kubernetes_tmp_t)
manage_files_pattern(kubectl_domain, kubernetes_tmp_t, kubernetes_tmp_t)
files_tmp_filetrans(kubectl_domain, kubernetes_tmp_t, file)
manage_lnk_files_pattern(kubectl_domain, kubernetes_tmp_t, kubernetes_tmp_t)
files_tmp_filetrans(kubectl_domain, kubernetes_tmp_t, { dir file })
corenet_tcp_bind_generic_node(kubectl_domain)
# binds to 8001 for proxy
corenet_tcp_bind_all_unreserved_ports(kubectl_domain)
corenet_tcp_bind_generic_node(kubectl_domain)
corenet_tcp_connect_http_port(kubectl_domain)
corenet_tcp_connect_http_cache_port(kubectl_domain)
corenet_tcp_connect_kubernetes_port(kubectl_domain)
domain_use_interactive_fds(kubectl_domain)
files_read_etc_files(kubectl_domain)
files_read_usr_files(kubectl_domain)
files_search_tmp(kubectl_domain)
kernel_dontaudit_search_network_sysctl(kubectl_domain)
miscfiles_read_generic_certs(kubectl_domain)
miscfiles_read_localization(kubectl_domain)
# allow users to store manifests in their home directories
userdom_manage_user_home_content_files(kubectl_domain)
userdom_use_user_terminals(kubectl_domain)
########################################
@ -437,3 +528,8 @@ userdom_use_user_terminals(kubectl_domain)
#
auth_use_nsswitch(kubectl_t)
# not required, but convenient for using config commands
# in the config directory
kubernetes_read_config(kubectl_t)
kubernetes_manage_config_files(kubectl_t)


@ -39,9 +39,9 @@ userdom_user_application_domain(podman_user_conmon_t, conmon_exec_t)
allow podman_t podman_conmon_t:process setsched;
# podman 4.0.0 now creates OCI networking configs
container_create_config_files(podman_t)
container_write_config_files(podman_t)
# podman creates OCI networking configs and will
# remove them when running podman system reset
container_manage_config_files(podman_t)
logging_send_syslog_msg(podman_t)
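Review bot: `container_manage_config_files(podman_t)` widens podman_t from create/write to the full manage set (including delete and rename) on every container_config_t file, while the comment above it only justifies removal of the OCI networking configs podman itself creates. If the wider scope is intended, the comment should state it so the next reviewer does not read it as limited to those configs: `# podman creates OCI networking configs and removes them on "podman system reset"; manage covers all container_config_t files, not only these`. If it is not intended, a narrower delete-only grant for the files podman creates would match the stated need better, assuming the container module offers one.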


@ -284,6 +284,12 @@ ifdef(`distro_debian',`
term_dontaudit_use_unallocated_ttys(rpcd_t)
')
optional_policy(`
tunable_policy(`container_use_nfs',`
kubernetes_use_kubelet_fds(rpcd_t)
')
')
optional_policy(`
automount_signal(rpcd_t)
automount_dontaudit_write_pipes(rpcd_t)
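Review bot: The new `kubernetes_use_kubelet_fds(rpcd_t)` block gives no reason why an NFS RPC daemon should inherit descriptors from kubelet, so the gate on `container_use_nfs` is the only hint at the dependency. A one-line why-comment would keep the grant reviewable; presumably this is for the rpc helpers kubelet triggers when mounting NFS-backed volumes, in which case `# kubelet triggers NFS mounts for volumes; rpc helpers inherit its fds` would do, but confirm against the denial that motivated it.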


@ -839,6 +839,26 @@ interface(`miscfiles_relabel_man_cache',`
relabel_files_pattern($1, man_cache_t, man_cache_t)
')
########################################
## <summary>
## Search public directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_search_public_dirs',`
gen_require(`
type public_content_t;
type public_content_rw_t;
')
allow $1 public_content_t:dir search_dir_perms;
allow $1 public_content_rw_t:dir search_dir_perms;
')
########################################
## <summary>
## Read public files used for file
@ -901,6 +921,46 @@ interface(`miscfiles_watch_public_dirs',`
allow $1 public_content_rw_t:dir watch;
')
########################################
## <summary>
## Mount on all public content directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_mounton_all_public_dirs',`
gen_require(`
type public_content_t;
type public_content_rw_t;
')
allow $1 public_content_t:dir mounton;
allow $1 public_content_rw_t:dir mounton;
')
########################################
## <summary>
## Mount on all public content files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_mounton_all_public_files',`
gen_require(`
type public_content_t;
type public_content_rw_t;
')
allow $1 public_content_t:file mounton;
allow $1 public_content_rw_t:file mounton;
')
########################################
## <summary>
## Read TeX data
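Review bot: The summary of `miscfiles_search_public_dirs` ("Search public directories.") does not say that the interface spans both the read-only and the writable public content types, which its body grants on public_content_t and public_content_rw_t; the neighbouring read interface ties its summary to the file transfer use case, so `## Search public content directories (read-only and writable) used for file transfer services.` would keep the style consistent. The two new mounton interfaces have the same gap and would benefit from the same "both types" wording, since a caller granted `miscfiles_mounton_all_public_files` can also mount over files in writable public content.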


@ -69,6 +69,24 @@ interface(`mount_exec',`
can_exec($1, mount_exec_t)
')
########################################
## <summary>
## Read the process state (/proc/pid) of mount.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mount_read_state',`
gen_require(`
type mount_t;
')
ps_process_pattern($1, mount_t)
')
########################################
## <summary>
## Send a generic signal to mount.


@ -697,6 +697,10 @@ optional_policy(`
apt_use_fds(setfiles_t)
')
optional_policy(`
container_getattr_fs(setfiles_t)
')
optional_policy(`
# leaked file descriptors
udev_dontaudit_rw_dgram_sockets(setfiles_t)
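Review bot: The new `container_getattr_fs(setfiles_t)` optional block has no comment, unlike the adjacent udev block that explains its dontaudit with `# leaked file descriptors`. Since this is a new filesystem-class grant to a relabeling domain, a short reason keeps it auditable; presumably setfiles stats mounted container filesystems while relabeling, so `# setfiles stats container filesystems when relabeling under them` would be enough, but confirm the originating denial.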