kubernetes: initial policy module

Signed-off-by: Kenton Groombridge <me@concord.sh>
Kenton Groombridge 2022-05-10 13:55:10 -04:00
parent 79aeab71c8
commit d387288693
8 changed files with 976 additions and 2 deletions


@ -1023,6 +1023,24 @@ interface(`fs_relabel_cgroup_symlinks',`
relabel_lnk_files_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
## Watch cgroup directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_watch_cgroup_dirs', `
gen_require(`
type cgroup_t;
')
allow $1 cgroup_t:dir watch;
')
########################################
## <summary>
## Mount on cgroup directories.
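Review bot: The opening line of the new interface, `interface(`fs_watch_cgroup_dirs', `` , has a space between the comma and the opening backquote, while every other interface added in this commit (e.g. `interface(`container_watch_dirs',``) and the surrounding file use none; refpolicy's convention is the spaceless form, so `interface(`fs_watch_cgroup_dirs',`` keeps the file consistent. The rule body itself is the single `dir watch` permission and mirrors the sibling `container_watch_dirs` and `container_watch_config_dirs` interfaces from the same change, so nothing else to raise here.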


@ -83,8 +83,10 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0)
/var/lib/containerd/[^/]+/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containerd/[^/]+/snapshots(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/lib/kubelet/device-plugins(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/lib/kubelet/plugins(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/lib/kubelet/plugins_registry(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
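Review bot: `/var/lib/kubelet(/.*)?` is still labelled `container_var_lib_t` near the top of this hunk, while the new kubernetes.fc in the same commit labels the identical regex `kubernetes_var_lib_t`; unless that line is one of the commit's two deletions (the rendered page does not show which side it is on), the two specifications conflict and the policy build or `setfiles` will either reject the module or resolve the clash unpredictably. The kubelet policy plainly expects the parent directory to be `kubernetes_var_lib_t`, since its `container_spec_filetrans_file(kubelet_t, kubernetes_var_lib_t, dir, "pods")` and sibling rules transition from that type, so the container.fc entry should be the one removed. `/var/lib/kubelet/pods(/.*)?` also appears twice in this hunk; if that is just the moved line rendered old-then-new it is fine, otherwise the duplicate entry should go as well.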


@ -609,6 +609,28 @@ interface(`container_domtrans',`
allow $1 container_domain:process transition;
')
########################################
## <summary>
## Connect to a system container engine
## domain over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_stream_connect_system_engine',`
gen_require(`
attribute container_engine_system_domain;
type container_runtime_t;
')
files_search_runtime($1)
stream_connect_pattern($1, container_runtime_t, container_runtime_t, container_engine_system_domain)
allow $1 container_runtime_t:sock_file read_sock_file_perms;
')
########################################
## <summary>
## Connect to a system container domain
@ -750,6 +772,45 @@ interface(`container_mountpoint',`
typeattribute $1 container_mountpoint_type;
')
########################################
## <summary>
## Allow the specified domain to
## read container config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_read_config',`
gen_require(`
type container_config_t;
')
list_dirs_pattern($1, container_config_t, container_config_t)
read_files_pattern($1, container_config_t, container_config_t)
')
########################################
## <summary>
## Allow the specified domain to
## watch container config directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_watch_config_dirs',`
gen_require(`
type container_config_t;
')
allow $1 container_config_t:dir watch;
')
########################################
## <summary>
## Allow the specified domain to
@ -847,6 +908,25 @@ interface(`container_manage_dirs',`
manage_dirs_pattern($1, container_file_t, container_file_t)
')
########################################
## <summary>
## Allow the specified domain to
## watch container file directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_watch_dirs',`
gen_require(`
type container_file_t;
')
allow $1 container_file_t:dir watch;
')
########################################
## <summary>
## Allow the specified domain to
@ -866,6 +946,44 @@ interface(`container_manage_files',`
manage_files_pattern($1, container_file_t, container_file_t)
')
########################################
## <summary>
## Do not audit attempts to relabel
## container file directories.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`container_dontaudit_relabel_dirs',`
gen_require(`
type container_file_t;
')
dontaudit $1 container_file_t:dir { relabelfrom relabelto };
')
########################################
## <summary>
## Do not audit attempts to relabel
## container files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`container_dontaudit_relabel_files',`
gen_require(`
type container_file_t;
')
dontaudit $1 container_file_t:file { relabelfrom relabelto };
')
########################################
## <summary>
## Allow the specified domain to
@ -980,6 +1098,62 @@ interface(`container_manage_chr_files',`
manage_chr_files_pattern($1, container_file_t, container_file_t)
')
########################################
## <summary>
## Allow the specified domain to create
## objects in specified directories with
## an automatic type transition to the
## container file type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="domain">
## <summary>
## Directory to transition on.
## </summary>
## </param>
## <param name="object">
## <summary>
## The object class of the object being created.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`container_spec_filetrans_file',`
gen_require(`
type container_file_t;
')
filetrans_pattern($1, $2, container_file_t, $3, $4)
')
########################################
## <summary>
## Allow the specified domain to list
## the contents of read-only container
## file directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_list_ro_dirs',`
gen_require(`
type container_ro_file_t;
')
allow $1 container_ro_file_t:dir list_dir_perms;
')
########################################
## <summary>
## Allow the specified domain to
@ -1293,6 +1467,46 @@ interface(`container_search_runtime',`
allow $1 container_runtime_t:dir search_dir_perms;
')
########################################
## <summary>
## Allow the specified domain to read
## runtime container files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_read_runtime_files',`
gen_require(`
type container_runtime_t;
')
files_search_runtime($1)
allow $1 container_runtime_t:file read_file_perms;
')
########################################
## <summary>
## Allow the specified domain to get
## the attributes runtime container of
## container runtime named sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_getattr_runtime_sock_files',`
gen_require(`
type container_runtime_t;
')
allow $1 container_runtime_t:sock_file getattr;
')
########################################
## <summary>
## Allow the specified domain to manage
@ -1331,6 +1545,25 @@ interface(`container_manage_runtime_fifo_files',`
manage_fifo_files_pattern($1, container_runtime_t, container_runtime_t)
')
########################################
## <summary>
## Allow the specified domain to manage
## runtime container symlinks.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_manage_runtime_lnk_files',`
gen_require(`
type container_runtime_t;
')
manage_lnk_files_pattern($1, container_runtime_t, container_runtime_t)
')
########################################
## <summary>
## Allow the specified domain to manage
@ -1408,6 +1641,46 @@ interface(`container_search_var_lib',`
allow $1 container_var_lib_t:dir search_dir_perms;
')
########################################
## <summary>
## Allow the specified domain to list
## the contents of container directories
## in /var/lib.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_list_var_lib',`
gen_require(`
type container_var_lib_t;
')
files_search_var_lib($1)
allow $1 container_var_lib_t:dir list_dir_perms;
')
########################################
## <summary>
## Allow the specified domain to manage
## container file directories in /var/lib.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_manage_var_lib_dirs',`
gen_require(`
type container_var_lib_t;
')
manage_dirs_pattern($1, container_var_lib_t, container_var_lib_t)
')
########################################
## <summary>
## Allow the specified domain to manage
@ -1498,6 +1771,101 @@ interface(`container_unlabeled_var_lib_filetrans',`
kernel_unlabeled_filetrans($1, container_var_lib_t, $2, $3)
')
########################################
## <summary>
## Allow the specified domain to manage
## container log file directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_manage_log_dirs',`
gen_require(`
type container_log_t;
')
allow $1 container_log_t:dir manage_dir_perms;
')
########################################
## <summary>
## Allow the specified domain to create
## container log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_create_log_files',`
gen_require(`
type container_log_t;
')
create_files_pattern($1, container_log_t, container_log_t)
')
########################################
## <summary>
## Allow the specified domain to append
## data to container log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_append_log_files',`
gen_require(`
type container_log_t;
')
allow $1 container_log_t:file append_file_perms;
')
########################################
## <summary>
## Allow the specified domain to manage
## container log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_manage_log_files',`
gen_require(`
type container_log_t;
')
manage_files_pattern($1, container_log_t, container_log_t)
')
########################################
## <summary>
## Allow the specified domain to manage
## container log symlinks.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_manage_log_symlinks',`
gen_require(`
type container_log_t;
')
manage_lnk_files_pattern($1, container_log_t, container_log_t)
')
########################################
## <summary>
## Allow the specified domain to start
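Review bot: `container_stream_connect_system_engine` hands the caller a connect to every `container_engine_system_domain` socket under `container_runtime_t` (the docker/podman/cri-o control sockets, per the kubelet comments in this commit), and whoever can speak to a container engine's API can typically start containers with arbitrary host mounts, so a domain given this interface is effectively trusted with host root; the summary should say so, e.g. `## Connect to a system container engine domain over a unix stream socket. Access to an engine's control socket is equivalent to full control of the host; grant only to engine-management domains.`. Separately, in `container_spec_filetrans_file` the second `<param>` is named `domain` again although it documents the directory type; it should be `<param name="dir_type">` so the generated interface documentation matches the argument order used by the callers in kubernetes.te. The enclosing file continues outside the hunks shown.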


@ -0,0 +1,19 @@
HOME_DIR/\.kube(/.*)? gen_context(system_u:object_r:kubernetes_home_t,s0)
/etc/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_config_t,s0)
/usr/bin/kubelet -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/bin/kubeadm -- gen_context(system_u:object_r:kubeadm_exec_t,s0)
/usr/lib/systemd/system/[^/]*kubelet.* -- gen_context(system_u:object_r:kubernetes_unit_t,s0)
/var/lib/calico(/.*)? gen_context(system_u:object_r:kubernetes_var_lib_t,s0)
/var/lib/etcd(/.*)? gen_context(system_u:object_r:kubernetes_var_lib_t,s0)
/var/lib/kube-proxy(/.*)? gen_context(system_u:object_r:kubernetes_var_lib_t,s0)
/var/lib/kubelet(/.*)? gen_context(system_u:object_r:kubernetes_var_lib_t,s0)
/var/log/kubelet(/.*)? gen_context(system_u:object_r:kubernetes_log_t,s0)
/var/log/kube-apiserver(/.*)? gen_context(system_u:object_r:kubernetes_log_t,s0)
/var/log/kube-controller-manager(/.*)? gen_context(system_u:object_r:kubernetes_log_t,s0)
/var/log/kube-proxy(/.*)? gen_context(system_u:object_r:kubernetes_log_t,s0)
/var/log/kube-scheduler(/.*)? gen_context(system_u:object_r:kubernetes_log_t,s0)
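Review bot: `/var/lib/etcd(/.*)?` receives the same `kubernetes_var_lib_t` as the kubelet and kube-proxy state directories, and the new kubelet policy grants `kubelet_t` full manage rights on that type (`allow kubelet_t kubernetes_var_lib_t:dir manage_dir_perms;` and the file/lnk_file/sock_file rules beside it); etcd's data directory is the cluster datastore, secrets included, and as far as I know a node agent talks to the apiserver, never to etcd's files. A dedicated type for the store, e.g. `/var/lib/etcd(/.*)? gen_context(system_u:object_r:kubernetes_etcd_var_lib_t,s0)` declared with `files_type`, would keep a compromised kubelet away from it; if the shared type is deliberate because etcd runs as a static pod the kubelet supervises, a comment on this line saying so would pre-empt the question. `/etc/kubernetes(/.*)?` similarly puts `pki/` — which on kubeadm-built control planes typically holds the CA private keys — under `kubernetes_config_t`, readable wholesale by `kubelet_t`; that is worth the same consideration.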


@ -0,0 +1,238 @@
## <summary>policy for kubernetes</summary>
#######################################
## <summary>
## Execute kubelet in the kubelet domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`kubernetes_domtrans_kubelet',`
gen_require(`
type kubelet_t, kubelet_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, kubelet_exec_t, kubelet_t)
')
########################################
## <summary>
## Execute kubelet in the kubelet domain,
## and allow the specified role the
## kubelet domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the kubelet domain.
## </summary>
## </param>
#
interface(`kubernetes_run_kubelet',`
gen_require(`
type kubelet_t;
')
role $2 types kubelet_t;
kubernetes_domtrans_kubelet($1)
')
#######################################
## <summary>
## Execute kubeadm in the kubeadm domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`kubernetes_domtrans_kubeadm',`
gen_require(`
type kubeadm_t, kubeadm_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, kubeadm_exec_t, kubeadm_t)
')
########################################
## <summary>
## Execute kubeadm in the kubeadm domain,
## and allow the specified role the
## kubeadm domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the kubeadm domain.
## </summary>
## </param>
#
interface(`kubernetes_run_kubeadm',`
gen_require(`
type kubeadm_t;
')
role $2 types kubeadm_t;
kubernetes_domtrans_kubeadm($1)
')
########################################
## <summary>
## Search kubernetes directories in /var/lib.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kubernetes_search_var_lib',`
gen_require(`
type kubernetes_var_lib_t;
')
files_search_var_lib($1)
allow $1 kubernetes_var_lib_t:dir search_dir_perms;
')
########################################
## <summary>
## Get the status of kubernetes systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kubernetes_get_unit_status',`
gen_require(`
type kubernetes_unit_t;
class service status;
')
allow $1 kubernetes_unit_t:service status;
')
########################################
## <summary>
## Start kubernetes systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kubernetes_start_unit',`
gen_require(`
type kubernetes_unit_t;
class service start;
')
allow $1 kubernetes_unit_t:service start;
')
########################################
## <summary>
## Stop kubernetes systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kubernetes_stop_unit',`
gen_require(`
type kubernetes_unit_t;
class service stop;
')
allow $1 kubernetes_unit_t:service stop;
')
########################################
## <summary>
## Reload kubernetes systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kubernetes_reload_unit',`
gen_require(`
type kubernetes_unit_t;
class service reload;
')
allow $1 kubernetes_unit_t:service reload;
')
#######################################
## <summary>
## All of the rules required to administrate
## a kubernetes environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kubernetes_admin',`
gen_require(`
type kubeadm_t, kubelet_t;
type kubernetes_config_t, kubernetes_tmpfs_t;
type kubernetes_runtime_t, kubernetes_var_lib_t;
type kubernetes_log_t;
')
kubernetes_run_kubeadm($1, $2)
kubernetes_run_kubelet($1, $2)
allow $1 kubeadm_t:process { ptrace signal_perms };
ps_process_pattern($1, kubeadm_t)
allow $1 kubelet_t:process { ptrace signal_perms };
ps_process_pattern($1, kubelet_t)
files_search_etc($1)
admin_pattern($1, kubernetes_config_t)
fs_search_tmpfs($1)
admin_pattern($1, kubernetes_tmpfs_t)
files_search_runtime($1)
admin_pattern($1, kubernetes_runtime_t)
files_search_var_lib($1)
admin_pattern($1, kubernetes_var_lib_t)
logging_search_logs($1)
admin_pattern($1, kubernetes_log_t)
')
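Review bot: `kubernetes_admin` never references `kubernetes_unit_t`, so an administrator given this interface can ptrace and signal the daemons and manage every file type but cannot start, stop or query the kubelet service through systemd, even though the same file defines `kubernetes_get_unit_status`, `kubernetes_start_unit`, `kubernetes_stop_unit` and `kubernetes_reload_unit` for exactly that. Other refpolicy admin interfaces cover this with `init_startstop_service($1, $2, kubelet_t, kubernetes_unit_t)` (adding `type kubernetes_unit_t;` to the `gen_require`), which also takes care of the role. `kubernetes_home_t` is likewise absent from the admin rules; that may be intended since it is per-user content under HOME_DIR, but a short comment would make the omission look deliberate rather than forgotten.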


@ -0,0 +1,292 @@
policy_module(kubernetes)
########################################
#
# Declarations
#
attribute_role kubernetes_roles;
roleattribute system_r kubernetes_roles;
type kubelet_t;
type kubelet_exec_t;
domain_type(kubelet_t)
container_engine_executable_file(kubelet_exec_t)
init_daemon_domain(kubelet_t, kubelet_exec_t)
role kubernetes_roles types kubelet_t;
type kubeadm_t;
type kubeadm_exec_t;
application_domain(kubeadm_t, kubeadm_exec_t)
role kubernetes_roles types kubeadm_t;
type kubernetes_config_t;
files_config_file(kubernetes_config_t)
type kubernetes_tmpfs_t;
files_tmpfs_file(kubernetes_tmpfs_t)
type kubernetes_runtime_t;
files_runtime_file(kubernetes_runtime_t)
type kubernetes_var_lib_t;
files_type(kubernetes_var_lib_t)
type kubernetes_log_t;
logging_log_file(kubernetes_log_t)
type kubernetes_unit_t;
init_unit_file(kubernetes_unit_t)
type kubernetes_home_t;
xdg_config_content(kubernetes_home_t)
########################################
#
# kubelet local policy
#
allow kubelet_t self:process { getattr getsched setrlimit signal };
allow kubelet_t self:capability { chown dac_read_search net_raw sys_ptrace sys_resource };
dontaudit kubelet_t self:capability net_admin;
allow kubelet_t self:cap_userns sys_ptrace;
allow kubelet_t self:fifo_file rw_fifo_file_perms;
allow kubelet_t self:rawip_socket create_socket_perms;
allow kubelet_t self:tcp_socket create_stream_socket_perms;
allow kubelet_t self:unix_dgram_socket create_socket_perms;
allow kubelet_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow kubelet_t kubernetes_config_t:dir { list_dir_perms watch };
allow kubelet_t kubernetes_config_t:file { read_file_perms watch };
allow kubelet_t kubernetes_config_t:lnk_file read_lnk_file_perms;
files_etc_filetrans(kubelet_t, kubernetes_config_t, dir)
allow kubelet_t kubernetes_tmpfs_t:dir manage_dir_perms;
allow kubelet_t kubernetes_tmpfs_t:file manage_file_perms;
allow kubelet_t kubernetes_tmpfs_t:lnk_file manage_lnk_file_perms;
fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir file lnk_file })
allow kubelet_t kubernetes_runtime_t:dir manage_dir_perms;
allow kubelet_t kubernetes_runtime_t:file manage_file_perms;
allow kubelet_t kubernetes_runtime_t:sock_file manage_sock_file_perms;
files_runtime_filetrans(kubelet_t, kubernetes_runtime_t, { dir file sock_file })
allow kubelet_t kubernetes_var_lib_t:dir manage_dir_perms;
allow kubelet_t kubernetes_var_lib_t:file manage_file_perms;
allow kubelet_t kubernetes_var_lib_t:lnk_file manage_lnk_file_perms;
allow kubelet_t kubernetes_var_lib_t:sock_file manage_sock_file_perms;
files_var_lib_filetrans(kubelet_t, kubernetes_var_lib_t, dir)
container_spec_filetrans_file(kubelet_t, kubernetes_var_lib_t, dir, "device-plugins")
container_spec_filetrans_file(kubelet_t, kubernetes_var_lib_t, dir, "pods")
container_spec_filetrans_file(kubelet_t, kubernetes_var_lib_t, dir, "plugins")
container_spec_filetrans_file(kubelet_t, kubernetes_var_lib_t, dir, "plugins_registry")
logging_log_filetrans(kubelet_t, kubernetes_log_t, { dir file })
corenet_tcp_bind_generic_node(kubelet_t)
corenet_tcp_bind_kubernetes_port(kubelet_t)
corenet_tcp_connect_kubernetes_port(kubelet_t)
corecmd_search_bin(kubelet_t)
corecmd_watch_bin_dirs(kubelet_t)
corecmd_exec_bin(kubelet_t)
dev_getattr_mtrr_dev(kubelet_t)
dev_read_kmsg(kubelet_t)
dev_read_sysfs(kubelet_t)
domain_dontaudit_read_all_domains_state(kubelet_t)
domain_setpriority_all_domains(kubelet_t)
files_dontaudit_getattr_all_dirs(kubelet_t)
files_dontaudit_search_mnt(kubelet_t)
files_dontaudit_search_tmp(kubelet_t)
files_read_kernel_symbol_table(kubelet_t)
# read /usr/share/mime/globs2
files_read_usr_files(kubelet_t)
fs_getattr_tmpfs(kubelet_t)
fs_search_tmpfs(kubelet_t)
fs_getattr_xattr_fs(kubelet_t)
fs_getattr_cgroup(kubelet_t)
fs_list_cgroup_dirs(kubelet_t)
fs_watch_cgroup_dirs(kubelet_t)
fs_rw_cgroup_files(kubelet_t)
kernel_getattr_message_if(kubelet_t)
kernel_read_ring_buffer(kubelet_t)
kernel_read_irq_sysctls(kubelet_t)
kernel_read_network_state(kubelet_t)
kernel_read_system_state(kubelet_t)
kernel_rw_kernel_sysctl(kubelet_t)
kernel_rw_net_sysctls(kubelet_t)
kernel_rw_vm_overcommit_sysctl(kubelet_t)
kernel_dontaudit_getattr_proc(kubelet_t)
storage_getattr_fixed_disk_dev(kubelet_t)
auth_use_nsswitch(kubelet_t)
iptables_domtrans(kubelet_t)
iptables_getattr_runtime_files(kubelet_t)
miscfiles_read_localization(kubelet_t)
logging_send_syslog_msg(kubelet_t)
modutils_domtrans(kubelet_t)
mount_domtrans(kubelet_t)
seutil_read_default_contexts(kubelet_t)
userdom_dontaudit_search_user_runtime_root(kubelet_t)
dbus_list_system_bus_runtime(kubelet_t)
dbus_system_bus_client(kubelet_t)
container_read_config(kubelet_t)
container_getattr_fs(kubelet_t)
# read /run/docker.pid
container_read_runtime_files(kubelet_t)
# connect to docker, podman, etc.
container_stream_connect_system_engine(kubelet_t)
container_list_var_lib(kubelet_t)
container_manage_dirs(kubelet_t)
container_manage_files(kubelet_t)
container_manage_lnk_files(kubelet_t)
container_manage_sock_files(kubelet_t)
container_watch_dirs(kubelet_t)
container_list_ro_dirs(kubelet_t)
container_manage_log_dirs(kubelet_t)
container_manage_log_files(kubelet_t)
container_manage_log_symlinks(kubelet_t)
# kubelet will preemptively relabel container
# files to the same label even if the labels
# are correct, so just dontaudit these
container_dontaudit_relabel_dirs(kubelet_t)
container_dontaudit_relabel_files(kubelet_t)
ifdef(`init_systemd',`
init_dbus_chat(kubelet_t)
init_start_system(kubelet_t)
init_get_transient_units_status(kubelet_t)
init_start_transient_units(kubelet_t)
init_stop_transient_units(kubelet_t)
kubernetes_get_unit_status(kubelet_t)
kubernetes_start_unit(kubelet_t)
kubernetes_stop_unit(kubelet_t)
')
optional_policy(`
docker_read_state(kubelet_t)
docker_write_state(kubelet_t)
')
########################################
#
# kubeadm local policy
#
allow kubeadm_t self:process { getsched signal };
dontaudit kubeadm_t self:capability net_admin;
allow kubeadm_t self:fifo_file rw_fifo_file_perms;
allow kubeadm_t self:netlink_route_socket create_netlink_socket_perms;
allow kubeadm_t self:tcp_socket create_stream_socket_perms;
allow kubeadm_t self:udp_socket create_socket_perms;
allow kubeadm_t self:unix_dgram_socket create_socket_perms;
domtrans_pattern(kubeadm_t, kubelet_exec_t, kubelet_t)
ps_process_pattern(kubeadm_t, kubelet_t)
manage_dirs_pattern(kubeadm_t, kubernetes_config_t, kubernetes_config_t)
manage_files_pattern(kubeadm_t, kubernetes_config_t, kubernetes_config_t)
manage_lnk_files_pattern(kubeadm_t, kubernetes_config_t, kubernetes_config_t)
allow kubeadm_t kubernetes_var_lib_t:dir manage_dir_perms;
allow kubeadm_t kubernetes_var_lib_t:file manage_file_perms;
allow kubeadm_t kubernetes_var_lib_t:lnk_file manage_lnk_file_perms;
allow kubeadm_t kubernetes_var_lib_t:sock_file manage_sock_file_perms;
files_var_lib_filetrans(kubeadm_t, kubernetes_var_lib_t, dir)
allow kubeadm_t kubernetes_home_t:dir search_dir_perms;
allow kubeadm_t kubernetes_home_t:file read_file_perms;
allow kubeadm_t kubernetes_home_t:lnk_file read_lnk_file_perms;
corenet_tcp_bind_generic_node(kubeadm_t)
corenet_tcp_connect_http_port(kubeadm_t)
corenet_tcp_bind_kubernetes_port(kubeadm_t)
corenet_tcp_connect_kubernetes_port(kubeadm_t)
corecmd_getattr_all_executables(kubeadm_t)
corecmd_exec_bin(kubeadm_t)
domain_use_interactive_fds(kubeadm_t)
files_read_boot_files(kubeadm_t)
files_read_etc_files(kubeadm_t)
fs_getattr_tmpfs(kubeadm_t)
fs_getattr_xattr_fs(kubeadm_t)
fs_getattr_cgroup(kubeadm_t)
fs_search_cgroup_dirs(kubeadm_t)
fs_read_cgroup_files(kubeadm_t)
kernel_read_network_state(kubeadm_t)
kernel_read_system_state(kubeadm_t)
kernel_read_net_sysctls(kubeadm_t)
kernel_read_kernel_sysctls(kubeadm_t)
kernel_dontaudit_getattr_proc(kubeadm_t)
auth_use_nsswitch(kubeadm_t)
init_read_state(kubeadm_t)
init_write_runtime_socket(kubeadm_t)
logging_search_logs(kubeadm_t)
miscfiles_read_generic_certs(kubeadm_t)
miscfiles_read_localization(kubeadm_t)
userdom_search_user_home_content(kubeadm_t)
userdom_use_user_terminals(kubeadm_t)
userdom_lock_user_terminals(kubeadm_t)
# getattr on /run/docker.sock
container_getattr_runtime_sock_files(kubeadm_t)
# for connecting to cri-o and maybe others
container_stream_connect_system_engine(kubeadm_t)
container_list_var_lib(kubeadm_t)
container_manage_var_lib_dirs(kubeadm_t)
container_manage_var_lib_files(kubeadm_t)
container_manage_dirs(kubeadm_t)
container_manage_files(kubeadm_t)
container_manage_lnk_files(kubeadm_t)
container_manage_sock_files(kubeadm_t)
ifdef(`init_systemd',`
init_get_system_status(kubeadm_t)
init_reload(kubeadm_t)
init_get_generic_units_status(kubeadm_t)
kubernetes_get_unit_status(kubeadm_t)
kubernetes_start_unit(kubeadm_t)
kubernetes_stop_unit(kubeadm_t)
systemd_list_journal_dirs(kubeadm_t)
systemd_read_journal_files(kubeadm_t)
')
optional_policy(`
docker_domtrans_cli(kubeadm_t)
docker_read_state(kubeadm_t)
')
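Review bot: `files_etc_filetrans(kubelet_t, kubernetes_config_t, dir)` in the kubelet block names no entry, so any directory `kubelet_t` creates directly inside an `etc_t` directory would be labelled `kubernetes_config_t`, and the `filetrans_pattern` underneath that interface, as I recall it, also grants `rw_dir_perms` on `etc_t` — write access to /etc for a node agent; yet the block never grants `kubernetes_config_t:dir create` (only `list_dir_perms watch`), so the transition cannot actually fire today. Either drop the line or pin it to the one directory it is for, `files_etc_filetrans(kubelet_t, kubernetes_config_t, dir, "kubernetes")`, together with the create permission, if the kubelet really does create /etc/kubernetes itself. Two other broad grants deserve a one-line why-comment so they can be narrowed later: `kernel_rw_kernel_sysctl(kubelet_t)` covers all of /proc/sys/kernel, `core_pattern` included, when the kubelet presumably only writes the handful of panic and keyring sysctls it enforces, and `domain_setpriority_all_domains(kubelet_t)` reaches every domain on the host rather than the container processes the kubelet supervises.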


@ -162,6 +162,24 @@ interface(`iptables_manage_config',`
manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
')
########################################
## <summary>
## Get the attributes of iptables runtime files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`iptables_getattr_runtime_files',`
gen_require(`
type iptables_runtime_t;
')
allow $1 iptables_runtime_t:file getattr;
')
########################################
## <summary>
## dontaudit reading iptables_runtime_t (Deprecated)


@ -4292,6 +4292,25 @@ interface(`userdom_dontaudit_use_user_terminals',`
dontaudit $1 user_devpts_t:chr_file rw_term_perms;
')
########################################
## <summary>
## Lock user TTYs and PTYs.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`userdom_lock_user_terminals',`
gen_require(`
type user_tty_device_t, user_devpts_t;
')
allow $1 user_tty_device_t:chr_file lock;
allow $1 user_devpts_t:chr_file lock;
')
########################################
## <summary>
## Execute a shell in all user domains. This
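Review bot: The `<param name="domain">` summary of the new `userdom_lock_user_terminals` reads `Domain to not audit.`, copied from the `userdom_dontaudit_use_user_terminals` interface just above it, but this interface emits `allow` rules; it should be `## Domain allowed access.` as in the other allow interfaces in this commit. The top summary could also spell out what is granted, e.g. `## Lock user TTYs and PTYs (chr_file lock permission only).`, so readers do not mistake it for a broader terminal-access interface.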