kubernetes: initial policy module
Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
parent
79aeab71c8
commit
d387288693
@ -1023,6 +1023,24 @@ interface(`fs_relabel_cgroup_symlinks',`
|
||||
relabel_lnk_files_pattern($1, cgroup_t, cgroup_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Watch cgroup directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_watch_cgroup_dirs', `
|
||||
gen_require(`
|
||||
type cgroup_t;
|
||||
')
|
||||
|
||||
allow $1 cgroup_t:dir watch;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount on cgroup directories.
|
||||
|
@ -83,8 +83,10 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0)
|
||||
/var/lib/containerd/[^/]+/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
/var/lib/containerd/[^/]+/snapshots(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
|
||||
/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
||||
/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
/var/lib/kubelet/device-plugins(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
/var/lib/kubelet/plugins(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
/var/lib/kubelet/plugins_registry(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
|
||||
/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
||||
/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
||||
|
@ -609,6 +609,28 @@ interface(`container_domtrans',`
|
||||
allow $1 container_domain:process transition;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to a system container engine
|
||||
## domain over a unix stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_stream_connect_system_engine',`
|
||||
gen_require(`
|
||||
attribute container_engine_system_domain;
|
||||
type container_runtime_t;
|
||||
')
|
||||
|
||||
files_search_runtime($1)
|
||||
stream_connect_pattern($1, container_runtime_t, container_runtime_t, container_engine_system_domain)
|
||||
allow $1 container_runtime_t:sock_file read_sock_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to a system container domain
|
||||
@ -750,6 +772,45 @@ interface(`container_mountpoint',`
|
||||
typeattribute $1 container_mountpoint_type;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to
|
||||
## read container config files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_read_config',`
|
||||
gen_require(`
|
||||
type container_config_t;
|
||||
')
|
||||
|
||||
list_dirs_pattern($1, container_config_t, container_config_t)
|
||||
read_files_pattern($1, container_config_t, container_config_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to
|
||||
## watch container config directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_watch_config_dirs',`
|
||||
gen_require(`
|
||||
type container_config_t;
|
||||
')
|
||||
|
||||
allow $1 container_config_t:dir watch;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to
|
||||
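Review bot: container_read_config grants list and read on container_config_t but never searches the parent directory, whereas the sibling interfaces this commit adds do (container_read_runtime_files calls files_search_runtime($1), container_list_var_lib calls files_search_var_lib($1)). If container_config_t is labelled under /etc, add `files_search_etc($1)` ahead of the list_dirs_pattern line so a caller such as kubelet_t can actually reach the directory; the container.fc entry for container_config_t is not in this hunk, so confirm the location first. container_watch_config_dirs has the same gap but is usually called alongside a read interface, so it matters less there.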
@ -847,6 +908,25 @@ interface(`container_manage_dirs',`
|
||||
manage_dirs_pattern($1, container_file_t, container_file_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to
|
||||
## watch container file directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_watch_dirs',`
|
||||
gen_require(`
|
||||
type container_file_t;
|
||||
')
|
||||
|
||||
allow $1 container_file_t:dir watch;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to
|
||||
@ -866,6 +946,44 @@ interface(`container_manage_files',`
|
||||
manage_files_pattern($1, container_file_t, container_file_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to relabel
|
||||
## container file directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_dontaudit_relabel_dirs',`
|
||||
gen_require(`
|
||||
type container_file_t;
|
||||
')
|
||||
|
||||
dontaudit $1 container_file_t:dir { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to relabel
|
||||
## container files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_dontaudit_relabel_files',`
|
||||
gen_require(`
|
||||
type container_file_t;
|
||||
')
|
||||
|
||||
dontaudit $1 container_file_t:file { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to
|
||||
@ -980,6 +1098,62 @@ interface(`container_manage_chr_files',`
|
||||
manage_chr_files_pattern($1, container_file_t, container_file_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to create
|
||||
## objects in specified directories with
|
||||
## an automatic type transition to the
|
||||
## container file type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Directory to transition on.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="object">
|
||||
## <summary>
|
||||
## The object class of the object being created.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="name" optional="true">
|
||||
## <summary>
|
||||
## The name of the object being created.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_spec_filetrans_file',`
|
||||
gen_require(`
|
||||
type container_file_t;
|
||||
')
|
||||
|
||||
filetrans_pattern($1, $2, container_file_t, $3, $4)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to list
|
||||
## the contents of read-only container
|
||||
## file directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_list_ro_dirs',`
|
||||
gen_require(`
|
||||
type container_ro_file_t;
|
||||
')
|
||||
|
||||
allow $1 container_ro_file_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to
|
||||
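Review bot: In container_spec_filetrans_file the second parameter's documentation is tagged `## <param name="domain">` although its summary is "Directory to transition on.", so the interface has two parameters documented as domain and the generated reference cannot tell them apart. Rename the tag to describe the argument, e.g. `## <param name="dir_type">`, and keep the summary. The body, `filetrans_pattern($1, $2, container_file_t, $3, $4)`, matches how kubernetes.te calls it with kubernetes_var_lib_t as the directory type, so only the doc block needs changing.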
@ -1293,6 +1467,46 @@ interface(`container_search_runtime',`
|
||||
allow $1 container_runtime_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to read
|
||||
## runtime container files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_read_runtime_files',`
|
||||
gen_require(`
|
||||
type container_runtime_t;
|
||||
')
|
||||
|
||||
files_search_runtime($1)
|
||||
allow $1 container_runtime_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to get
|
||||
## the attributes runtime container of
|
||||
## container runtime named sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_getattr_runtime_sock_files',`
|
||||
gen_require(`
|
||||
type container_runtime_t;
|
||||
')
|
||||
|
||||
allow $1 container_runtime_t:sock_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to manage
|
||||
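Review bot: The summary of container_getattr_runtime_sock_files reads "get the attributes runtime container of container runtime named sockets", which has its words scrambled. Suggest the three lines `## Allow the specified domain to get`, `## the attributes of container runtime`, `## named sockets.`. The body (`allow $1 container_runtime_t:sock_file getattr;`) is what the name promises; its only caller in this commit, kubeadm_t, already obtains search on /run through container_stream_connect_system_engine, so no extra search rule is needed here.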
@ -1331,6 +1545,25 @@ interface(`container_manage_runtime_fifo_files',`
|
||||
manage_fifo_files_pattern($1, container_runtime_t, container_runtime_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to manage
|
||||
## runtime container symlinks.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_manage_runtime_lnk_files',`
|
||||
gen_require(`
|
||||
type container_runtime_t;
|
||||
')
|
||||
|
||||
manage_lnk_files_pattern($1, container_runtime_t, container_runtime_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to manage
|
||||
@ -1408,6 +1641,46 @@ interface(`container_search_var_lib',`
|
||||
allow $1 container_var_lib_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to list
|
||||
## the contents of container directories
|
||||
## in /var/lib.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_list_var_lib',`
|
||||
gen_require(`
|
||||
type container_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
allow $1 container_var_lib_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to manage
|
||||
## container file directories in /var/lib.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_manage_var_lib_dirs',`
|
||||
gen_require(`
|
||||
type container_var_lib_t;
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1, container_var_lib_t, container_var_lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to manage
|
||||
@ -1498,6 +1771,101 @@ interface(`container_unlabeled_var_lib_filetrans',`
|
||||
kernel_unlabeled_filetrans($1, container_var_lib_t, $2, $3)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to manage
|
||||
## container log file directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_manage_log_dirs',`
|
||||
gen_require(`
|
||||
type container_log_t;
|
||||
')
|
||||
|
||||
allow $1 container_log_t:dir manage_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to create
|
||||
## container log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_create_log_files',`
|
||||
gen_require(`
|
||||
type container_log_t;
|
||||
')
|
||||
|
||||
create_files_pattern($1, container_log_t, container_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to append
|
||||
## data to container log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_append_log_files',`
|
||||
gen_require(`
|
||||
type container_log_t;
|
||||
')
|
||||
|
||||
allow $1 container_log_t:file append_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to manage
|
||||
## container log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_manage_log_files',`
|
||||
gen_require(`
|
||||
type container_log_t;
|
||||
')
|
||||
|
||||
manage_files_pattern($1, container_log_t, container_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to manage
|
||||
## container log symlinks.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`container_manage_log_symlinks',`
|
||||
gen_require(`
|
||||
type container_log_t;
|
||||
')
|
||||
|
||||
manage_lnk_files_pattern($1, container_log_t, container_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to start
|
||||
|
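Review bot: container_manage_log_dirs is written as a bare `allow $1 container_log_t:dir manage_dir_perms;` while its siblings container_manage_log_files and container_manage_log_symlinks use the pattern macros; `manage_dirs_pattern($1, container_log_t, container_log_t)` would keep the four new log interfaces uniform. None of container_manage_log_dirs, container_create_log_files, container_append_log_files or container_manage_log_files searches the parent log directory; kubernetes_admin in this same commit pairs its admin_pattern on kubernetes_log_t with `logging_search_logs($1)`, so consider adding that call here unless callers are expected to obtain it elsewhere. kubelet_t, the only caller of the manage interfaces in this commit, does not appear to get logging_search_logs on its own.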
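--- a/policy/modules/services/kubernetes.fc
+++ b/policy/modules/services/kubernetes.fc
@@ -0,0 +1,19 @@
+HOME_DIR/\.kube(/.*)? gen_context(system_u:object_r:kubernetes_home_t,s0)
+
+/etc/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_config_t,s0)
+
+/usr/bin/kubelet -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/bin/kubeadm -- gen_context(system_u:object_r:kubeadm_exec_t,s0)
+
+/usr/lib/systemd/system/[^/]*kubelet.* -- gen_context(system_u:object_r:kubernetes_unit_t,s0)
+
+/var/lib/calico(/.*)? gen_context(system_u:object_r:kubernetes_var_lib_t,s0)
+/var/lib/etcd(/.*)? gen_context(system_u:object_r:kubernetes_var_lib_t,s0)
+/var/lib/kube-proxy(/.*)? gen_context(system_u:object_r:kubernetes_var_lib_t,s0)
+/var/lib/kubelet(/.*)? gen_context(system_u:object_r:kubernetes_var_lib_t,s0)
+
+/var/log/kubelet(/.*)? gen_context(system_u:object_r:kubernetes_log_t,s0)
+/var/log/kube-apiserver(/.*)? gen_context(system_u:object_r:kubernetes_log_t,s0)
+/var/log/kube-controller-manager(/.*)? gen_context(system_u:object_r:kubernetes_log_t,s0)
+/var/log/kube-proxy(/.*)? gen_context(system_u:object_r:kubernetes_log_t,s0)
+/var/log/kube-scheduler(/.*)? gen_context(system_u:object_r:kubernetes_log_t,s0)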
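Review bot: /var/lib/etcd is labelled kubernetes_var_lib_t, the same type on which kubernetes.te gives both kubelet_t and kubeadm_t manage_dir_perms, manage_file_perms, manage_lnk_file_perms and manage_sock_file_perms, so the etcd datastore (which typically holds the cluster's Secret objects) is fully writable by both domains. If etcd runs as a static pod the directory is a hostPath the kubelet only has to create and hand to the runtime, so a dedicated type with narrower rules (e.g. `kubernetes_etcd_var_lib_t`; the name is only a suggestion) would keep etcd state separated from kubelet's own working state. The same consideration applies, more weakly, to the /var/lib/calico and /var/lib/kube-proxy entries, which belong to components that run as pods rather than to kubelet or kubeadm.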
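--- a/policy/modules/services/kubernetes.if
+++ b/policy/modules/services/kubernetes.if
@@ -0,0 +1,238 @@
+## <summary>policy for kubernetes</summary>
+
+#######################################
+## <summary>
+## Execute kubelet in the kubelet domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kubernetes_domtrans_kubelet',`
+gen_require(`
+type kubelet_t, kubelet_exec_t;
+')
+
+corecmd_search_bin($1)
+domtrans_pattern($1, kubelet_exec_t, kubelet_t)
+')
+
+########################################
+## <summary>
+## Execute kubelet in the kubelet domain,
+## and allow the specified role the
+## kubelet domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the kubelet domain.
+## </summary>
+## </param>
+#
+interface(`kubernetes_run_kubelet',`
+gen_require(`
+type kubelet_t;
+')
+
+role $2 types kubelet_t;
+
+kubernetes_domtrans_kubelet($1)
+')
+
+#######################################
+## <summary>
+## Execute kubeadm in the kubeadm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kubernetes_domtrans_kubeadm',`
+gen_require(`
+type kubeadm_t, kubeadm_exec_t;
+')
+
+corecmd_search_bin($1)
+domtrans_pattern($1, kubeadm_exec_t, kubeadm_t)
+')
+
+########################################
+## <summary>
+## Execute kubeadm in the kubeadm domain,
+## and allow the specified role the
+## kubeadm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the kubeadm domain.
+## </summary>
+## </param>
+#
+interface(`kubernetes_run_kubeadm',`
+gen_require(`
+type kubeadm_t;
+')
+
+role $2 types kubeadm_t;
+
+kubernetes_domtrans_kubeadm($1)
+')
+
+########################################
+## <summary>
+## Search kubernetes directories in /var/lib.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kubernetes_search_var_lib',`
+gen_require(`
+type kubernetes_var_lib_t;
+')
+
+files_search_var_lib($1)
+allow $1 kubernetes_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Get the status of kubernetes systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kubernetes_get_unit_status',`
+gen_require(`
+type kubernetes_unit_t;
+class service status;
+')
+
+allow $1 kubernetes_unit_t:service status;
+')
+
+########################################
+## <summary>
+## Start kubernetes systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kubernetes_start_unit',`
+gen_require(`
+type kubernetes_unit_t;
+class service start;
+')
+
+allow $1 kubernetes_unit_t:service start;
+')
+
+########################################
+## <summary>
+## Stop kubernetes systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kubernetes_stop_unit',`
+gen_require(`
+type kubernetes_unit_t;
+class service stop;
+')
+
+allow $1 kubernetes_unit_t:service stop;
+')
+
+########################################
+## <summary>
+## Reload kubernetes systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kubernetes_reload_unit',`
+gen_require(`
+type kubernetes_unit_t;
+class service reload;
+')
+
+allow $1 kubernetes_unit_t:service reload;
+')
+
+#######################################
+## <summary>
+## All of the rules required to administrate
+## a kubernetes environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kubernetes_admin',`
+gen_require(`
+type kubeadm_t, kubelet_t;
+type kubernetes_config_t, kubernetes_tmpfs_t;
+type kubernetes_runtime_t, kubernetes_var_lib_t;
+type kubernetes_log_t;
+')
+
+kubernetes_run_kubeadm($1, $2)
+kubernetes_run_kubelet($1, $2)
+
+allow $1 kubeadm_t:process { ptrace signal_perms };
+ps_process_pattern($1, kubeadm_t)
+
+allow $1 kubelet_t:process { ptrace signal_perms };
+ps_process_pattern($1, kubelet_t)
+
+files_search_etc($1)
+admin_pattern($1, kubernetes_config_t)
+
+fs_search_tmpfs($1)
+admin_pattern($1, kubernetes_tmpfs_t)
+
+files_search_runtime($1)
+admin_pattern($1, kubernetes_runtime_t)
+
+files_search_var_lib($1)
+admin_pattern($1, kubernetes_var_lib_t)
+
+logging_search_logs($1)
+admin_pattern($1, kubernetes_log_t)
+')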
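Review bot: kubernetes_run_kubelet and kubernetes_run_kubeadm bind the role directly with `role $2 types kubelet_t;` / `role $2 types kubeadm_t;`, although kubernetes.te declares `attribute_role kubernetes_roles` and attaches both domains to it; the usual refpolicy form is `roleattribute $2 kubernetes_roles;` with `attribute_role kubernetes_roles;` in gen_require, otherwise the attribute only ever carries system_r and the declaration in the .te serves no purpose. kubernetes_admin also never references kubernetes_unit_t, so an administrator gets ptrace and file management but none of the unit status/start/stop interfaces this same file defines; if init_startstop_service is available in this tree, `init_startstop_service($1, $2, kubelet_t, kubernetes_unit_t)` is the conventional way to close that gap. kubernetes_reload_unit is defined but has no caller in this commit, which is fine for an interface but worth a glance.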
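--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -0,0 +1,292 @@
+policy_module(kubernetes)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role kubernetes_roles;
+roleattribute system_r kubernetes_roles;
+
+type kubelet_t;
+type kubelet_exec_t;
+domain_type(kubelet_t)
+container_engine_executable_file(kubelet_exec_t)
+init_daemon_domain(kubelet_t, kubelet_exec_t)
+role kubernetes_roles types kubelet_t;
+
+type kubeadm_t;
+type kubeadm_exec_t;
+application_domain(kubeadm_t, kubeadm_exec_t)
+role kubernetes_roles types kubeadm_t;
+
+type kubernetes_config_t;
+files_config_file(kubernetes_config_t)
+
+type kubernetes_tmpfs_t;
+files_tmpfs_file(kubernetes_tmpfs_t)
+
+type kubernetes_runtime_t;
+files_runtime_file(kubernetes_runtime_t)
+
+type kubernetes_var_lib_t;
+files_type(kubernetes_var_lib_t)
+
+type kubernetes_log_t;
+logging_log_file(kubernetes_log_t)
+
+type kubernetes_unit_t;
+init_unit_file(kubernetes_unit_t)
+
+type kubernetes_home_t;
+xdg_config_content(kubernetes_home_t)
+
+########################################
+#
+# kubelet local policy
+#
+
+allow kubelet_t self:process { getattr getsched setrlimit signal };
+allow kubelet_t self:capability { chown dac_read_search net_raw sys_ptrace sys_resource };
+dontaudit kubelet_t self:capability net_admin;
+allow kubelet_t self:cap_userns sys_ptrace;
+allow kubelet_t self:fifo_file rw_fifo_file_perms;
+allow kubelet_t self:rawip_socket create_socket_perms;
+allow kubelet_t self:tcp_socket create_stream_socket_perms;
+allow kubelet_t self:unix_dgram_socket create_socket_perms;
+allow kubelet_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+allow kubelet_t kubernetes_config_t:dir { list_dir_perms watch };
+allow kubelet_t kubernetes_config_t:file { read_file_perms watch };
+allow kubelet_t kubernetes_config_t:lnk_file read_lnk_file_perms;
+files_etc_filetrans(kubelet_t, kubernetes_config_t, dir)
+
+allow kubelet_t kubernetes_tmpfs_t:dir manage_dir_perms;
+allow kubelet_t kubernetes_tmpfs_t:file manage_file_perms;
+allow kubelet_t kubernetes_tmpfs_t:lnk_file manage_lnk_file_perms;
+fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir file lnk_file })
+
+allow kubelet_t kubernetes_runtime_t:dir manage_dir_perms;
+allow kubelet_t kubernetes_runtime_t:file manage_file_perms;
+allow kubelet_t kubernetes_runtime_t:sock_file manage_sock_file_perms;
+files_runtime_filetrans(kubelet_t, kubernetes_runtime_t, { dir file sock_file })
+
+allow kubelet_t kubernetes_var_lib_t:dir manage_dir_perms;
+allow kubelet_t kubernetes_var_lib_t:file manage_file_perms;
+allow kubelet_t kubernetes_var_lib_t:lnk_file manage_lnk_file_perms;
+allow kubelet_t kubernetes_var_lib_t:sock_file manage_sock_file_perms;
+files_var_lib_filetrans(kubelet_t, kubernetes_var_lib_t, dir)
+container_spec_filetrans_file(kubelet_t, kubernetes_var_lib_t, dir, "device-plugins")
+container_spec_filetrans_file(kubelet_t, kubernetes_var_lib_t, dir, "pods")
+container_spec_filetrans_file(kubelet_t, kubernetes_var_lib_t, dir, "plugins")
+container_spec_filetrans_file(kubelet_t, kubernetes_var_lib_t, dir, "plugins_registry")
+
+logging_log_filetrans(kubelet_t, kubernetes_log_t, { dir file })
+
+corenet_tcp_bind_generic_node(kubelet_t)
+
+corenet_tcp_bind_kubernetes_port(kubelet_t)
+corenet_tcp_connect_kubernetes_port(kubelet_t)
+
+corecmd_search_bin(kubelet_t)
+corecmd_watch_bin_dirs(kubelet_t)
+corecmd_exec_bin(kubelet_t)
+
+dev_getattr_mtrr_dev(kubelet_t)
+dev_read_kmsg(kubelet_t)
+dev_read_sysfs(kubelet_t)
+
+domain_dontaudit_read_all_domains_state(kubelet_t)
+domain_setpriority_all_domains(kubelet_t)
+
+files_dontaudit_getattr_all_dirs(kubelet_t)
+files_dontaudit_search_mnt(kubelet_t)
+files_dontaudit_search_tmp(kubelet_t)
+files_read_kernel_symbol_table(kubelet_t)
+# read /usr/share/mime/globs2
+files_read_usr_files(kubelet_t)
+
+fs_getattr_tmpfs(kubelet_t)
+fs_search_tmpfs(kubelet_t)
+fs_getattr_xattr_fs(kubelet_t)
+fs_getattr_cgroup(kubelet_t)
+fs_list_cgroup_dirs(kubelet_t)
+fs_watch_cgroup_dirs(kubelet_t)
+fs_rw_cgroup_files(kubelet_t)
+
+kernel_getattr_message_if(kubelet_t)
+kernel_read_ring_buffer(kubelet_t)
+kernel_read_irq_sysctls(kubelet_t)
+kernel_read_network_state(kubelet_t)
+kernel_read_system_state(kubelet_t)
+kernel_rw_kernel_sysctl(kubelet_t)
+kernel_rw_net_sysctls(kubelet_t)
+kernel_rw_vm_overcommit_sysctl(kubelet_t)
+kernel_dontaudit_getattr_proc(kubelet_t)
+
+storage_getattr_fixed_disk_dev(kubelet_t)
+
+auth_use_nsswitch(kubelet_t)
+
+iptables_domtrans(kubelet_t)
+iptables_getattr_runtime_files(kubelet_t)
+
+miscfiles_read_localization(kubelet_t)
+
+logging_send_syslog_msg(kubelet_t)
+
+modutils_domtrans(kubelet_t)
+
+mount_domtrans(kubelet_t)
+
+seutil_read_default_contexts(kubelet_t)
+
+userdom_dontaudit_search_user_runtime_root(kubelet_t)
+
+dbus_list_system_bus_runtime(kubelet_t)
+dbus_system_bus_client(kubelet_t)
+
+container_read_config(kubelet_t)
+container_getattr_fs(kubelet_t)
+# read /run/docker.pid
+container_read_runtime_files(kubelet_t)
+# connect to docker, podman, etc.
+container_stream_connect_system_engine(kubelet_t)
+
+container_list_var_lib(kubelet_t)
+container_manage_dirs(kubelet_t)
+container_manage_files(kubelet_t)
+container_manage_lnk_files(kubelet_t)
+container_manage_sock_files(kubelet_t)
+container_watch_dirs(kubelet_t)
+container_list_ro_dirs(kubelet_t)
+
+container_manage_log_dirs(kubelet_t)
+container_manage_log_files(kubelet_t)
+container_manage_log_symlinks(kubelet_t)
+
+# kubelet will preemptively relabel container
+# files to the same label even if the labels
+# are correct, so just dontaudit these
+container_dontaudit_relabel_dirs(kubelet_t)
+container_dontaudit_relabel_files(kubelet_t)
+
+ifdef(`init_systemd',`
+init_dbus_chat(kubelet_t)
+
+init_start_system(kubelet_t)
+init_get_transient_units_status(kubelet_t)
+init_start_transient_units(kubelet_t)
+init_stop_transient_units(kubelet_t)
+
+kubernetes_get_unit_status(kubelet_t)
+kubernetes_start_unit(kubelet_t)
+kubernetes_stop_unit(kubelet_t)
+')
+
+optional_policy(`
+docker_read_state(kubelet_t)
+docker_write_state(kubelet_t)
+')
+
+########################################
+#
+# kubeadm local policy
+#
+
+allow kubeadm_t self:process { getsched signal };
+dontaudit kubeadm_t self:capability net_admin;
+allow kubeadm_t self:fifo_file rw_fifo_file_perms;
+allow kubeadm_t self:netlink_route_socket create_netlink_socket_perms;
+allow kubeadm_t self:tcp_socket create_stream_socket_perms;
+allow kubeadm_t self:udp_socket create_socket_perms;
+allow kubeadm_t self:unix_dgram_socket create_socket_perms;
+
+domtrans_pattern(kubeadm_t, kubelet_exec_t, kubelet_t)
+ps_process_pattern(kubeadm_t, kubelet_t)
+
+manage_dirs_pattern(kubeadm_t, kubernetes_config_t, kubernetes_config_t)
+manage_files_pattern(kubeadm_t, kubernetes_config_t, kubernetes_config_t)
+manage_lnk_files_pattern(kubeadm_t, kubernetes_config_t, kubernetes_config_t)
+
+allow kubeadm_t kubernetes_var_lib_t:dir manage_dir_perms;
+allow kubeadm_t kubernetes_var_lib_t:file manage_file_perms;
+allow kubeadm_t kubernetes_var_lib_t:lnk_file manage_lnk_file_perms;
+allow kubeadm_t kubernetes_var_lib_t:sock_file manage_sock_file_perms;
+files_var_lib_filetrans(kubeadm_t, kubernetes_var_lib_t, dir)
+
+allow kubeadm_t kubernetes_home_t:dir search_dir_perms;
+allow kubeadm_t kubernetes_home_t:file read_file_perms;
+allow kubeadm_t kubernetes_home_t:lnk_file read_lnk_file_perms;
+
+corenet_tcp_bind_generic_node(kubeadm_t)
+
+corenet_tcp_connect_http_port(kubeadm_t)
+corenet_tcp_bind_kubernetes_port(kubeadm_t)
+corenet_tcp_connect_kubernetes_port(kubeadm_t)
+
+corecmd_getattr_all_executables(kubeadm_t)
+corecmd_exec_bin(kubeadm_t)
+
+domain_use_interactive_fds(kubeadm_t)
+
+files_read_boot_files(kubeadm_t)
+files_read_etc_files(kubeadm_t)
+
+fs_getattr_tmpfs(kubeadm_t)
+fs_getattr_xattr_fs(kubeadm_t)
+fs_getattr_cgroup(kubeadm_t)
+fs_search_cgroup_dirs(kubeadm_t)
+fs_read_cgroup_files(kubeadm_t)
+
+kernel_read_network_state(kubeadm_t)
+kernel_read_system_state(kubeadm_t)
+kernel_read_net_sysctls(kubeadm_t)
+kernel_read_kernel_sysctls(kubeadm_t)
+kernel_dontaudit_getattr_proc(kubeadm_t)
+
+auth_use_nsswitch(kubeadm_t)
+
+init_read_state(kubeadm_t)
+init_write_runtime_socket(kubeadm_t)
+
+logging_search_logs(kubeadm_t)
+
+miscfiles_read_generic_certs(kubeadm_t)
+miscfiles_read_localization(kubeadm_t)
+
+userdom_search_user_home_content(kubeadm_t)
+userdom_use_user_terminals(kubeadm_t)
+userdom_lock_user_terminals(kubeadm_t)
+
+# getattr on /run/docker.sock
+container_getattr_runtime_sock_files(kubeadm_t)
+# for connecting to cri-o and maybe others
+container_stream_connect_system_engine(kubeadm_t)
+
+container_list_var_lib(kubeadm_t)
+container_manage_var_lib_dirs(kubeadm_t)
+container_manage_var_lib_files(kubeadm_t)
+container_manage_dirs(kubeadm_t)
+container_manage_files(kubeadm_t)
+container_manage_lnk_files(kubeadm_t)
+container_manage_sock_files(kubeadm_t)
+
+ifdef(`init_systemd',`
+init_get_system_status(kubeadm_t)
+init_reload(kubeadm_t)
+
+init_get_generic_units_status(kubeadm_t)
+
+kubernetes_get_unit_status(kubeadm_t)
+kubernetes_start_unit(kubeadm_t)
+kubernetes_stop_unit(kubeadm_t)
+
+systemd_list_journal_dirs(kubeadm_t)
+systemd_read_journal_files(kubeadm_t)
+')
+
+optional_policy(`
+docker_domtrans_cli(kubeadm_t)
+docker_read_state(kubeadm_t)
+')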
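Review bot: kubelet_t gets `files_etc_filetrans(kubelet_t, kubernetes_config_t, dir)` but only `{ list_dir_perms watch }` on kubernetes_config_t directories, so the transition can never complete: creating the directory would need create_dir_perms on the new type, and if filetrans_pattern also grants rw_dir_perms on etc_t (as I recall it does) kubelet is left with add/remove-entry on /etc for no benefit. Either drop the filetrans line or add the create permission deliberately, with a comment naming the directory kubelet creates under /etc. The high-privilege rules for kubelet_t — `sys_ptrace` in both the capability and cap_userns lines, `domain_setpriority_all_domains`, `kernel_rw_kernel_sysctl`, and `init_start_system` inside the init_systemd block — carry no why-comment, while the file does comment lesser rules (`# read /run/docker.pid`); presumably they cover oom_score_adj adjustment and the kernel.panic / vm.overcommit sysctls kubelet writes, but a one-line comment per rule would let a later reviewer confirm each is still required rather than guess. The same applies to `dontaudit kubelet_t self:capability net_admin;`, where a note on whether kubelet genuinely never needs it (iptables work is delegated via iptables_domtrans) would justify silencing the denial.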
@ -162,6 +162,24 @@ interface(`iptables_manage_config',`
|
||||
manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of iptables runtime files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`iptables_getattr_runtime_files',`
|
||||
gen_require(`
|
||||
type iptables_runtime_t;
|
||||
')
|
||||
|
||||
allow $1 iptables_runtime_t:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## dontaudit reading iptables_runtime_t (Deprecated)
|
||||
|
@ -4292,6 +4292,25 @@ interface(`userdom_dontaudit_use_user_terminals',`
|
||||
dontaudit $1 user_devpts_t:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Lock user TTYs and PTYs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_lock_user_terminals',`
|
||||
gen_require(`
|
||||
type user_tty_device_t, user_devpts_t;
|
||||
')
|
||||
|
||||
allow $1 user_tty_device_t:chr_file lock;
|
||||
allow $1 user_devpts_t:chr_file lock;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a shell in all user domains. This
|
||||
|
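Review bot: userdom_lock_user_terminals is an allow interface, but its parameter summary says `## Domain to not audit.`, evidently carried over from userdom_dontaudit_use_user_terminals directly above it; it should read `## Domain allowed access.`. The body, two `lock` rules on user_tty_device_t and user_devpts_t chr_files, matches the summary "Lock user TTYs and PTYs." and its single caller kubeadm_t in this commit, so only the doc line needs changing.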