various: allow using glusterfs as backing storage for k8s
Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
parent
3b3d3715c9
commit
d4c5bd96c8
@ -2583,6 +2583,26 @@ interface(`fs_search_fusefs',`
|
||||
allow $1 fusefs_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List the contents of directories
|
||||
## on a FUSEFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_list_fusefs',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
allow $1 fusefs_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to list the contents
|
||||
@ -2602,6 +2622,26 @@ interface(`fs_dontaudit_list_fusefs',`
|
||||
dontaudit $1 fusefs_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set the attributes of directories
|
||||
## on a FUSEFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_setattr_fusefs_dirs',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
allow $1 fusefs_t:dir setattr_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete directories
|
||||
@ -2642,6 +2682,26 @@ interface(`fs_dontaudit_manage_fusefs_dirs',`
|
||||
dontaudit $1 fusefs_t:dir manage_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of files on a
|
||||
## FUSEFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_getattr_fusefs_files',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
getattr_files_pattern($1, fusefs_t, fusefs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read, a FUSEFS filesystem.
|
||||
@ -2680,6 +2740,26 @@ interface(`fs_exec_fusefs_files',`
|
||||
exec_files_pattern($1, fusefs_t, fusefs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set the attributes of files on a
|
||||
## FUSEFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_setattr_fusefs_files',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
allow $1 fusefs_t:file setattr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete files
|
||||
@ -2720,6 +2800,26 @@ interface(`fs_dontaudit_manage_fusefs_files',`
|
||||
dontaudit $1 fusefs_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of symlinks
|
||||
## on a FUSEFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_getattr_fusefs_symlinks',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
allow $1 fusefs_t:lnk_file getattr_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read symbolic links on a FUSEFS filesystem.
|
||||
@ -2739,6 +2839,26 @@ interface(`fs_read_fusefs_symlinks',`
|
||||
read_lnk_files_pattern($1, fusefs_t, fusefs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set the attributes of symlinks
|
||||
## on a FUSEFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_setattr_fusefs_symlinks',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
allow $1 fusefs_t:lnk_file setattr_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage symlinks on a FUSEFS filesystem.
|
||||
@ -2758,6 +2878,186 @@ interface(`fs_manage_fusefs_symlinks',`
|
||||
manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of named pipes
|
||||
## on a FUSEFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_getattr_fusefs_fifo_files',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
allow $1 fusefs_t:fifo_file getattr_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set the attributes of named pipes
|
||||
## on a FUSEFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_setattr_fusefs_fifo_files',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
allow $1 fusefs_t:fifo_file setattr_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage named pipes on a FUSEFS
|
||||
## filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_manage_fusefs_fifo_files',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
allow $1 fusefs_t:fifo_file manage_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of named sockets
|
||||
## on a FUSEFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_getattr_fusefs_sock_files',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
allow $1 fusefs_t:sock_file getattr_sock_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set the attributes of named sockets
|
||||
## on a FUSEFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_setattr_fusefs_sock_files',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
allow $1 fusefs_t:sock_file setattr_sock_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage named sockets on a FUSEFS
|
||||
## filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_manage_fusefs_sock_files',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
allow $1 fusefs_t:sock_file manage_sock_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of character files
|
||||
## on a FUSEFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_getattr_fusefs_chr_files',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
allow $1 fusefs_t:chr_file getattr_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set the attributes of character files
|
||||
## on a FUSEFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_setattr_fusefs_chr_files',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
allow $1 fusefs_t:chr_file setattr_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage character files on a FUSEFS
|
||||
## filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_manage_fusefs_chr_files',`
|
||||
gen_require(`
|
||||
type fusefs_t;
|
||||
')
|
||||
|
||||
allow $1 fusefs_t:chr_file manage_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of an hugetlbfs
|
||||
@ -3242,6 +3542,25 @@ interface(`fs_dontaudit_list_nfs',`
|
||||
dontaudit $1 nfs_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Add a watch on directories on an NFS
|
||||
## filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_watch_nfs_dirs',`
|
||||
gen_require(`
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
allow $1 nfs_t:dir watch;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mounton a NFS filesystem.
|
||||
@ -3397,6 +3716,24 @@ interface(`fs_dontaudit_rw_nfs_files',`
|
||||
dontaudit $1 nfs_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Add a watch on files on an NFS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_watch_nfs_files',`
|
||||
gen_require(`
|
||||
type nfs_t;
|
||||
')
|
||||
|
||||
allow $1 nfs_t:file watch;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read symbolic links on a NFS filesystem.
|
||||
|
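Review bot: The new fusefs accessors are inconsistent in how much they grant: `fs_getattr_fusefs_files` uses `getattr_files_pattern($1, fusefs_t, fusefs_t)`, which also grants search_dir_perms on fusefs_t directories, while the sibling interfaces added in the same commit (`fs_setattr_fusefs_files`, `fs_getattr_fusefs_symlinks`, `fs_setattr_fusefs_*`, `fs_getattr_fusefs_fifo_files`, `fs_getattr_fusefs_sock_files`, `fs_getattr_fusefs_chr_files`) are bare `allow` rules with no directory access. A caller of the bare interfaces therefore also needs `fs_search_fusefs` or `fs_list_fusefs` (as kubernetes.te does), but nothing in the XML doc says so. Either use the same `*_pattern` form for all of them, or add a line such as `## This does not grant directory search; pair with fs_search_fusefs().` to each bare-allow interface's summary so the least-privilege choice is visible to callers. All of these interfaces are complete within their hunks.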
@ -276,9 +276,12 @@ files_read_usr_symlinks(container_domain)
|
||||
|
||||
fs_getattr_all_fs(container_domain)
|
||||
fs_list_inotifyfs(container_domain)
|
||||
# for rootless containers
|
||||
# for rootless containers and containers using fusefs mounts
|
||||
fs_manage_fusefs_dirs(container_domain)
|
||||
fs_manage_fusefs_files(container_domain)
|
||||
fs_manage_fusefs_chr_files(container_domain)
|
||||
fs_manage_fusefs_fifo_files(container_domain)
|
||||
fs_manage_fusefs_sock_files(container_domain)
|
||||
fs_manage_fusefs_symlinks(container_domain)
|
||||
fs_exec_fusefs_files(container_domain)
|
||||
fs_fusefs_entry_type(container_domain)
|
||||
@ -339,6 +342,8 @@ tunable_policy(`container_use_nfs',`
|
||||
fs_manage_nfs_named_sockets(container_domain)
|
||||
fs_read_nfs_symlinks(container_domain)
|
||||
fs_exec_nfs_files(container_domain)
|
||||
fs_watch_nfs_dirs(container_domain)
|
||||
fs_watch_nfs_files(container_domain)
|
||||
')
|
||||
|
||||
tunable_policy(`container_use_samba',`
|
||||
@ -480,7 +485,7 @@ allow container_engine_domain container_port_t:tcp_socket name_bind;
|
||||
dontaudit container_engine_domain container_domain:process { noatsecure rlimitinh siginh };
|
||||
allow container_engine_domain container_domain:process2 { nnp_transition nosuid_transition };
|
||||
|
||||
allow container_engine_domain container_mountpoint_type:dir search_dir_perms;
|
||||
allow container_engine_domain container_mountpoint_type:dir list_dir_perms;
|
||||
allow container_engine_domain container_mountpoint_type:dir_file_class_set { getattr mounton };
|
||||
|
||||
corecmd_bin_entry_type(container_engine_domain)
|
||||
|
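Review bot: The fusefs manage rules, including the newly added `fs_manage_fusefs_chr_files(container_domain)`, `fs_manage_fusefs_fifo_files(container_domain)` and `fs_manage_fusefs_sock_files(container_domain)`, are granted unconditionally to every container domain, whereas the equivalent NFS access in this same file is gated behind `tunable_policy(\`container_use_nfs',` a few lines later. Granting create/delete of chr_file, fifo_file and sock_file objects on any FUSE mount to all containers is broader than the "rootless containers" case the old comment described; consider gating the new lines behind a tunable (or the existing NFS-style pattern) or adding a comment that states why every container needs them. Separately, the later hunk in this section widens the engine's container_mountpoint_type access from search_dir_perms to list_dir_perms; a one-line comment naming the operation that needs listing would help future reviewers. The enclosing blocks continue outside the hunks.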
@ -84,6 +84,25 @@ interface(`glusterfs_use_daemon_fds',`
|
||||
allow $1 glusterd_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search through the contents of gluster brick
|
||||
## directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`glusterfs_search_bricks',`
|
||||
gen_require(`
|
||||
type glusterd_brick_t;
|
||||
')
|
||||
|
||||
allow $1 glusterd_brick_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to
|
||||
|
@ -48,7 +48,7 @@ files_type(glusterd_hook_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow glusterd_t self:capability { chown dac_override dac_read_search fowner ipc_lock sys_admin sys_resource };
|
||||
allow glusterd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock sys_admin sys_ptrace sys_resource };
|
||||
allow glusterd_t self:process { getsched setrlimit signal signull };
|
||||
allow glusterd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow glusterd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
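Review bot: Adding `sys_ptrace` to glusterd_t's self:capability is a significant privilege increase that the commit message does not justify, and neither fsetid nor sys_ptrace gets a comment in the hunk. In refpolicy, sys_ptrace denials are frequently triggered by a process probing another process's /proc entries rather than by real tracing, in which case a targeted `dontaudit` or a narrower rule is preferable to granting the capability. Please add the reason above the rule, e.g. `# sys_ptrace: needed for <operation seen in the AVC denial — TODO confirm>`, and if it turns out to be a probe, drop it in favour of a dontaudit. The surrounding glusterd_t local policy continues outside the hunk.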
@ -82,6 +82,12 @@ files_getattr_kernel_modules(kubernetes_container_engine_domain)
|
||||
# for replicated storage that may be mounted in /mnt
|
||||
files_search_mnt(kubernetes_container_engine_domain)
|
||||
|
||||
fs_manage_fusefs_dirs(kubernetes_container_engine_domain)
|
||||
fs_manage_fusefs_files(kubernetes_container_engine_domain)
|
||||
fs_manage_fusefs_chr_files(kubernetes_container_engine_domain)
|
||||
fs_manage_fusefs_fifo_files(kubernetes_container_engine_domain)
|
||||
fs_manage_fusefs_sock_files(kubernetes_container_engine_domain)
|
||||
fs_manage_fusefs_symlinks(kubernetes_container_engine_domain)
|
||||
fs_mounton_tmpfs(kubernetes_container_engine_domain)
|
||||
fs_relabelfrom_tmpfs_dirs(kubernetes_container_engine_domain)
|
||||
|
||||
@ -130,6 +136,11 @@ tunable_policy(`container_read_public_content',`
|
||||
miscfiles_mounton_all_public_files(kubernetes_container_engine_domain)
|
||||
')
|
||||
|
||||
tunable_policy(`container_use_nfs',`
|
||||
fs_getattr_nfs(kubernetes_container_engine_domain)
|
||||
fs_remount_nfs(kubernetes_container_engine_domain)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# common kubernetes container policy
|
||||
@ -238,6 +249,20 @@ fs_getattr_cgroup(kubelet_t)
|
||||
fs_manage_cgroup_dirs(kubelet_t)
|
||||
fs_manage_cgroup_files(kubelet_t)
|
||||
fs_watch_cgroup_dirs(kubelet_t)
|
||||
# setattr on fusefs needed to chown on persistent storage
|
||||
fs_getattr_fusefs(kubelet_t)
|
||||
fs_list_fusefs(kubelet_t)
|
||||
fs_setattr_fusefs_dirs(kubelet_t)
|
||||
fs_getattr_fusefs_files(kubelet_t)
|
||||
fs_setattr_fusefs_files(kubelet_t)
|
||||
fs_getattr_fusefs_chr_files(kubelet_t)
|
||||
fs_setattr_fusefs_chr_files(kubelet_t)
|
||||
fs_getattr_fusefs_fifo_files(kubelet_t)
|
||||
fs_setattr_fusefs_fifo_files(kubelet_t)
|
||||
fs_getattr_fusefs_sock_files(kubelet_t)
|
||||
fs_setattr_fusefs_sock_files(kubelet_t)
|
||||
fs_getattr_fusefs_symlinks(kubelet_t)
|
||||
fs_setattr_fusefs_symlinks(kubelet_t)
|
||||
|
||||
kernel_dontaudit_getattr_proc(kubelet_t)
|
||||
kernel_getattr_message_if(kubelet_t)
|
||||
@ -319,7 +344,7 @@ container_manage_dirs(kubelet_t)
|
||||
container_manage_files(kubelet_t)
|
||||
container_manage_lnk_files(kubelet_t)
|
||||
container_manage_sock_files(kubelet_t)
|
||||
container_rw_fifo_files(kubelet_t)
|
||||
container_manage_fifo_files(kubelet_t)
|
||||
container_watch_dirs(kubelet_t)
|
||||
container_list_ro_dirs(kubelet_t)
|
||||
container_relabel_all_content(kubelet_t)
|
||||
@ -367,10 +392,21 @@ tunable_policy(`container_use_nfs',`
|
||||
fs_manage_nfs_symlinks(kubelet_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
tunable_policy(`container_use_nfs',`
|
||||
rpc_read_rpcd_state(kubelet_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
crio_read_conmon_state(kubelet_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# for mounting volumes on bricks
|
||||
glusterfs_search_bricks(kubelet_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# kubeadm local policy
|
||||
|
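Review bot: The block of `fs_manage_fusefs_*(kubernetes_container_engine_domain)` calls is added with no comment, unlike the neighbouring `files_search_mnt` line and the kubelet hunk later in this section (`# setattr on fusefs needed to chown on persistent storage`), so a reader cannot tell which volume type drives the manage access on chr_file, fifo_file and sock_file objects. Given the commit title, this is presumably for FUSE-backed (glusterfs) persistent volumes; add a comment such as `# for managing fuse-backed persistent volumes (glusterfs) on behalf of pods` above the first line, or narrow the set if only files and dirs are actually needed. The later hunk also replaces `container_rw_fifo_files(kubelet_t)` with `container_manage_fifo_files(kubelet_t)`, which adds create/unlink on container fifo files; a short comment there would document why the widening is required. The enclosing policy blocks continue outside these hunks.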
@ -181,6 +181,25 @@ interface(`rpc_initrc_domtrans_rpcd',`
|
||||
init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the process state (/proc/pid) of
|
||||
## rpcd.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`rpc_read_rpcd_state',`
|
||||
gen_require(`
|
||||
type rpcd_t;
|
||||
')
|
||||
|
||||
ps_process_pattern($1, rpcd_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Inherit and use file descriptors from
|
||||
|