various: allow using glusterfs as backing storage for k8s

Signed-off-by: Kenton Groombridge <me@concord.sh>
Kenton Groombridge 2022-10-02 15:49:55 -04:00
parent 3b3d3715c9
commit d4c5bd96c8
6 changed files with 420 additions and 4 deletions


@ -2583,6 +2583,26 @@ interface(`fs_search_fusefs',`
allow $1 fusefs_t:dir search_dir_perms;
')
########################################
## <summary>
## List the contents of directories
## on a FUSEFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_list_fusefs',`
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:dir list_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to list the contents
@ -2602,6 +2622,26 @@ interface(`fs_dontaudit_list_fusefs',`
dontaudit $1 fusefs_t:dir list_dir_perms;
')
########################################
## <summary>
## Set the attributes of directories
## on a FUSEFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_setattr_fusefs_dirs',`
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:dir setattr_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete directories
@ -2642,6 +2682,26 @@ interface(`fs_dontaudit_manage_fusefs_dirs',`
dontaudit $1 fusefs_t:dir manage_dir_perms;
')
########################################
## <summary>
## Get the attributes of files on a
## FUSEFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_getattr_fusefs_files',`
gen_require(`
type fusefs_t;
')
getattr_files_pattern($1, fusefs_t, fusefs_t)
')
########################################
## <summary>
## Read, a FUSEFS filesystem.
@ -2680,6 +2740,26 @@ interface(`fs_exec_fusefs_files',`
exec_files_pattern($1, fusefs_t, fusefs_t)
')
########################################
## <summary>
## Set the attributes of files on a
## FUSEFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_setattr_fusefs_files',`
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:file setattr_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete files
@ -2720,6 +2800,26 @@ interface(`fs_dontaudit_manage_fusefs_files',`
dontaudit $1 fusefs_t:file manage_file_perms;
')
########################################
## <summary>
## Get the attributes of symlinks
## on a FUSEFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_getattr_fusefs_symlinks',`
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:lnk_file getattr_lnk_file_perms;
')
########################################
## <summary>
## Read symbolic links on a FUSEFS filesystem.
@ -2739,6 +2839,26 @@ interface(`fs_read_fusefs_symlinks',`
read_lnk_files_pattern($1, fusefs_t, fusefs_t)
')
########################################
## <summary>
## Set the attributes of symlinks
## on a FUSEFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_setattr_fusefs_symlinks',`
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:lnk_file setattr_lnk_file_perms;
')
########################################
## <summary>
## Manage symlinks on a FUSEFS filesystem.
@ -2758,6 +2878,186 @@ interface(`fs_manage_fusefs_symlinks',`
manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
')
########################################
## <summary>
## Get the attributes of named pipes
## on a FUSEFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_getattr_fusefs_fifo_files',`
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:fifo_file getattr_fifo_file_perms;
')
########################################
## <summary>
## Set the attributes of named pipes
## on a FUSEFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_setattr_fusefs_fifo_files',`
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:fifo_file setattr_fifo_file_perms;
')
########################################
## <summary>
## Manage named pipes on a FUSEFS
## filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_manage_fusefs_fifo_files',`
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:fifo_file manage_fifo_file_perms;
')
########################################
## <summary>
## Get the attributes of named sockets
## on a FUSEFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_getattr_fusefs_sock_files',`
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:sock_file getattr_sock_file_perms;
')
########################################
## <summary>
## Set the attributes of named sockets
## on a FUSEFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_setattr_fusefs_sock_files',`
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:sock_file setattr_sock_file_perms;
')
########################################
## <summary>
## Manage named sockets on a FUSEFS
## filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_manage_fusefs_sock_files',`
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:sock_file manage_sock_file_perms;
')
########################################
## <summary>
## Get the attributes of character files
## on a FUSEFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_getattr_fusefs_chr_files',`
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:chr_file getattr_chr_file_perms;
')
########################################
## <summary>
## Set the attributes of character files
## on a FUSEFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_setattr_fusefs_chr_files',`
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:chr_file setattr_chr_file_perms;
')
########################################
## <summary>
## Manage character files on a FUSEFS
## filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_manage_fusefs_chr_files',`
gen_require(`
type fusefs_t;
')
allow $1 fusefs_t:chr_file manage_chr_file_perms;
')
########################################
## <summary>
## Get the attributes of an hugetlbfs
@ -3242,6 +3542,25 @@ interface(`fs_dontaudit_list_nfs',`
dontaudit $1 nfs_t:dir list_dir_perms;
')
########################################
## <summary>
## Add a watch on directories on an NFS
## filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_watch_nfs_dirs',`
gen_require(`
type nfs_t;
')
allow $1 nfs_t:dir watch;
')
########################################
## <summary>
## Mounton a NFS filesystem.
@ -3397,6 +3716,24 @@ interface(`fs_dontaudit_rw_nfs_files',`
dontaudit $1 nfs_t:file rw_file_perms;
')
########################################
## <summary>
## Add a watch on files on an NFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_watch_nfs_files',`
gen_require(`
type nfs_t;
')
allow $1 nfs_t:file watch;
')
########################################
## <summary>
## Read symbolic links on a NFS filesystem.
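Review bot: `fs_getattr_fusefs_files` is the one new getattr interface written with a pattern macro, `getattr_files_pattern($1, fusefs_t, fusefs_t)`, which also grants `search_dir_perms` on fusefs_t directories, whereas the sibling interfaces added in the same commit (`fs_getattr_fusefs_symlinks`, `_fifo_files`, `_sock_files`, `_chr_files` and all the setattr ones) use a bare `allow` on the object class only. Both forms are valid refpolicy, but the extra directory search is invisible to a caller reading the interface summary; for consistency with its siblings I would write `allow $1 fusefs_t:file getattr_file_perms;`, or keep the pattern and add `## Also grants search on fusefs_t directories.` to the summary so the difference is documented. A smaller point: the two new NFS interfaces (`fs_watch_nfs_dirs`, `fs_watch_nfs_files`) omit `<rolecap/>` while every new fusefs interface carries it; if that is deliberate it may be worth a word, since the interfaces are otherwise parallel.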


@ -276,9 +276,12 @@ files_read_usr_symlinks(container_domain)
fs_getattr_all_fs(container_domain)
fs_list_inotifyfs(container_domain)
# for rootless containers
# for rootless containers and containers using fusefs mounts
fs_manage_fusefs_dirs(container_domain)
fs_manage_fusefs_files(container_domain)
fs_manage_fusefs_chr_files(container_domain)
fs_manage_fusefs_fifo_files(container_domain)
fs_manage_fusefs_sock_files(container_domain)
fs_manage_fusefs_symlinks(container_domain)
fs_exec_fusefs_files(container_domain)
fs_fusefs_entry_type(container_domain)
@ -339,6 +342,8 @@ tunable_policy(`container_use_nfs',`
fs_manage_nfs_named_sockets(container_domain)
fs_read_nfs_symlinks(container_domain)
fs_exec_nfs_files(container_domain)
fs_watch_nfs_dirs(container_domain)
fs_watch_nfs_files(container_domain)
')
tunable_policy(`container_use_samba',`
@ -480,7 +485,7 @@ allow container_engine_domain container_port_t:tcp_socket name_bind;
dontaudit container_engine_domain container_domain:process { noatsecure rlimitinh siginh };
allow container_engine_domain container_domain:process2 { nnp_transition nosuid_transition };
allow container_engine_domain container_mountpoint_type:dir search_dir_perms;
allow container_engine_domain container_mountpoint_type:dir list_dir_perms;
allow container_engine_domain container_mountpoint_type:dir_file_class_set { getattr mounton };
corecmd_bin_entry_type(container_engine_domain)
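Review bot: The new `fs_manage_fusefs_chr_files`, `fs_manage_fusefs_fifo_files` and `fs_manage_fusefs_sock_files` rules in the first hunk apply unconditionally to every `container_domain`, while the NFS access in the same file, including the new `fs_watch_nfs_dirs`/`fs_watch_nfs_files` lines, is gated behind `tunable_policy(`container_use_nfs',`. This follows the pre-existing unconditional `fs_manage_fusefs_dirs`/`fs_manage_fusefs_files` lines, but manage on chr_file is a noticeably wider grant than the rootless-container case the old comment described, so the updated comment would benefit from naming the use case, e.g. `# for rootless containers and for volumes backed by FUSE filesystems (e.g. glusterfs)`, or the new rules could sit behind a tunable of their own. The `search_dir_perms` to `list_dir_perms` change on `container_mountpoint_type` in the last hunk is a small widening that presumably supports enumerating mountpoints; a one-line reason on that rule would record it. The `tunable_policy` block of the second hunk starts outside the hunk.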


@ -84,6 +84,25 @@ interface(`glusterfs_use_daemon_fds',`
allow $1 glusterd_t:fd use;
')
########################################
## <summary>
## Search through the contents of gluster brick
## directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`glusterfs_search_bricks',`
gen_require(`
type glusterd_brick_t;
')
allow $1 glusterd_brick_t:dir search_dir_perms;
')
########################################
## <summary>
## All of the rules required to


@ -48,7 +48,7 @@ files_type(glusterd_hook_t)
# Local policy
#
allow glusterd_t self:capability { chown dac_override dac_read_search fowner ipc_lock sys_admin sys_resource };
allow glusterd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock sys_admin sys_ptrace sys_resource };
allow glusterd_t self:process { getsched setrlimit signal signull };
allow glusterd_t self:fifo_file rw_fifo_file_perms;
allow glusterd_t self:tcp_socket create_stream_socket_perms;
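Review bot: `sys_ptrace` is added to the `glusterd_t self:capability` set with no comment on which operation needs it. In refpolicy this capability is commonly requested only because the kernel checks CAP_SYS_PTRACE when a process reads another process's `/proc/<pid>` entries, and modules then silence it with `dontaudit glusterd_t self:capability sys_ptrace;` rather than allow it; if the denial here came from such a read, the dontaudit form keeps the log quiet without granting the ability to inspect or trace other processes. If glusterd genuinely needs the capability, a comment on the rule naming the operation lets the next reviewer verify it. `fsetid` is plausibly needed to preserve setgid bits when chowning brick content, which would match the chown rationale given in the kubernetes module, and that too merits a short comment.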


@ -82,6 +82,12 @@ files_getattr_kernel_modules(kubernetes_container_engine_domain)
# for replicated storage that may be mounted in /mnt
files_search_mnt(kubernetes_container_engine_domain)
fs_manage_fusefs_dirs(kubernetes_container_engine_domain)
fs_manage_fusefs_files(kubernetes_container_engine_domain)
fs_manage_fusefs_chr_files(kubernetes_container_engine_domain)
fs_manage_fusefs_fifo_files(kubernetes_container_engine_domain)
fs_manage_fusefs_sock_files(kubernetes_container_engine_domain)
fs_manage_fusefs_symlinks(kubernetes_container_engine_domain)
fs_mounton_tmpfs(kubernetes_container_engine_domain)
fs_relabelfrom_tmpfs_dirs(kubernetes_container_engine_domain)
@ -130,6 +136,11 @@ tunable_policy(`container_read_public_content',`
miscfiles_mounton_all_public_files(kubernetes_container_engine_domain)
')
tunable_policy(`container_use_nfs',`
fs_getattr_nfs(kubernetes_container_engine_domain)
fs_remount_nfs(kubernetes_container_engine_domain)
')
########################################
#
# common kubernetes container policy
@ -238,6 +249,20 @@ fs_getattr_cgroup(kubelet_t)
fs_manage_cgroup_dirs(kubelet_t)
fs_manage_cgroup_files(kubelet_t)
fs_watch_cgroup_dirs(kubelet_t)
# setattr on fusefs needed to chown on persistent storage
fs_getattr_fusefs(kubelet_t)
fs_list_fusefs(kubelet_t)
fs_setattr_fusefs_dirs(kubelet_t)
fs_getattr_fusefs_files(kubelet_t)
fs_setattr_fusefs_files(kubelet_t)
fs_getattr_fusefs_chr_files(kubelet_t)
fs_setattr_fusefs_chr_files(kubelet_t)
fs_getattr_fusefs_fifo_files(kubelet_t)
fs_setattr_fusefs_fifo_files(kubelet_t)
fs_getattr_fusefs_sock_files(kubelet_t)
fs_setattr_fusefs_sock_files(kubelet_t)
fs_getattr_fusefs_symlinks(kubelet_t)
fs_setattr_fusefs_symlinks(kubelet_t)
kernel_dontaudit_getattr_proc(kubelet_t)
kernel_getattr_message_if(kubelet_t)
@ -319,7 +344,7 @@ container_manage_dirs(kubelet_t)
container_manage_files(kubelet_t)
container_manage_lnk_files(kubelet_t)
container_manage_sock_files(kubelet_t)
container_rw_fifo_files(kubelet_t)
container_manage_fifo_files(kubelet_t)
container_watch_dirs(kubelet_t)
container_list_ro_dirs(kubelet_t)
container_relabel_all_content(kubelet_t)
@ -367,10 +392,21 @@ tunable_policy(`container_use_nfs',`
fs_manage_nfs_symlinks(kubelet_t)
')
optional_policy(`
tunable_policy(`container_use_nfs',`
rpc_read_rpcd_state(kubelet_t)
')
')
optional_policy(`
crio_read_conmon_state(kubelet_t)
')
optional_policy(`
# for mounting volumes on bricks
glusterfs_search_bricks(kubelet_t)
')
########################################
#
# kubeadm local policy
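Review bot: `container_rw_fifo_files(kubelet_t)` is widened to `container_manage_fifo_files(kubelet_t)` in the fourth hunk without a comment, so it is unclear whether kubelet now creates or unlinks fifos in container content or whether this merely mirrors the new fusefs fifo rules. Likewise `fs_remount_nfs(kubernetes_container_engine_domain)` in the second hunk grants remount, presumably to change mount options on an already-mounted NFS volume, rather than a plain mount; a comment such as `# remount needed to apply per-pod mount options on NFS volumes` (if that is the reason) would record the need. The other hunks in this file do carry rationale comments (`# for replicated storage ...`, `# setattr on fusefs needed to chown ...`, `# for mounting volumes on bricks`), and keeping that convention for the two widenings above makes later audits of these rules much easier.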


@ -181,6 +181,25 @@ interface(`rpc_initrc_domtrans_rpcd',`
init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
')
########################################
## <summary>
## Read the process state (/proc/pid) of
## rpcd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpc_read_rpcd_state',`
gen_require(`
type rpcd_t;
')
ps_process_pattern($1, rpcd_t)
')
#######################################
## <summary>
## Inherit and use file descriptors from