selinux-refpolicy/policy/modules/services/crio.te
Kenton Groombridge cd929e846b various: fixes for kubernetes
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-11-06 18:42:15 -05:00


policy_module(crio)
########################################
#
# Declarations
#
# crio_t is the CRI-O engine domain. The engine template creates the
# domain and its associated types; the two interfaces after it layer the
# generic system-engine permissions and the kubernetes-specific ones on
# top of it.
container_engine_domain_template(crio)
container_system_engine(crio_t)
kubernetes_container_engine(crio_t)
# Entry point: init transitions into crio_t when it executes a file
# labeled crio_exec_t.
type crio_exec_t;
container_engine_executable_file(crio_exec_t)
init_daemon_domain(crio_t, crio_exec_t)
# With MLS enabled the daemon is started ranged s0 - mls_systemhigh,
# presumably so that it can manage containers at any level.
ifdef(`enable_mls',`
init_ranged_daemon_domain(crio_t, crio_exec_t, s0 - mls_systemhigh)
')
# NOTE(review): mls_trusted_object relaxes MLS constraints on objects
# labeled crio_t (e.g. its sockets); confirm this is still needed given
# the ranged daemon domain above, since it widens cross-level access.
mls_trusted_object(crio_t)
# conmon processes spawned by crio_t run in crio_conmon_t, derived from
# the podman conmon template. The role line is needed because the
# engine runs as an init daemon in system_r.
podman_conmon_domain_template(crio, crio_t)
role system_r types crio_conmon_t;
########################################
#
# crio local policy
#
# The engine may SIGKILL the conmon processes it spawned.
allow crio_t crio_conmon_t:process sigkill;
# Host trees CRI-O needs to mount on (presumably bind mounts into
# container rootfs); each line grants mounton for one tree.
corecmd_mounton_bin_dirs(crio_t)
# dontaudit only: silences getattr denials on generic char devices
# without granting the access.
dev_dontaudit_getattr_generic_chr_files(crio_t)
files_mounton_kernel_modules_dirs(crio_t)
# mounts on /etc/ca-certificates
files_mounton_etc_dirs(crio_t)
# watch /usr/share/containers/oci/hooks.d
files_watch_usr_dirs(crio_t)
kernel_dgram_send(crio_t)
kernel_read_irq_sysctls(crio_t)
auth_use_nsswitch(crio_t)
iptables_mounton_runtime_files(crio_t)
miscfiles_mounton_generic_cert_dirs(crio_t)
# tries to search for /root/.config/containers/registries.conf
xdg_dontaudit_search_config_dirs(crio_t)
container_watch_config_dirs(crio_t)
# Ensure conmon runs in s0 so that it can talk to the container
podman_spec_rangetrans_conmon(crio_t, s0)
# kubelet configuration: read access plus mounton on its dirs/files.
kubernetes_search_config(crio_t)
kubernetes_mounton_config_dirs(crio_t)
kubernetes_mounton_config_files(crio_t)
# kubelet creates tmpfs files that CRI-O will
# relabel to container_file_t
# (only relabelfrom is granted here; the matching relabelto is
# presumably supplied by the engine template above)
kubernetes_list_tmpfs(crio_t)
kubernetes_relabelfrom_tmpfs_dirs(crio_t)
kubernetes_relabelfrom_tmpfs_files(crio_t)
kubernetes_relabelfrom_tmpfs_symlinks(crio_t)
# NOTE(review): this domain transition to fstools has no comment saying
# which filesystem tool CRI-O executes; document it so the rule can be
# revisited if that code path goes away.
optional_policy(`
fstools_domtrans(crio_t)
')
########################################
#
# crio conmon local policy
#
# NOTE(review): sys_ptrace is a broad capability; a comment naming the
# operation conmon needs it for would make this rule easier to audit.
allow crio_conmon_t self:capability { kill sys_ptrace sys_resource };
files_search_tmp(crio_conmon_t)
fs_list_cgroup_dirs(crio_conmon_t)
# Stream sockets and fds inherited across the fork/exec from the engine,
# which itself was started by init.
init_rw_inherited_stream_socket(crio_conmon_t)
init_use_fds(crio_conmon_t)
# Broad by design: conmon may signal every container domain and read the
# state of all containers, not only the one it supervises.
container_kill_all_containers(crio_conmon_t)
container_read_all_container_state(crio_conmon_t)
# for kubernetes debug pods
container_use_container_ptys(crio_conmon_t)
# crio logs are tmp files
container_manage_engine_tmp_files(crio_conmon_t)
container_manage_engine_tmp_sock_files(crio_conmon_t)
container_engine_tmp_filetrans(crio_conmon_t, { file sock_file })
# Container runtime state: regular, link, fifo and socket files.
container_manage_runtime_files(crio_conmon_t)
container_manage_runtime_lnk_files(crio_conmon_t)
container_manage_runtime_fifo_files(crio_conmon_t)
container_manage_runtime_sock_files(crio_conmon_t)
# Persistent container state under var_lib: same file classes, plus
# search on the parent directory.
container_search_var_lib(crio_conmon_t)
container_manage_var_lib_files(crio_conmon_t)
container_manage_var_lib_fifo_files(crio_conmon_t)
container_manage_var_lib_sock_files(crio_conmon_t)
container_manage_log_files(crio_conmon_t)
# Interaction with kubelet-managed containers: query process groups and
# send kill signals to the kubelet domain.
kubernetes_getpgid_containers(crio_conmon_t)
kubernetes_kubelet_kill(crio_conmon_t)