1060 lines
21 KiB
Plaintext
1060 lines
21 KiB
Plaintext
## <summary>policy for kubernetes</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Role access for kubectl.
|
|
## </summary>
|
|
## <param name="role_prefix">
|
|
## <summary>
|
|
## The prefix of the user role (e.g., user
|
|
## is the prefix for user_r).
|
|
## </summary>
|
|
## </param>
|
|
## <param name="user_domain">
|
|
## <summary>
|
|
## User domain for the role.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="user_exec_domain">
|
|
## <summary>
|
|
## User exec domain for execute and transition access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`kubernetes_kubectl_role',`
|
|
gen_require(`
|
|
attribute kubectl_domain;
|
|
type kubectl_exec_t;
|
|
type kubernetes_home_t;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type $1_kubectl_t, kubectl_domain;
|
|
userdom_user_application_domain($1_kubectl_t, kubectl_exec_t)
|
|
role $4 types $1_kubectl_t;
|
|
|
|
########################################
|
|
#
|
|
# Policy
|
|
#
|
|
|
|
domtrans_pattern($3, kubectl_exec_t, $1_kubectl_t)
|
|
|
|
allow $2 kubernetes_home_t:dir { manage_dir_perms relabel_dir_perms };
|
|
allow $2 kubernetes_home_t:file { manage_file_perms relabel_file_perms };
|
|
allow $2 kubernetes_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
userdom_user_home_dir_filetrans($2, kubernetes_home_t, dir, ".kube")
|
|
|
|
allow $3 $1_kubectl_t:process { ptrace signal_perms };
|
|
ps_process_pattern($3, $1_kubectl_t)
|
|
|
|
auth_use_nsswitch($1_kubectl_t)
|
|
|
|
# kubectl executes an editor when editing files.
|
|
# transition back to the user domain when running them
|
|
corecmd_bin_domtrans($1_kubectl_t, $2)
|
|
|
|
optional_policy(`
|
|
systemd_user_app_status($1, $1_kubectl_t)
|
|
')
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Execute kubelet in the kubelet domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_domtrans_kubelet',`
|
|
gen_require(`
|
|
type kubelet_t, kubelet_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, kubelet_exec_t, kubelet_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute kubelet in the kubelet domain,
|
|
## and allow the specified role the
|
|
## kubelet domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## The role to be allowed the kubelet domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_run_kubelet',`
|
|
gen_require(`
|
|
type kubelet_t;
|
|
')
|
|
|
|
role $2 types kubelet_t;
|
|
|
|
kubernetes_domtrans_kubelet($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Connect to kubelet over a unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_stream_connect_kubelet',`
|
|
gen_require(`
|
|
type kubelet_t;
|
|
type kubernetes_runtime_t;
|
|
')
|
|
|
|
files_search_runtime($1)
|
|
stream_connect_pattern($1, kubernetes_runtime_t, kubernetes_runtime_t, kubelet_t)
|
|
allow $1 kubernetes_runtime_t:sock_file read_sock_file_perms;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Read the process state (/proc/pid)
|
|
## of kubelet.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_read_kubelet_state',`
|
|
gen_require(`
|
|
type kubelet_t;
|
|
')
|
|
|
|
ps_process_pattern($1, kubelet_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Inherit and use file descriptors from
|
|
## kubelet.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_use_kubelet_fds',`
|
|
gen_require(`
|
|
type kubelet_t;
|
|
')
|
|
|
|
allow $1 kubelet_t:fd use;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Allow kubelet to send a kill signal
|
|
## to the specified domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_kubelet_kill',`
|
|
gen_require(`
|
|
type kubelet_t;
|
|
')
|
|
|
|
allow kubelet_t $1:process sigkill;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Execute kubeadm in the kubeadm domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_domtrans_kubeadm',`
|
|
gen_require(`
|
|
type kubeadm_t, kubeadm_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, kubeadm_exec_t, kubeadm_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute kubeadm in the kubeadm domain,
|
|
## and allow the specified role the
|
|
## kubeadm domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## The role to be allowed the kubeadm domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_run_kubeadm',`
|
|
gen_require(`
|
|
type kubeadm_t;
|
|
')
|
|
|
|
role $2 types kubeadm_t;
|
|
|
|
kubernetes_domtrans_kubeadm($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Associated the specified domain to
|
|
## be a domain which is capable of
|
|
## operating as a kubernetes container
|
|
## engine.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_container_engine',`
|
|
gen_require(`
|
|
attribute kubernetes_container_engine_domain;
|
|
')
|
|
|
|
typeattribute $1 kubernetes_container_engine_domain;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Associated the specified domain to
|
|
## be a domain which is capable of
|
|
## operating as a container domain
|
|
## which can be spawned by kubernetes.
|
|
## engine.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_container',`
|
|
gen_require(`
|
|
attribute kubernetes_container_domain;
|
|
')
|
|
|
|
typeattribute $1 kubernetes_container_domain;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified file type to be
|
|
## mounted on by kubernetes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_mountpoint',`
|
|
gen_require(`
|
|
attribute kubernetes_mountpoint_type;
|
|
')
|
|
|
|
typeattribute $1 kubernetes_mountpoint_type;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read the process state (/proc/pid) of
|
|
## kubernetes container engines.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_read_container_engine_state',`
|
|
gen_require(`
|
|
attribute kubernetes_container_engine_domain;
|
|
')
|
|
|
|
ps_process_pattern($1, kubernetes_container_engine_domain, kubernetes_container_engine_domain)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to search
|
|
## kubernetes container engine keys.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_dontaudit_search_engine_keys',`
|
|
gen_require(`
|
|
attribute kubernetes_container_engine_domain;
|
|
')
|
|
|
|
dontaudit $1 kubernetes_container_engine_domain:key search;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to
|
|
## get the process group ID of all
|
|
## kubernetes containers.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_getpgid_containers',`
|
|
gen_require(`
|
|
attribute kubernetes_container_domain;
|
|
')
|
|
|
|
allow $1 kubernetes_container_domain:process getpgid;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Run kubernetes container engine bpf
|
|
## programs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_run_engine_bpf',`
|
|
gen_require(`
|
|
attribute kubernetes_container_engine_domain;
|
|
')
|
|
|
|
allow $1 kubernetes_container_engine_domain:bpf prog_run;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search kubernetes config directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_search_config',`
|
|
gen_require(`
|
|
type kubernetes_config_t;
|
|
')
|
|
|
|
files_search_etc($1)
|
|
allow $1 kubernetes_config_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read kubernetes config files and symlinks.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_read_config',`
|
|
gen_require(`
|
|
type kubernetes_config_t;
|
|
')
|
|
|
|
kubernetes_search_config($1)
|
|
allow $1 kubernetes_config_t:file read_file_perms;
|
|
allow $1 kubernetes_config_t:lnk_file read_lnk_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Mount on kubernetes config directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_mounton_config_dirs',`
|
|
gen_require(`
|
|
type kubernetes_config_t;
|
|
')
|
|
|
|
allow $1 kubernetes_config_t:dir mounton;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to watch
|
|
## kubernetes config directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_watch_config_dirs',`
|
|
gen_require(`
|
|
type kubernetes_config_t;
|
|
')
|
|
|
|
allow $1 kubernetes_config_t:dir watch;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Manage kubernetes config files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_manage_config_files',`
|
|
gen_require(`
|
|
type kubernetes_config_t;
|
|
')
|
|
|
|
manage_files_pattern($1, kubernetes_config_t, kubernetes_config_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Mount on kubernetes config files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_mounton_config_files',`
|
|
gen_require(`
|
|
type kubernetes_config_t;
|
|
')
|
|
|
|
allow $1 kubernetes_config_t:file mounton;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to watch
|
|
## kubernetes config files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_watch_config_files',`
|
|
gen_require(`
|
|
type kubernetes_config_t;
|
|
')
|
|
|
|
allow $1 kubernetes_config_t:file watch;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to search
|
|
## through the contents of kubernetes plugin
|
|
## directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_search_plugin_dirs',`
|
|
gen_require(`
|
|
type kubernetes_plugin_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
allow $1 kubernetes_plugin_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to list
|
|
## the contents of kubernetes plugin
|
|
## directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_list_plugins',`
|
|
gen_require(`
|
|
type kubernetes_plugin_t;
|
|
')
|
|
|
|
allow $1 kubernetes_plugin_t:dir list_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to watch
|
|
## kubernetes plugin directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_watch_plugin_dirs',`
|
|
gen_require(`
|
|
type kubernetes_plugin_t;
|
|
')
|
|
|
|
allow $1 kubernetes_plugin_t:dir watch;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to manage
|
|
## kubernetes plugin files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_manage_plugin_files',`
|
|
gen_require(`
|
|
type kubernetes_plugin_t;
|
|
')
|
|
|
|
manage_files_pattern($1, kubernetes_plugin_t, kubernetes_plugin_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Manage kubernetes runtime directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_manage_runtime_dirs',`
|
|
gen_require(`
|
|
type kubernetes_runtime_t;
|
|
')
|
|
|
|
allow $1 kubernetes_runtime_t:dir manage_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Mount on kubernetes runtime directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_mounton_runtime_dirs',`
|
|
gen_require(`
|
|
type kubernetes_runtime_t;
|
|
')
|
|
|
|
allow $1 kubernetes_runtime_t:dir mounton;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Manage kubernetes runtime files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_manage_runtime_files',`
|
|
gen_require(`
|
|
type kubernetes_runtime_t;
|
|
')
|
|
|
|
allow $1 kubernetes_runtime_t:file manage_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Memory map kubernetes runtime files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_map_runtime_files',`
|
|
gen_require(`
|
|
type kubernetes_runtime_t;
|
|
')
|
|
|
|
allow $1 kubernetes_runtime_t:file map;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Watch kubernetes runtime files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_watch_runtime_files',`
|
|
gen_require(`
|
|
type kubernetes_runtime_t;
|
|
')
|
|
|
|
allow $1 kubernetes_runtime_t:file watch;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Manage kubernetes runtime symlinks.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_manage_runtime_symlinks',`
|
|
gen_require(`
|
|
type kubernetes_runtime_t;
|
|
')
|
|
|
|
allow $1 kubernetes_runtime_t:lnk_file manage_lnk_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Manage kubernetes runtime sock files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_manage_runtime_sock_files',`
|
|
gen_require(`
|
|
type kubernetes_runtime_t;
|
|
')
|
|
|
|
allow $1 kubernetes_runtime_t:sock_file manage_sock_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## List the contents of kubernetes tmpfs
|
|
## directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_list_tmpfs',`
|
|
gen_require(`
|
|
type kubernetes_tmpfs_t;
|
|
')
|
|
|
|
allow $1 kubernetes_tmpfs_t:dir list_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Manage kubernetes tmpfs directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_manage_tmpfs_dirs',`
|
|
gen_require(`
|
|
type kubernetes_tmpfs_t;
|
|
')
|
|
|
|
allow $1 kubernetes_tmpfs_t:dir manage_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Watch kubernetes tmpfs directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_watch_tmpfs_dirs',`
|
|
gen_require(`
|
|
type kubernetes_tmpfs_t;
|
|
')
|
|
|
|
allow $1 kubernetes_tmpfs_t:dir watch;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read kubernetes tmpfs files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_read_tmpfs_files',`
|
|
gen_require(`
|
|
type kubernetes_tmpfs_t;
|
|
')
|
|
|
|
allow $1 kubernetes_tmpfs_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Manage kubernetes tmpfs files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_manage_tmpfs_files',`
|
|
gen_require(`
|
|
type kubernetes_tmpfs_t;
|
|
')
|
|
|
|
allow $1 kubernetes_tmpfs_t:file manage_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Watch kubernetes tmpfs files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_watch_tmpfs_files',`
|
|
gen_require(`
|
|
type kubernetes_tmpfs_t;
|
|
')
|
|
|
|
allow $1 kubernetes_tmpfs_t:file watch;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read kubernetes tmpfs symlinks.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_read_tmpfs_symlinks',`
|
|
gen_require(`
|
|
type kubernetes_tmpfs_t;
|
|
')
|
|
|
|
allow $1 kubernetes_tmpfs_t:lnk_file read_lnk_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Manage kubernetes tmpfs symlinks.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_manage_tmpfs_symlinks',`
|
|
gen_require(`
|
|
type kubernetes_tmpfs_t;
|
|
')
|
|
|
|
allow $1 kubernetes_tmpfs_t:lnk_file manage_lnk_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Relabel directories from the kubernetes
|
|
## tmpfs type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_relabelfrom_tmpfs_dirs',`
|
|
gen_require(`
|
|
type kubernetes_tmpfs_t;
|
|
')
|
|
|
|
allow $1 kubernetes_tmpfs_t:dir relabelfrom;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Relabel files from the kubernetes tmpfs type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_relabelfrom_tmpfs_files',`
|
|
gen_require(`
|
|
type kubernetes_tmpfs_t;
|
|
')
|
|
|
|
allow $1 kubernetes_tmpfs_t:file relabelfrom;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Relabel symlinks from the kubernetes tmpfs type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_relabelfrom_tmpfs_symlinks',`
|
|
gen_require(`
|
|
type kubernetes_tmpfs_t;
|
|
')
|
|
|
|
allow $1 kubernetes_tmpfs_t:lnk_file relabelfrom;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the status of kubernetes systemd units.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_get_unit_status',`
|
|
gen_require(`
|
|
type kubernetes_unit_t;
|
|
class service status;
|
|
')
|
|
|
|
allow $1 kubernetes_unit_t:service status;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Start kubernetes systemd units.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_start_unit',`
|
|
gen_require(`
|
|
type kubernetes_unit_t;
|
|
class service start;
|
|
')
|
|
|
|
allow $1 kubernetes_unit_t:service start;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Stop kubernetes systemd units.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_stop_unit',`
|
|
gen_require(`
|
|
type kubernetes_unit_t;
|
|
class service stop;
|
|
')
|
|
|
|
allow $1 kubernetes_unit_t:service stop;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Reload kubernetes systemd units.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`kubernetes_reload_unit',`
|
|
gen_require(`
|
|
type kubernetes_unit_t;
|
|
class service reload;
|
|
')
|
|
|
|
allow $1 kubernetes_unit_t:service reload;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## All of the rules required to administrate
|
|
## a kubernetes environment.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`kubernetes_admin',`
|
|
gen_require(`
|
|
type kubeadm_t, kubelet_t, kubectl_t;
|
|
type kubectl_exec_t;
|
|
type kubernetes_config_t, kubernetes_tmp_t;
|
|
type kubernetes_tmpfs_t, kubernetes_runtime_t;
|
|
type kubernetes_home_t;
|
|
')
|
|
|
|
container_admin($1, $2)
|
|
|
|
kubernetes_run_kubeadm($1, $2)
|
|
kubernetes_run_kubelet($1, $2)
|
|
|
|
role $2 types kubectl_t;
|
|
domtrans_pattern($1, kubectl_exec_t, kubectl_t)
|
|
|
|
# kubectl executes an editor when editing files
|
|
# transition back to the user domain when running them
|
|
corecmd_bin_domtrans(kubectl_t, $1)
|
|
allow $1 kubectl_t:fd use;
|
|
allow $1 kubectl_t:fifo_file rw_inherited_fifo_file_perms;
|
|
|
|
allow $1 kubeadm_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, kubeadm_t)
|
|
|
|
allow $1 kubelet_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, kubelet_t)
|
|
|
|
allow $1 kubectl_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, kubectl_t)
|
|
|
|
files_search_etc($1)
|
|
admin_pattern($1, kubernetes_config_t)
|
|
|
|
files_search_runtime($1)
|
|
admin_pattern($1, kubernetes_runtime_t)
|
|
|
|
files_search_tmp($1)
|
|
admin_pattern($1, kubernetes_tmp_t)
|
|
|
|
fs_search_tmpfs($1)
|
|
admin_pattern($1, kubernetes_tmpfs_t)
|
|
|
|
admin_pattern($1, kubernetes_home_t)
|
|
userdom_user_home_dir_filetrans($1, kubernetes_home_t, dir, ".kube")
|
|
|
|
optional_policy(`
|
|
crio_admin($1, $2)
|
|
')
|
|
')
|