From cd58aee691e5b70af9fd0a22beb97e635ef981e1 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Fri, 9 Aug 2024 15:08:33 -0400 Subject: container, kubernetes: add supporting rules for kubevirt and multus Signed-off-by: Kenton Groombridge Signed-off-by: Jason Zaman --- policy/modules/services/container.if | 39 +++++++++++++++++++++++++++++++++++ policy/modules/services/container.te | 9 ++++++++ policy/modules/services/kubernetes.te | 2 ++ 3 files changed, 50 insertions(+) diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if index ceb9de81..c9f4aa93 100644 --- a/policy/modules/services/container.if +++ b/policy/modules/services/container.if @@ -1207,6 +1207,25 @@ interface(`container_watch_config_dirs',` allow $1 container_config_t:dir watch; ') +######################################## +## +## Allow the specified domain to +## create container config directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_create_config_dirs',` + gen_require(` + type container_config_t; + ') + + create_dirs_pattern($1, container_config_t, container_config_t) +') + ######################################## ## ## Allow the specified domain to @@ -1607,6 +1626,26 @@ interface(`container_list_ro_dirs',` allow $1 container_ro_file_t:dir list_dir_perms; ') +######################################## +## +## Allow the specified domain to get +## the attributes of all read-only +## container file character devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_getattr_all_ro_chr_files',` + gen_require(` + type container_ro_file_t; + ') + + allow $1 container_ro_file_t:chr_file getattr; +') + ######################################## ## ## Allow the specified domain to get diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index 66b16e4e..cc700c03 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te 
@@ -224,6 +224,9 @@ container_mountpoint(container_runtime_t)
 type container_tmpfs_t;
 files_tmpfs_file(container_tmpfs_t)
+type container_tmp_t;
+files_tmp_file(container_tmp_t)
+
 type container_log_t;
 logging_log_file(container_log_t)
 optional_policy(`
@@ -1093,6 +1096,7 @@ container_manage_config_files(spc_t)
 container_list_plugin_dirs(spc_t)
 container_manage_plugin_files(spc_t)
+container_create_config_dirs(spc_t)
 container_create_config_files(spc_t)
 container_rw_config_files(spc_t)
@@ -1104,6 +1108,11 @@ container_manage_var_lib_dirs(spc_t)
 container_manage_var_lib_files(spc_t)
 container_map_var_lib_files(spc_t)
+manage_dirs_pattern(spc_t, container_tmp_t, container_tmp_t)
+manage_files_pattern(spc_t, container_tmp_t, container_tmp_t)
+files_tmp_filetrans(spc_t, container_tmp_t, { dir file })
+
+files_runtime_filetrans(spc_t, container_runtime_t, dir)
 # for cilium
 allow spc_t container_config_t:dir watch;
 allow spc_t container_runtime_t:lnk_file manage_lnk_file_perms;
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 95d5f9f4..787cdae3 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -82,6 +82,7 @@ corenet_tcp_connect_all_ports(kubernetes_container_engine_domain)
 dev_create_generic_blk_files(kubernetes_container_engine_domain)
 files_getattr_kernel_modules(kubernetes_container_engine_domain)
+files_mounton_runtime_dirs(kubernetes_container_engine_domain)
 # for replicated storage that may be mounted in /mnt
 files_search_mnt(kubernetes_container_engine_domain)
@@ -411,6 +412,7 @@ fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir file lnk_file })
 # for metrics and accounting
 container_getattr_all_files(kubelet_t)
 container_getattr_all_ro_files(kubelet_t)
+container_getattr_all_ro_chr_files(kubelet_t)
 container_getattr_all_var_lib_files(kubelet_t)
 ifdef(`init_systemd',`
-- 
cgit v1.2.3-65-gdbad
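Review bot: `files_runtime_filetrans(spc_t, container_runtime_t, dir)` in the third container.te hunk passes no filename, so every directory spc_t creates directly under /run is labeled container_runtime_t, a type the first hunk's context shows is also a mountpoint (`container_mountpoint(container_runtime_t)`). The commit title attributes the rule to kubevirt and multus; if those components create fixed-named directories there (presumably `multus` and `kubevirt`, to be confirmed against the components), naming them narrows the transition to just those entries, e.g. `files_runtime_filetrans(spc_t, container_runtime_t, dir, "multus")`, one call per name. The rule also has no comment of its own and sits directly above the existing `# for cilium` comment, so a reader may attach that comment to it; a `# for kubevirt/multus` line above the new rule would fix that. The hunk does not show whether spc_t already has create on container_runtime_t:dir, which a type_transition does not grant by itself; that should be checked against the rest of the spc_t block, which starts outside this hunk.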
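Review bot: `files_mounton_runtime_dirs(kubernetes_container_engine_domain)` in the kubernetes.te hunk at line 82 grants every domain carrying the container-engine attribute mounton on the generic runtime directory type, which covers /run itself and any directory under it still labeled with that type, and it carries no comment saying which kubevirt or multus path needs it. The adjacent rule documents its reason (`# for replicated storage that may be mounted in /mnt`) and this one should too, e.g. `# for kubevirt/multus: mounts on /run/<path>` with the actual path filled in. If the directory being mounted over belongs to the container runtime, container.te already declares `container_mountpoint(container_runtime_t)`, so a mounton rule scoped to that type, or to a dedicated runtime type with its own file context, would be narrower than all of /run; whether that is sufficient cannot be told from the hunk. The attribute's rule block begins before this hunk.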