author: Kenton Groombridge <concord@gentoo.org> 2024-08-07 16:51:38 -0400
committer: Jason Zaman <perfinion@gentoo.org> 2024-09-21 15:28:29 -0700
commit: 5f944ab19d0569955ba9dd2e9eae843edf08a7a9
tree: ca4477753465b06f0f7c2d2c931f8f08b672f18e
parent: haproxy: allow interactive usage
kubernetes: allow kubelet to create unlabeled dirs
When kubelet sets up a container that 1) has mountpoints using subPath directories and 2) has a volume that is newly provisioned and not yet relabeled, kubelet will create the mountpoint directories on this volume before relabeling it. Allow kubelet to create these directories.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
 policy/modules/kernel/kernel.if       | 18 ++++++++++++++++++
 policy/modules/services/kubernetes.te |  3 +++
 2 files changed, 21 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index f985a1ca..f1c3098c 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2887,6 +2887,24 @@ interface(`kernel_rw_unlabeled_dirs',`
########################################
## <summary>
+## Create unlabeled directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_create_unlabeled_dirs',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
## Delete unlabeled directories.
## </summary>
## <param name="domain">
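Review bot: the new `kernel_create_unlabeled_dirs` interface grants only `dir create_dir_perms` on `unlabeled_t`, which covers the label of the directory being created but not the `write`/`add_name` access needed on the parent `unlabeled_t` directory, so a caller that does not already hold that (the hunk header shows a `kernel_rw_unlabeled_dirs` interface exists for it) will still be denied on the mkdir. Either document that limitation in the interface's `<summary>` (for example "Create unlabeled directories; callers also need write access to the parent directory") or have the interface grant the parent-directory access itself, so the name does not promise more than it allows. It is also worth a sentence in the description that, absent a type transition, a directory created inside an `unlabeled_t` parent is itself `unlabeled_t` until relabeled, since that is exactly the window the kubelet change depends on.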
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 83963502..95d5f9f4 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -311,6 +311,9 @@ kernel_rw_vm_overcommit_sysctl(kubelet_t)
# haven't been relabeled yet (fsGroup)
kernel_list_unlabeled(kubelet_t)
kernel_setattr_all_unlabeled(kubelet_t)
+# create subPath mountpoints in a volume that
+# hasn't been relabeled yet
+kernel_create_unlabeled_dirs(kubelet_t)
storage_getattr_fixed_disk_dev(kubelet_t)
storage_dontaudit_read_fixed_disk(kubelet_t)
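Review bot: style point on `kernel_create_unlabeled_dirs(kubelet_t)`: the neighbouring `kernel_*` calls are in alphabetical order (`kernel_list_unlabeled`, `kernel_setattr_all_unlabeled`), so refpolicy convention would place `kernel_create_unlabeled_dirs` before `kernel_list_unlabeled`. If the separate placement is deliberate so the subPath comment sits next to the call, consider folding it into the existing "haven't been relabeled yet (fsGroup)" comment block above so both pre-relabel cases (fsGroup setattr and subPath mountpoint creation) are explained together and the alphabetical order is kept.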