author | Kenton Groombridge <concord@gentoo.org> | 2024-02-10 10:30:21 -0500 |
committer | Kenton Groombridge <concord@gentoo.org> | 2024-03-01 12:04:57 -0500 |
commit | fa018742b8b23e34325477daddcb6d4a878a3219 (patch) | |
tree | 4515c026c792c1dd8ec58a6eaffaf3c65f080c21 | |
parent | container: allow spc to map kubernetes runtime files (diff) | |
kubernetes: allow kubelet to apply fsGroup to persistent volumes
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r-- | policy/modules/kernel/kernel.if | 19 | ||||
-rw-r--r-- | policy/modules/services/kubernetes.te | 4 |
2 files changed, 23 insertions, 0 deletions
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 7a2df280d..85b4da0c3 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3492,6 +3492,25 @@ interface(`kernel_relabelfrom_unlabeled_chr_devs',`
 ########################################
 ## <summary>
+## Allow caller set the attributes on all unlabeled
+## directory and file objects.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_setattr_all_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir_file_class_set setattr;
+')
+
+########################################
+## <summary>
 ## Send and receive messages from an
 ## unlabeled IPSEC association.
 ## </summary>
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 0f5f67697..58292de85 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -307,6 +307,10 @@ kernel_read_vm_sysctls(kubelet_t)
 kernel_rw_kernel_sysctl(kubelet_t)
 kernel_rw_net_sysctls(kubelet_t)
 kernel_rw_vm_overcommit_sysctl(kubelet_t)
+# for recursive chown on persistent volumes that
+# haven't been relabeled yet (fsGroup)
+kernel_list_unlabeled(kubelet_t)
+kernel_setattr_all_unlabeled(kubelet_t)
 storage_getattr_fixed_disk_dev(kubelet_t)
 storage_dontaudit_read_fixed_disk(kubelet_t)
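Review bot: The summary added for `kernel_setattr_all_unlabeled` in the kernel.if hunk reads `Allow caller set the attributes on all unlabeled` (missing "to") and, more importantly, does not say how far the grant reaches: `unlabeled_t` is the label of every object on the system that carries no valid context, and `dir_file_class_set` covers device nodes, sockets and fifos as well as directories and regular files, so a caller can change ownership, mode and timestamps of any such object anywhere, not only on a volume it mounted. I would rewrite the summary as `## Allow the caller to set attributes (ownership, mode, timestamps) on all unlabeled directory, file, symlink, device, socket and fifo objects.` and add one sentence noting that this is a system-wide grant intended for domains that must fix ownership of not-yet-relabeled data. Only the doc block and the interface body are in the hunk, so the rest of the file's conventions for such caveats could not be checked here.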
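Review bot: The comment above `kernel_list_unlabeled(kubelet_t)` in the kubernetes.te hunk describes the need (recursive chown of persistent volumes that have not been relabeled yet) but understates the scope of what the next line grants: `kernel_setattr_all_unlabeled(kubelet_t)` lets kubelet_t change attributes of every unlabeled object on the host, including device nodes, not just volume contents. It would help future readers to record that, e.g. `# NOTE: setattr on unlabeled_t is system-wide, not limited to volume mounts; volumes lose this exposure once relabeled`, and to consider whether the two lines belong behind a tunable so deployments that relabel volumes before use can leave the grant off. The kubelet_t policy block these lines sit in starts and ends outside the hunk.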