kubernetes: allow kubelet to apply fsGroup to persistent volumes

Signed-off-by: Kenton Groombridge <concord@gentoo.org>

2 files changed, 23 insertions, 0 deletions

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 7a2df280d..85b4da0c3 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3492,6 +3492,25 @@ interface(`kernel_relabelfrom_unlabeled_chr_devs',`
 
 ########################################
 ## <summary>
+##	Allow caller set the attributes on all unlabeled
+##	directory and file objects.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_setattr_all_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir_file_class_set setattr;
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from an
 ##	unlabeled IPSEC association.
 ## </summary>
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 0f5f67697..58292de85 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -307,6 +307,10 @@ kernel_read_vm_sysctls(kubelet_t)
 kernel_rw_kernel_sysctl(kubelet_t)
 kernel_rw_net_sysctls(kubelet_t)
 kernel_rw_vm_overcommit_sysctl(kubelet_t)
+# for recursive chown on persistent volumes that
+# haven't been relabeled yet (fsGroup)
+kernel_list_unlabeled(kubelet_t)
+kernel_setattr_all_unlabeled(kubelet_t)
 
 storage_getattr_fixed_disk_dev(kubelet_t)
 storage_dontaudit_read_fixed_disk(kubelet_t)