From fa018742b8b23e34325477daddcb6d4a878a3219 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sat, 10 Feb 2024 10:30:21 -0500
Subject: kubernetes: allow kubelet to apply fsGroup to persistent volumes

Signed-off-by: Kenton Groombridge
---
 policy/modules/kernel/kernel.if | 19 +++++++++++++++++++
 policy/modules/services/kubernetes.te | 4 ++++
 2 files changed, 23 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 7a2df280d..85b4da0c3 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3490,6 +3490,25 @@ interface(`kernel_relabelfrom_unlabeled_chr_devs',`
 allow $1 unlabeled_t:chr_file relabelfrom_chr_file_perms;
 ')
+########################################
+##
+## Allow caller set the attributes on all unlabeled
+## directory and file objects.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_setattr_all_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+ allow $1 unlabeled_t:dir_file_class_set setattr;
+')
 ########################################
 ##
 ## Send and receive messages from an
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 0f5f67697..58292de85 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -307,6 +307,10 @@ kernel_read_vm_sysctls(kubelet_t)
 kernel_rw_kernel_sysctl(kubelet_t)
 kernel_rw_net_sysctls(kubelet_t)
 kernel_rw_vm_overcommit_sysctl(kubelet_t)
+# for recursive chown on persistent volumes that
+# haven't been relabeled yet (fsGroup)
+kernel_list_unlabeled(kubelet_t)
+kernel_setattr_all_unlabeled(kubelet_t)
 storage_getattr_fixed_disk_dev(kubelet_t)
 storage_dontaudit_read_fixed_disk(kubelet_t)
-- 
cgit v1.2.3-65-gdbad
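Review bot: The new `kernel_setattr_all_unlabeled` interface grants `setattr` over the whole `dir_file_class_set`, which in refpolicy also covers chr_file, blk_file, sock_file and fifo_file, so the rule is broader than the "directory and file objects" its summary describes and broader than an ownership change of volume contents appears to need. Either narrow the class list to what the fsGroup walk actually touches, or make the summary say that every file-like class is covered so the next caller of this interface knows what it is getting. The summary wording also needs a fix: `##	Allow the caller to set the attributes of all unlabeled` / `##	directory and file objects.` The surrounding interface block in kernel.if is complete within the hunk; the summary and param tags appear to have been stripped by rendering rather than by the patch.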
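Review bot: The two added calls give kubelet_t list access on unlabeled directories and setattr on unlabeled objects, but a recursive ownership change also has to stat each entry it visits, which needs getattr on unlabeled file, symlink and similar objects; `kernel_list_unlabeled` covers getattr on the directories themselves, not on their contents. Unless kubelet_t already holds that permission from lines outside this hunk, the walk over a not-yet-relabeled persistent volume would still produce denials, so this is worth confirming against the audit log of an fsGroup mount and, if needed, pairing these two calls with the matching getattr interface from kernel.if. The comment could also name the label it is working around, e.g. `# fsGroup: recursive chown of persistent volume contents that are still unlabeled_t`.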