Skip to content

Commit

Permalink
Allow kubelet_t to create a sock file kubelet_var_lib_t
Browse files Browse the repository at this point in the history
We want to allow container_device_plugin_t to communicate
with kublet_t over a kubelet_var_lib_t socket.

Signed-off-by: Daniel J Walsh <[email protected]>
  • Loading branch information
rhatdan committed Sep 19, 2024
1 parent 25ad643 commit 0c0056f
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 1 deletion.
2 changes: 1 addition & 1 deletion container.fc
Original file line number Diff line number Diff line change
Expand Up @@ -131,7 +131,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:
/var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)

/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/kubelet/pod-resources/kubelet.sock gen_context(system_u:object_r:container_file_t,s0)
/var/lib/kubelet/pod-resources(/.*)? gen_context(system_u:object_r:kubelet_var_lib_t,s0)
/var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
Expand Down
12 changes: 12 additions & 0 deletions container.te
Original file line number Diff line number Diff line change
Expand Up @@ -1486,6 +1486,17 @@ application_executable_file(kubelet_exec_t)
can_exec(container_runtime_t, kubelet_exec_t)
allow kubelet_t kubelet_exec_t:file entrypoint;

type kubelet_var_lib_t;
files_type(kubelet_var_lib_t)

manage_dirs_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_lnk_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_sock_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)

files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir, "pod-resources")
filetrans_pattern(kubelet_t, container_var_lib_t, kubelet_var_lib_t, dir, "pod-resources")

ifdef(`enable_mcs',`
init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mcs_systemhigh)
')
Expand Down Expand Up @@ -1524,6 +1535,7 @@ allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
dev_rw_sysfs(container_device_plugin_t)
kernel_read_debugfs(container_device_plugin_t)
container_kubelet_stream_connect(container_device_plugin_t)
stream_connect_pattern(container_device_plugin_t, container_var_lib_t, kubelet_var_lib_t, kubelet_t)

# Standard container which needs to be allowed to use any device and
# modify kubelet configuration
Expand Down

0 comments on commit 0c0056f

Please sign in to comment.