From 0c0056ffd8e890673ea4b48df12be111905908ff Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 19 Sep 2024 06:57:49 -0400
Subject: [PATCH] Allow kubelet_t to create a sock file kubelet_var_lib_t
We want to allow container_device_plugin_t to communicate with kublet_t over a kubelet_var_lib_t socket.
Signed-off-by: Daniel J Walsh
---
 container.fc | 2 +-
 container.te | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/container.fc b/container.fc
index 91241c7..5904538 100644
--- a/container.fc
+++ b/container.fc
@@ -131,7 +131,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:
 /var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
-/var/lib/kubelet/pod-resources/kubelet.sock gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/kubelet/pod-resources(/.*)? gen_context(system_u:object_r:kubelet_var_lib_t,s0)
 /var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
diff --git a/container.te b/container.te
index c588fd2..64f1f2f 100644
--- a/container.te
+++ b/container.te
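Review bot: Relabelling `/var/lib/kubelet/pod-resources(/.*)?` from container_file_t to kubelet_var_lib_t changes who may reach kubelet.sock, and the commit message only mentions the new container_device_plugin_t path. Any domain that previously connected to the socket through its container_file_t permissions loses that access once the new type lands, and sockets already on disk keep the old label until `restorecon -R /var/lib/kubelet/pod-resources` runs, so both points belong in the description. If other domains are still expected to talk to kubelet over this socket, they need an explicit rule on kubelet_var_lib_t rather than relying on the old label.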
@@ -1486,6 +1486,17 @@ application_executable_file(kubelet_exec_t)
 can_exec(container_runtime_t, kubelet_exec_t)
 allow kubelet_t kubelet_exec_t:file entrypoint;
+type kubelet_var_lib_t;
+files_type(kubelet_var_lib_t)
+
+manage_dirs_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_lnk_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+manage_sock_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
+
+files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir, "pod-resources")
+filetrans_pattern(kubelet_t, container_var_lib_t, kubelet_var_lib_t, dir, "pod-resources")
+
 ifdef(`enable_mcs',`
 init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mcs_systemhigh)
 ')
@@ -1524,6 +1535,7 @@ allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
 dev_rw_sysfs(container_device_plugin_t)
 kernel_read_debugfs(container_device_plugin_t)
 container_kubelet_stream_connect(container_device_plugin_t)
+stream_connect_pattern(container_device_plugin_t, container_var_lib_t, kubelet_var_lib_t, kubelet_t)
 # Standard container which needs to be allowed to use any device and
 # modify kubelet configuration
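Review bot: `files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir, "pod-resources")` transitions a `pod-resources` directory that kubelet_t creates directly under var_lib_t, i.e. /var/lib/pod-resources, which is not a path this commit labels in container.fc; the `filetrans_pattern` on container_var_lib_t on the following line is the one that covers /var/lib/kubelet/pod-resources. Unless kubelet_t really creates a top-level /var/lib/pod-resources, the first line should be dropped, or a matching fc entry added so a relabel does not silently reset the type. A short comment above `type kubelet_var_lib_t;`, such as `# Directory/socket under /var/lib/kubelet/pod-resources that kubelet_t shares with device plugins`, would record why a type separate from container_var_lib_t exists.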
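Review bot: `stream_connect_pattern(container_device_plugin_t, container_var_lib_t, kubelet_var_lib_t, kubelet_t)` grants `search` only on container_var_lib_t directories, but after the container.fc change the socket's immediate parent /var/lib/kubelet/pod-resources is itself a kubelet_var_lib_t directory, so the plugin would be denied `search` on it unless that is already covered by `container_kubelet_stream_connect` on the line above, whose definition is outside this diff. Passing both types as the directory argument, `stream_connect_pattern(container_device_plugin_t, { container_var_lib_t kubelet_var_lib_t }, kubelet_var_lib_t, kubelet_t)`, closes the gap without widening anything else. Exercising a device plugin on a relabelled host and confirming no AVC denials appear would verify this before merge.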