

Allow kubelet_t to create a sock file kubelet_var_lib_t
We want to allow container_device_plugin_t to communicate
with kubelet_t over a kubelet_var_lib_t socket.

Signed-off-by: Daniel J Walsh <[email protected]>
rhatdan committed Sep 16, 2024
1 parent 45cb5d0 commit 0d2ca1c
Showing 2 changed files with 16 additions and 4 deletions.
2 changes: 1 addition & 1 deletion container.fc
Expand Up @@ -131,7 +131,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:
/var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)

/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/kubelet/pod-resources/kubelet.sock gen_context(system_u:object_r:container_file_t,s0)
/var/lib/kubelet/pod-resources/kubelet.sock gen_context(system_u:object_r:kubelet_var_lib_t,s0)
/var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
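Review bot: The new kubelet.sock entry still leaves the `.` in `kubelet.sock` unescaped, so the pattern matches any single character there, while the neighbouring entries escape theirs (`config\.env`, `.*\.log`). Because the type is meant for a socket only, the entry could also carry the socket class specifier so that a regular file created at that path would not pick up kubelet_var_lib_t on restorecon: `/var/lib/kubelet/pod-resources/kubelet\.sock -s gen_context(system_u:object_r:kubelet_var_lib_t,s0)`. The parent directory keeps container_var_lib_t through the `/var/lib/kubelet(/.*)?` entry, which matches the directory type used by the filetrans_pattern added in container.te.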
18 changes: 15 additions & 3 deletions container.te
@@ -1,4 +1,4 @@
policy_module(container, 2.233.0)
policy_module(container, 2.234.0)

gen_require(`
class passwd rootok;
Expand Down Expand Up @@ -1450,13 +1450,13 @@ allow container_engine_t sysctl_t:{dir file} mounton;
allow container_engine_t fusefs_t:dir { relabelfrom relabelto };
allow container_engine_t fusefs_t:file relabelto;
allow container_engine_t kernel_t:system module_request;
allow container_engine_t null_device_t:chr_file { mounton setattr };
allow container_engine_t null_device_t:chr_file { mounton setattr_chr_file_perms };
allow container_engine_t random_device_t:chr_file mounton;
allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
allow container_engine_t urandom_device_t:chr_file mounton;
allow container_engine_t zero_device_t:chr_file mounton;
allow container_engine_t container_file_t:sock_file mounton;
allow container_engine_t container_runtime_tmpfs_t:dir ioctl;
allow container_engine_t container_runtime_tmpfs_t:dir list_dir_perms;

manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)

Expand Down Expand Up @@ -1485,6 +1485,17 @@ application_executable_file(kubelet_exec_t)
can_exec(container_runtime_t, kubelet_exec_t)
allow kubelet_t kubelet_exec_t:file entrypoint;

type kubelet_var_lib_t;
files_type(kubelet_var_lib_t)

manage_dirs_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_lnk_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_sock_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)

files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, sock_file, "kubelet.sock")
filetrans_pattern(kubelet_t, container_var_lib_t, kubelet_var_lib_t, sock_file, "kubelet.sock")

ifdef(`enable_mcs',`
init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mcs_systemhigh)
')
Expand Down Expand Up @@ -1523,6 +1534,7 @@ allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
dev_rw_sysfs(container_device_plugin_t)
kernel_read_debugfs(container_device_plugin_t)
container_kubelet_stream_connect(container_device_plugin_t)
stream_connect_pattern(container_device_plugin_t, container_var_lib_t, kubelet_var_lib_t, kubelet_t)

# Standard container which needs to be allowed to use any device and
# modify kubelet configuration
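Review bot: `files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, sock_file, "kubelet.sock")` in the kubelet hunk only fires when kubelet_t creates kubelet.sock directly inside a var_lib_t directory, but the path labelled in container.fc is /var/lib/kubelet/pod-resources/kubelet.sock, whose parent directory is container_var_lib_t via `/var/lib/kubelet(/.*)?`, and that case is already covered by the `filetrans_pattern(kubelet_t, container_var_lib_t, kubelet_var_lib_t, sock_file, "kubelet.sock")` line, so the files_var_lib_filetrans rule looks redundant unless kubelet is known to create the socket straight under /var/lib. The `manage_dirs_pattern`, `manage_files_pattern` and `manage_lnk_files_pattern` rules on kubelet_var_lib_t also grant more than the fc labels, since only the socket carries this type; `manage_sock_files_pattern` is what the change needs, and the other three could wait until a directory or file is actually labelled kubelet_var_lib_t. A short comment above the type declaration, such as `# Socket kubelet exposes under /var/lib/kubelet/pod-resources for device plugins`, would make the intended scope clear to later readers. In the device-plugin hunk, `stream_connect_pattern(container_device_plugin_t, container_var_lib_t, kubelet_var_lib_t, kubelet_t)` is open-coded next to the existing `container_kubelet_stream_connect()` call; if that interface is defined in container.if it may be the better place for the new socket type so callers outside this module receive the same access.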
