Add support for kubernetes_file_t
Signed-off-by: Daniel J Walsh <[email protected]>
rhatdan committed Aug 12, 2020
1 parent e2d5a9e commit 746ea7a
Showing 3 changed files with 9 additions and 2 deletions.
1 change: 1 addition & 0 deletions container.fc
Expand Up @@ -112,3 +112,4 @@

/var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/etc/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_file_t,s0)
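Review bot: This `/etc/kubernetes(/.*)?` entry is the only file context given to kubernetes_file_t, but the transition added in container.if (`files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")`) creates a `kubernetes` directory under the pid directory with that label, and nothing here covers that path, so a `restorecon` of /run (or a relabel) will reset it to var_run_t and the runtime label will disagree with the file contexts. If the runtime-directory transition is intended, add `/var/run/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_file_t,s0)` next to this line (on most distributions /run is aliased to /var/run through file_contexts.subs_dist, so one entry covers both); if only /etc/kubernetes is meant, the .if rule should use `files_etc_filetrans` instead. Relabeling /etc/kubernetes away from etc_t also means any confined domain that reached kubeconfigs or PKI material there through generic etc_t rules will now be denied; only spc_t gains access in this commit, so check for such consumers before shipping.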
3 changes: 2 additions & 1 deletion container.if
Expand Up @@ -490,6 +490,7 @@ interface(`container_filetrans_named_content',`
type container_log_t;
type container_var_run_t;
type container_home_t;
type kubernetes_file_t;
type container_runtime_tmpfs_t;
')

Expand Down Expand Up @@ -530,7 +531,7 @@ interface(`container_filetrans_named_content',`
userdom_admin_home_dir_filetrans($1, container_home_t, dir, ".container")
filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers")
filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm")

files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")
')

########################################
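Review bot: The new type is exposed to other modules only through the named-transition rule in `container_filetrans_named_content`; there is no read or manage interface for kubernetes_file_t, so a kubelet or other domain defined outside this module cannot be granted access to /etc/kubernetes without a raw `gen_require` of a private type, which is what .if interfaces exist to avoid. A conventional `container_read_kubernetes_files` (and, if needed, a `container_manage_kubernetes_files`) interface should accompany the type; the enclosing interface in this hunk begins and ends outside the visible lines. A minimal read interface in the file's existing style is sketched below; the directory it searches is /etc, matching the only file context the commit declares.
```selinux
########################################
## <summary>
##	Read kubernetes configuration files (/etc/kubernetes).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`container_read_kubernetes_files',`
	gen_require(`
		type kubernetes_file_t;
	')

	files_search_etc($1)
	read_files_pattern($1, kubernetes_file_t, kubernetes_file_t)
	read_lnk_files_pattern($1, kubernetes_file_t, kubernetes_file_t)
')
```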
7 changes: 6 additions & 1 deletion container.te
@@ -1,4 +1,4 @@
policy_module(container, 2.143.0)
policy_module(container, 2.144.0)
gen_require(`
class passwd rootok;
')
Expand Down Expand Up @@ -54,6 +54,9 @@ init_daemon_domain(container_auth_t, container_auth_exec_t)
type spc_var_run_t;
files_pid_file(spc_var_run_t)

type kubernetes_file_t;
files_type(kubernetes_file_t)

type container_var_lib_t alias docker_var_lib_t;
files_type(container_var_lib_t)

Expand Down Expand Up @@ -585,6 +588,8 @@ role system_r types spc_t;
domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
allow container_runtime_domain spc_t:process2 nnp_transition;
admin_pattern(spc_t, kubernetes_file_t)

allow spc_t container_runtime_domain:fifo_file manage_fifo_file_perms;
allow spc_t { container_ro_file_t container_file_t }:system module_load;

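Review bot: The `type kubernetes_file_t;` declaration carries no comment saying what it labels, and since it takes over /etc/kubernetes from etc_t — a directory that typically holds kubeconfigs, static-pod manifests and the cluster PKI — the next maintainer should be told that access to it is meant to stay narrow; a line such as `# /etc/kubernetes: kubeconfigs, manifests and PKI material; grant access sparingly` above the declaration would do. The type is declared with `files_type()` only, so generic config-file interfaces will not match it; if that is deliberate it is worth stating in the same comment. The `admin_pattern(spc_t, kubernetes_file_t)` rule grants spc_t full manage and relabel rights, which is consistent with the neighbouring spc_t rules for the super-privileged container domain, but it means spc_t can rewrite cluster credentials, so it should not be widened to container_runtime_domain without a separate review.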