From f7b4ca04c74787f03942a63c9f24bcdbaa01cd02 Mon Sep 17 00:00:00 2001 From: Talor Itzhak Date: Tue, 24 Sep 2024 16:48:46 +0300 Subject: [PATCH 1/2] selinux: allow access to kubelet_var_lib_t podresources API context has changed to kubelet_var_lib_t: https://github.com/containers/container-selinux/pull/329 Adjust the custom policy to allow access to this new file context. Signed-off-by: Talor Itzhak
---
 pkg/assets/selinux/assets.go | 6 ++++++ pkg/assets/selinux/policy/ocp_v4.18.cil | 25 +++++++++++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 pkg/assets/selinux/policy/ocp_v4.18.cil
diff --git a/pkg/assets/selinux/assets.go b/pkg/assets/selinux/assets.go
index b9b5542d..edc168b1 100644
--- a/pkg/assets/selinux/assets.go
+++ b/pkg/assets/selinux/assets.go
@@ -16,6 +16,9 @@ const (
 ocpVersion413 = "v4.13"
 ocpVersion414 = "v4.14"
 ocpVersion415 = "v4.15"
+ ocpVersion416 = "v4.16"
+ ocpVersion417 = "v4.17"
+ ocpVersion418 = "v4.18"
 )
 //go:embed selinuxinstall.service.template
@@ -43,6 +46,9 @@ func GetPolicy(ver platform.Version) ([]byte, error) {
 func knownVersions() []string {
 return []string{
+ ocpVersion418,
+ ocpVersion417,
+ ocpVersion416,
 ocpVersion415,
 ocpVersion414,
 ocpVersion413,
diff --git a/pkg/assets/selinux/policy/ocp_v4.18.cil b/pkg/assets/selinux/policy/ocp_v4.18.cil
new file mode 100644
index 00000000..2913ef3f
--- /dev/null
+++ b/pkg/assets/selinux/policy/ocp_v4.18.cil
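Review bot: knownVersions() now advertises v4.17 and v4.16, but this patch adds only policy/ocp_v4.18.cil; ocp_v4.17.cil is introduced in the second patch of the series, so at this commit GetPolicy(v4.17) presumably has no policy file to return (GetPolicy's body is outside the hunk, so this is inferred from the file list; a v4.16 file seems to exist already, judging by the old "latest" test case). Move the 4.17 policy into this commit, or add the version constant in the commit that adds its file, so every commit in the series is consistent and bisectable. The list is also maintained newest-first without saying so; a doc line would make the invariant explicit: `// knownVersions returns the supported OCP versions, newest first; keep in sync with policy/ocp_<ver>.cil.`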
@@ -0,0 +1,25 @@
+(block rte
+ (type process)
+ (roletype system_r process)
+ (typeattributeset domain (process))
+ ;
+ ; Giving rte.process the same attributes as container_t
+ (typeattributeset container_domain (process))
+ (typeattributeset container_net_domain (process))
+ (typeattributeset svirt_sandbox_domain (process))
+ (typeattributeset sandbox_net_domain (process))
+ ; MCS is leveraged by container_t and others, like us, to prevent cross-pod communication.
+ (typeattributeset mcs_constrained_type (process))
+ ;
+ ; Allow access to procfs (also needed by libraries)
+ (allow process proc_type (file (open read)))
+ ;
+ ; Allow to RTE pod access to /run/rte directory
+ (allow process container_var_run_t (dir (add_name write)))
+ (allow process container_var_run_t (file (create read write open)))
+ ;
+ ; Allow to RTE pod connect, read and write permissions to /var/lib/kubelet/pod-resource/kubelet.sock
+ (allow process container_var_lib_t (sock_file (open getattr read write ioctl lock append)))
+ (allow process kubelet_var_lib_t (sock_file (open getattr read write ioctl lock append)))
+ (allow process kubelet_t (unix_stream_socket (connectto)))
+)
From 832a9b0813c5fd01b74fe28ae95a8d3f6887a899 Mon Sep 17 00:00:00 2001 From: Talor Itzhak Date: Wed, 25 Sep 2024 16:48:00 +0300 Subject: [PATCH 2/2] unit-test: add test to much number of versions This test is to make sure that when user adds a cil file for a newer version, he doesn't forget to update the known version slice. Signed-off-by: Talor Itzhak
---
 pkg/assets/selinux/assets_test.go | 15 ++++++++++++++- pkg/assets/selinux/policy/ocp_v4.17.cil | 24 ++++++++++++++++++++++++ 2 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 pkg/assets/selinux/policy/ocp_v4.17.cil
diff --git a/pkg/assets/selinux/assets_test.go b/pkg/assets/selinux/assets_test.go
index eb9b8e15..deaf6a6f 100644
--- a/pkg/assets/selinux/assets_test.go
+++ b/pkg/assets/selinux/assets_test.go
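Review bot: The v4.18 policy keeps the `container_var_lib_t` sock_file allow next to the new `kubelet_var_lib_t` one, so the rte domain retains open/read/write/ioctl on every socket labeled container_var_lib_t under /var/lib, not only the kubelet socket; if the relabel from container-selinux#329 is guaranteed on 4.18 nodes, the first rule is no longer needed and should be dropped to keep the domain least-privileged. If it is kept deliberately for nodes that still run an older container-selinux, say so instead of leaving it silent: `; container_var_lib_t kept for nodes whose container-selinux predates PR #329; drop once 4.18 nodes are uniformly relabeled`. The comment above those rules reads `/var/lib/kubelet/pod-resource/kubelet.sock`, while the kubelet's podresources socket normally lives under `pod-resources`; worth correcting so the path can be grepped against the node.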
@@ -17,6 +17,7 @@ package selinux
 import (
+ "os"
 "testing"
 "github.com/k8stopologyawareschedwg/deployer/pkg/deployer/platform"
@@ -32,7 +33,7 @@ func TestGetPolicy(t *testing.T) {
 testCases := []testCase{
 {
 name: "latest", // at time of writing. Keep me updated!
- ver: platform.Version("v4.16"),
+ ver: platform.Version("v4.18"),
 expectedError: false,
 },
 {
@@ -62,3 +63,15 @@ func TestGetPolicy(t *testing.T) {
 })
 }
 }
+
+func TestPolicyDir(t *testing.T) {
+ numOfVersions := len(knownVersions())
+ dir, err := os.ReadDir(policyDir)
+ if err != nil {
+ t.Fatal(err)
+ }
+ numOfCils := len(dir)
+ if numOfVersions != numOfCils {
+ t.Fatalf("number of known version is different than number of cil files. knownVersions=%d, cil files=%d", numOfVersions, numOfCils)
+ }
+}
diff --git a/pkg/assets/selinux/policy/ocp_v4.17.cil b/pkg/assets/selinux/policy/ocp_v4.17.cil
new file mode 100644
index 00000000..99985d2f
--- /dev/null
+++ b/pkg/assets/selinux/policy/ocp_v4.17.cil
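Review bot: TestPolicyDir only compares two counts, so a policy file named for the wrong version, a stray non-.cil entry, or a version constant whose file is missing can still pass (or fail) without the message naming the culprit; the hunk adding it is the one to tighten. Check names rather than counts: every version in knownVersions() must resolve through GetPolicy, and every ocp_<ver>.cil in the directory must map back to a known version, so the failure message points at the offending entry. The ocp_<ver>.cil pattern is taken from the files this series adds; policyDir is defined outside the hunk, so confirm it is the same directory the embedded policies are read from, otherwise the test checks the working tree rather than what ships. The rewrite below needs `strings` added to the import block.
```go
func TestPolicyDir(t *testing.T) {
	known := make(map[string]bool, len(knownVersions()))
	for _, ver := range knownVersions() {
		known[ver] = true
		// every advertised version must resolve to a policy
		if _, err := GetPolicy(platform.Version(ver)); err != nil {
			t.Errorf("known version %q has no policy: %v", ver, err)
		}
	}
	entries, err := os.ReadDir(policyDir)
	if err != nil {
		t.Fatal(err)
	}
	for _, e := range entries {
		name := e.Name()
		if e.IsDir() || !strings.HasSuffix(name, ".cil") {
			t.Errorf("unexpected entry %q in %s", name, policyDir)
			continue
		}
		// every policy file must be advertised by knownVersions()
		ver := strings.TrimSuffix(strings.TrimPrefix(name, "ocp_"), ".cil")
		if !known[ver] {
			t.Errorf("policy file %q is not listed in knownVersions()", name)
		}
	}
}
```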
@@ -0,0 +1,24 @@
+(block rte
+ (type process)
+ (roletype system_r process)
+ (typeattributeset domain (process))
+ ;
+ ; Giving rte.process the same attributes as container_t
+ (typeattributeset container_domain (process))
+ (typeattributeset container_net_domain (process))
+ (typeattributeset svirt_sandbox_domain (process))
+ (typeattributeset sandbox_net_domain (process))
+ ; MCS is leveraged by container_t and others, like us, to prevent cross-pod communication.
+ (typeattributeset mcs_constrained_type (process))
+ ;
+ ; Allow access to procfs (also needed by libraries)
+ (allow process proc_type (file (open read)))
+ ;
+ ; Allow to RTE pod access to /run/rte directory
+ (allow process container_var_run_t (dir (add_name write)))
+ (allow process container_var_run_t (file (create read write open)))
+ ;
+ ; Allow to RTE pod connect, read and write permissions to /var/lib/kubelet/pod-resource/kubelet.sock
+ (allow process container_var_lib_t (sock_file (open getattr read write ioctl lock append)))
+ (allow process kubelet_t (unix_stream_socket (connectto)))
+)
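Review bot: ocp_v4.17.cil is the 4.18 policy minus the `kubelet_var_lib_t` sock_file rule, yet the commit message describes only a unit test; the new policy file deserves its own mention, and the reason 4.17 goes without that rule (presumably that its container-selinux still labels kubelet.sock as container_var_lib_t) should be recorded, because a 4.17 node that picks up the relabel would leave the RTE pod unable to reach the podresources socket with no hint in the policy as to why. A comment on the socket rules would capture the decision: `; on 4.17 kubelet.sock is still container_var_lib_t (container-selinux predates PR #329)`. Both files in this series repeat the entire rte block verbatim; a note stating which file is the canonical copy would help whoever does the next version bump keep them aligned.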