Merge pull request #801 from 0xC0ncord/various/20240807
Various fixes
pebenito authored Aug 21, 2024
2 parents 33cfaeb + 2b8fa2b commit faa409e
Showing 8 changed files with 54 additions and 5 deletions.
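--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -732,6 +732,24 @@ interface(`fs_create_bpf_dirs',`
 create_dirs_pattern($1, bpf_t, bpf_t)
 ')
 
+########################################
+## <summary>
+## Manage bpf directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_bpf_dirs',`
+gen_require(`
+type bpf_t;
+')
+
+manage_dirs_pattern($1, bpf_t, bpf_t)
+')
+
 ########################################
 ## <summary>
 ## Manage bpf files.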
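--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2885,6 +2885,24 @@ interface(`kernel_rw_unlabeled_dirs',`
 allow $1 unlabeled_t:dir rw_dir_perms;
 ')
 
+########################################
+## <summary>
+## Create unlabeled directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_create_unlabeled_dirs',`
+gen_require(`
+type unlabeled_t;
+')
+
+allow $1 unlabeled_t:dir create_dir_perms;
+')
+
 ########################################
 ## <summary>
 ## Delete unlabeled directories.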
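Review bot: The summary of kernel_create_unlabeled_dirs does not say what label the directories it creates end up with, which is the part a caller needs to plan for. Absent a type transition, a directory created under an unlabeled_t parent inherits unlabeled_t, so the caller has to expect a later relabel (the kubelet caller in this same commit notes exactly that in its comment). Suggest widening the summary to `## Create unlabeled directories. Directories created this way are themselves unlabeled_t until relabeled.`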
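--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -389,6 +389,7 @@ libs_dontaudit_setattr_lib_files(container_domain)
 miscfiles_read_localization(container_domain)
 miscfiles_dontaudit_setattr_fonts_cache_dirs(container_domain)
 miscfiles_read_fonts(container_domain)
+miscfiles_read_generic_certs(container_domain)
 
 mta_dontaudit_read_spool_symlinks(container_domain)
 
@@ -1084,7 +1085,7 @@ fs_mounton_cgroup(spc_t)
 fs_manage_cgroup_dirs(spc_t)
 fs_manage_cgroup_files(spc_t)
 fs_mount_bpf(spc_t)
-fs_create_bpf_dirs(spc_t)
+fs_manage_bpf_dirs(spc_t)
 fs_manage_bpf_files(spc_t)
 fs_manage_bpf_symlinks(spc_t)
 fs_mounton_fusefs(spc_t)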
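Review bot: `miscfiles_read_generic_certs(container_domain)` is attached to the container_domain attribute, so it reaches every container domain rather than only the privileged spc_t, and nothing in the hunk records the use case. A one-line comment in the style this file already uses would keep the grant reviewable, e.g. `# containers read the host cert store (presumably for TLS verification -- confirm)`. The second hunk's move from fs_create_bpf_dirs to fs_manage_bpf_dirs for spc_t is consistent with the fs_manage_bpf_files and fs_manage_bpf_symlinks lines next to it and raises no separate concern.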
2 changes: 1 addition & 1 deletion policy/modules/services/dbus.te
Expand Up @@ -295,7 +295,7 @@ optional_policy(`
# Common session bus local policy
#

dontaudit session_bus_type self:capability sys_resource;
dontaudit session_bus_type self:capability { net_admin sys_resource };
allow session_bus_type self:process { getattr sigkill signal };
dontaudit session_bus_type self:process { ptrace setrlimit };
allow session_bus_type self:file rw_inherited_file_perms;
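Review bot: The added `net_admin` in the session_bus_type dontaudit silences a capability denial without recording what triggers it, and because a dontaudit hides the denial permanently it will also hide any future case where a session bus genuinely needs the capability. A short comment naming the trigger (likely a setsockopt request that exceeds the unprivileged socket buffer limit, but verify this against the audited denial) would let the next reviewer confirm the rule is still only noise suppression. Keeping it as dontaudit rather than allow is the right choice here.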
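--- a/policy/modules/services/haproxy.te
+++ b/policy/modules/services/haproxy.te
@@ -91,6 +91,8 @@ corecmd_search_bin(haproxy_t)
 
 dev_dontaudit_read_sysfs(haproxy_t)
 
+domain_use_interactive_fds(haproxy_t)
+
 kernel_read_kernel_sysctls(haproxy_t)
 kernel_read_state(haproxy_t)
 kernel_read_system_state(haproxy_t)
@@ -102,6 +104,8 @@ miscfiles_read_localization(haproxy_t)
 
 logging_send_syslog_msg(haproxy_t)
 
+userdom_use_user_terminals(haproxy_t)
+
 can_exec(haproxy_t, haproxy_exec_t)
 
 tunable_policy(`haproxy_bind_all_tcp_ports',`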
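Review bot: `userdom_use_user_terminals(haproxy_t)` in the second hunk gives a network-facing daemon read/write access to user ttys and ptys, which is a wider grant than a daemon normally needs and a useful write path for a compromised haproxy_t. If the goal is only to keep the audit log quiet when haproxy is launched from a user shell, `userdom_dontaudit_use_user_terminals(haproxy_t)` achieves that without the extra access; if interactive use really is required, a comment saying so would justify the allow rule. `domain_use_interactive_fds(haproxy_t)` in the first hunk is the usual daemon rule and is fine.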
7 changes: 4 additions & 3 deletions policy/modules/services/kubernetes.te
Expand Up @@ -249,10 +249,8 @@ fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir file lnk_file })

corenet_tcp_bind_generic_node(kubelet_t)

corenet_tcp_connect_http_port(kubelet_t)
corenet_tcp_bind_kubernetes_port(kubelet_t)
corenet_tcp_connect_kubernetes_port(kubelet_t)
corenet_tcp_connect_all_unreserved_ports(kubelet_t)
corenet_tcp_connect_all_ports(kubelet_t)

corecmd_exec_bin(kubelet_t)
corecmd_watch_bin_dirs(kubelet_t)
Expand Down Expand Up @@ -313,6 +311,9 @@ kernel_rw_vm_overcommit_sysctl(kubelet_t)
# haven't been relabeled yet (fsGroup)
kernel_list_unlabeled(kubelet_t)
kernel_setattr_all_unlabeled(kubelet_t)
# create subPath mountpoints in a volume that
# hasn't been relabeled yet
kernel_create_unlabeled_dirs(kubelet_t)

storage_getattr_fixed_disk_dev(kubelet_t)
storage_dontaudit_read_fixed_disk(kubelet_t)
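Review bot: `corenet_tcp_connect_all_ports(kubelet_t)` in the first hunk replaces the http-port and unreserved-port grants with connect access to every TCP port, including reserved and well-known ones, and the hunk carries no comment on why the narrower rules were insufficient. Since kubelet is already a privileged node agent, the widening is not surprising, but the rationale should be written down next to the rule, e.g. `# probes, exec and port-forward reach arbitrary pod ports (confirm)`, so a later reviewer can tell whether a narrower interface would do. The second hunk's kernel_create_unlabeled_dirs already carries such a comment and is the model to follow.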
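--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -93,6 +93,12 @@ ifdef(`init_systemd',`
 # podman auto-update will restart the unit for
 # the container when it is updated
 container_start_units(podman_t)
 
+# podman auto-update can restart containers created
+# via quadlet as well, which are runtime units
+init_get_runtime_units_status(podman_t)
+init_start_runtime_units(podman_t)
+init_stop_runtime_units(podman_t)
 ')
 
 ########################################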
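Review bot: The comment above the three new init_*_runtime_units rules talks about quadlet-generated container units, but `init_start_runtime_units` and `init_stop_runtime_units` are not scoped to containers the way the adjacent container_start_units is, so podman_t gains start/stop over every runtime unit on the host. If no narrower interface exists that is acceptable, but the comment should state the real scope, e.g. `# note: these cover all runtime units, not only quadlet-generated ones`. The enclosing ifdef(`init_systemd' block begins before the hunk.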
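--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -84,6 +84,7 @@ domain_use_interactive_fds(iptables_t)
 
 files_read_etc_files(iptables_t)
 files_read_etc_runtime_files(iptables_t)
+files_read_usr_files(iptables_t)
 
 auth_use_nsswitch(iptables_t)
 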
