machined permissions

Signed-off-by: Dmitry Sharshakov <[email protected]>
siderolabs · Nov 28, 2024 · 8ac076a · 8ac076a
1 parent 5bbb248
commit 8ac076a
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 1 deletion.
diff --git a/internal/pkg/selinux/policy/selinux/common/processes.cil b/internal/pkg/selinux/policy/selinux/common/processes.cil
@@ -109,6 +109,8 @@
 (allow any_p proc_sysctl_t (fs_classes (rw)))
 ; Unconfined FS and files
 (allow any_p unconfined_f (fs_classes (rw)))
+; Kernel threads can access anything
+(allow kernel_t any_f (fs_classes (rw)))
 
 ; Own sockets
 (allow any_p self (unix_stream_socket (connectto)))
diff --git a/internal/pkg/selinux/policy/selinux/services/machined.cil b/internal/pkg/selinux/policy/selinux/services/machined.cil
@@ -61,6 +61,34 @@
 (allow init_t pod_containerd_socket_t (sock_file (write)))
 (allow init_t pod_containerd_t (unix_stream_socket (connectto)))
 
+; Allow access to any file for machined, for ls
+(allow init_t any_f (fs_classes (rw)))
+
+; /dev/console
+(allow init_t kernel_t (system (syslog_console syslog_mod syslog_read)))
+(allow init_t self (capability2 (syslog)))
+(allow init_t kernel_t (fd (use)))
+
+; labeling FS
+(allow init_t tmpfs_t (fs_classes (relabelfrom)))
+(allow init_t run_t (dir (relabelto)))
+(allow init_t system_t (dir (relabelto)))
+(allow init_t etc_t (dir (relabelto)))
+
+(allow init_t system_t (fs_classes (relabelfrom)))
+(allow init_t system_var_t (dir (relabelto)))
+(allow init_t etcd_pki_t (dir (relabelto)))
+(allow init_t kube_apiserver_config_t (dir (relabelto)))
+(allow init_t kube_scheduler_config_t (dir (relabelto)))
+(allow init_t kube_apiserver_secret_t (dir (relabelto)))
+(allow init_t kube_controller_manager_secret_t (dir (relabelto)))
+(allow init_t kube_scheduler_secret_t (dir (relabelto)))
+
+(allow init_t trustd_runtime_socket_t (sock_file (relabelto)))
+
+(allow init_t run_t (fs_classes (relabelfrom)))
+(allow init_t apid_runtime_socket_t (sock_file (relabelto)))
+
 ; rootfs.sqsh
 (allow kernel_t rootfs_t (file (read)))
 

diff --git a/internal/pkg/selinux/policy/selinux/services/system-containers.cil b/internal/pkg/selinux/policy/selinux/services/system-containers.cil
@@ -22,7 +22,6 @@
 (type trustd_runtime_socket_t)
 (call system_socket_f (trustd_runtime_socket_t))
 (allow trustd_t trustd_runtime_socket_t (sock_file (write)))
-(allow trustd_t trustd_runtime_socket_t (sock_file (relabelto)))
 
 ; Talos installer
 (type installer_t)