From ac7d2dfe4503c9f8504446fb9bf7cfcde2a149a3 Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov
Date: Thu, 28 Nov 2024 14:28:15 +0100
Subject: [PATCH] machined permissions
Signed-off-by: Dmitry Sharshakov
---
 .../policy/selinux/common/processes.cil | 2 ++
 .../policy/selinux/services/machined.cil | 28 +++++++++++++++++++
 .../selinux/services/system-containers.cil | 1 -
 3 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/internal/pkg/selinux/policy/selinux/common/processes.cil b/internal/pkg/selinux/policy/selinux/common/processes.cil
index 876b639ffd..9efaf06add 100644
--- a/internal/pkg/selinux/policy/selinux/common/processes.cil
+++ b/internal/pkg/selinux/policy/selinux/common/processes.cil
@@ -109,6 +109,8 @@
 (allow any_p proc_sysctl_t (fs_classes (rw)))
 ; Unconfined FS and files
 (allow any_p unconfined_f (fs_classes (rw)))
+; Kernel threads can access anything
+(allow kernel_t any_f (fs_classes (rw)))
 ; Own sockets
 (allow any_p self (unix_stream_socket (connectto)))
diff --git a/internal/pkg/selinux/policy/selinux/services/machined.cil b/internal/pkg/selinux/policy/selinux/services/machined.cil
index 0e02fc5a71..cbf2be6080 100644
--- a/internal/pkg/selinux/policy/selinux/services/machined.cil
+++ b/internal/pkg/selinux/policy/selinux/services/machined.cil
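Review bot: `(allow kernel_t any_f (fs_classes (rw)))` in the processes.cil hunk grants kernel threads read and write access to every file type the policy defines, and its comment `; Kernel threads can access anything` restates the rule instead of recording which denied access motivated it; the machined.cil hunk adds the same shape for the machined domain, `(allow init_t any_f (fs_classes (rw)))`, where the comment (`for ls`) justifies only listing and reading, not writing. A blanket rw grant on any_f removes the per-type separation the rest of the policy is built on for both domains, so either replace it with allow rules for the specific types that were actually denied, or, if a broad grant is intended, narrow it to the read-side permissions the stated purpose needs (if the fs_classes macro provides such a set) and document the concrete denial behind it, e.g. `; rw on all file types is required for <operation — TODO fill in from the audit denial>`. The surrounding rule groups in both hunks continue outside the shown context.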
@@ -61,6 +61,34 @@
 (allow init_t pod_containerd_socket_t (sock_file (write)))
 (allow init_t pod_containerd_t (unix_stream_socket (connectto)))
+; Allow access to any file for machined, for ls
+(allow init_t any_f (fs_classes (rw)))
+
+; /dev/console
+(allow init_t kernel_t (system (syslog_console syslog_mod syslog_read)))
+(allow init_t self (capability2 (syslog)))
+(allow init_t kernel_t (fd (use)))
+
+; labeling FS
+(allow init_t tmpfs_t (fs_classes (relabelfrom)))
+(allow init_t run_t (dir (relabelto)))
+(allow init_t system_t (dir (relabelto)))
+(allow init_t etc_t (dir (relabelto)))
+
+(allow init_t system_t (fs_classes (relabelfrom)))
+(allow init_t system_var_t (dir (relabelto)))
+(allow init_t etcd_pki_t (dir (relabelto)))
+(allow init_t kube_apiserver_config_t (dir (relabelto)))
+(allow init_t kube_scheduler_config_t (dir (relabelto)))
+(allow init_t kube_apiserver_secret_t (dir (relabelto)))
+(allow init_t kube_controller_manager_secret_t (dir (relabelto)))
+(allow init_t kube_scheduler_secret_t (dir (relabelto)))
+
+(allow init_t trustd_runtime_socket_t (sock_file (relabelto)))
+
+(allow init_t run_t (fs_classes (relabelfrom)))
+(allow init_t apid_runtime_socket_t (sock_file (relabelto)))
+
 ; rootfs.sqsh
 (allow kernel_t rootfs_t (file (read)))
diff --git a/internal/pkg/selinux/policy/selinux/services/system-containers.cil b/internal/pkg/selinux/policy/selinux/services/system-containers.cil
index e94b0ef838..37976a8ef9 100644
--- a/internal/pkg/selinux/policy/selinux/services/system-containers.cil
+++ b/internal/pkg/selinux/policy/selinux/services/system-containers.cil
@@ -22,7 +22,6 @@
 (type trustd_runtime_socket_t)
 (call system_socket_f (trustd_runtime_socket_t))
 (allow trustd_t trustd_runtime_socket_t (sock_file (write)))
-(allow trustd_t trustd_runtime_socket_t (sock_file (relabelto)))
 ; Talos installer
 (type installer_t)
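Review bot: The `; /dev/console` comment above `(allow init_t kernel_t (system (syslog_console syslog_mod syslog_read)))` names only the device, while the three `system` permissions it grants are distinct: syslog_console controls console logging, syslog_mod allows modifying the kernel log (including clearing it), and syslog_read allows reading the kernel ring buffer, and `capability2 (syslog)` on the next line is the capability side of the same access. State which machined operation needs each so a later reviewer can drop the ones no longer required, e.g. `; /dev/console: syslog_console/syslog_mod to adjust console logging, syslog_read to read the kernel log — TODO confirm each is exercised`. The same applies to the `; labeling FS` group, whose comment does not say which relabel pass (system dirs, kube config/secret dirs, runtime sockets) each sub-block serves; a one-line comment per sub-block would make the relabelto set auditable. The enclosing machined.cil section continues outside the hunk.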