diff --git a/internal/pkg/selinux/policy/file_contexts b/internal/pkg/selinux/policy/file_contexts
index 6e34ca45f8..07285e128b 100644
--- a/internal/pkg/selinux/policy/file_contexts
+++ b/internal/pkg/selinux/policy/file_contexts
@@ -3,7 +3,9 @@
 /sbin(/.*)? system_u:object_r:sbin_exec_t:s0
 /etc/cni(/.*)? system_u:object_r:cni_conf_t:s0
 /opt/cni(/.*)? system_u:object_r:cni_plugin_t:s0
+/usr/lib(/.*)? system_u:object_r:lib_exec_t:s0
 /usr/sbin(/.*)? system_u:object_r:sbin_exec_t:s0
+/lib/modules(/.*)? system_u:object_r:module_t:s0
 /usr/lib/udev(/.*)? system_u:object_r:udev_exec_t:s0
 /etc/kubernetes(/.*)? system_u:object_r:k8s_conf_t:s0
 /opt/containerd(/.*)? system_u:object_r:containerd_plugin_t:s0
diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33
index 7a1c7a2827..f409cfe3b1 100644
Binary files a/internal/pkg/selinux/policy/policy.33 and b/internal/pkg/selinux/policy/policy.33 differ
diff --git a/internal/pkg/selinux/policy/selinux/common/classmaps.cil b/internal/pkg/selinux/policy/selinux/common/classmaps.cil
index fa8a848049..9a0f39fc32 100644
--- a/internal/pkg/selinux/policy/selinux/common/classmaps.cil
+++ b/internal/pkg/selinux/policy/selinux/common/classmaps.cil
@@ -1,39 +1,31 @@ ; Access to all file classes -(classmap fs_classes (full rw ro)) -(classmapping fs_classes full (filesystem ( - associate - getattr - mount - quotaget - quotamod - relabelfrom - relabelto - remount - unmount - watch -))) -(classmapping fs_classes full (file ( - append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write -))) -(classmapping fs_classes full (dir ( - append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write - add_name remove_name reparent rmdir search -))) -(classmapping fs_classes full (lnk_file ( - append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write -))) -(classmapping fs_classes full (chr_file ( - append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write -))) -(classmapping fs_classes full (blk_file ( - append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write -))) -(classmapping fs_classes full (sock_file ( - append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write -))) -(classmapping fs_classes full (fifo_file ( - append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write -))) +(classmap fs_classes (relabelfrom relabelto 
mounton rw ro)) +; relabelfrom +(classmapping fs_classes relabelfrom (filesystem (relabelfrom))) +(classmapping fs_classes relabelfrom (file (relabelfrom))) +(classmapping fs_classes relabelfrom (dir (relabelfrom))) +(classmapping fs_classes relabelfrom (lnk_file (relabelfrom))) +(classmapping fs_classes relabelfrom (chr_file (relabelfrom))) +(classmapping fs_classes relabelfrom (blk_file (relabelfrom))) +(classmapping fs_classes relabelfrom (sock_file (relabelfrom))) +(classmapping fs_classes relabelfrom (fifo_file (relabelfrom))) +; relabelto +(classmapping fs_classes relabelto (filesystem (relabelto))) +(classmapping fs_classes relabelto (file (relabelto))) +(classmapping fs_classes relabelto (dir (relabelto))) +(classmapping fs_classes relabelto (lnk_file (relabelto))) +(classmapping fs_classes relabelto (chr_file (relabelto))) +(classmapping fs_classes relabelto (blk_file (relabelto))) +(classmapping fs_classes relabelto (sock_file (relabelto))) +(classmapping fs_classes relabelto (fifo_file (relabelto))) +; mounton +(classmapping fs_classes mounton (file (mounton))) +(classmapping fs_classes mounton (dir (mounton))) +(classmapping fs_classes mounton (lnk_file (mounton))) +(classmapping fs_classes mounton (chr_file (mounton))) +(classmapping fs_classes mounton (blk_file (mounton))) +(classmapping fs_classes mounton (sock_file (mounton))) +(classmapping fs_classes mounton (fifo_file (mounton))) ; rw is full without SELinux management (classmapping fs_classes rw (filesystem ( associate 
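Review bot: The context comment `; rw is full without SELinux management` now refers to a mapping that no longer exists, since this hunk removes `full` from `fs_classes`. From the new definitions in the following hunks, `rw` is every permission of the old `full` set except `execute`, `relabelfrom` and `relabelto`, so the comment should read `; rw is everything except execute, relabelfrom and relabelto`. A one-line comment above the new `mounton` mappings noting that the `filesystem` class is deliberately omitted (it has no `mounton` permission) would also save the next reader from looking for a missing line.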
@@ -46,26 +38,26 @@ watch ))) (classmapping fs_classes rw (file ( - append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write + append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write ))) (classmapping fs_classes rw (dir ( - append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write + append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write add_name remove_name reparent rmdir search ))) (classmapping fs_classes rw (lnk_file ( - append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write + append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write ))) (classmapping fs_classes rw (chr_file ( - append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write + append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write ))) (classmapping fs_classes rw (blk_file ( - append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write + append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write ))) (classmapping fs_classes rw (sock_file ( - append create execmod 
execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write + append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write ))) (classmapping fs_classes rw (fifo_file ( - append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write + append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write ))) ; ro is rw without write and configure (classmapping fs_classes ro (filesystem ( 
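Review bot: `execmod` stays in every `rw` mapping in this hunk and in every `ro` mapping in the next hunk, while `execute` is removed from both so that running code requires an explicit grant. `execmod` is the permission that lets a domain map a file and then make a page it has privately modified executable, so every `(fs_classes (ro))` or `(fs_classes (rw))` rule — including the `any_f` grants in processes.cil and machined.cil — still permits executing modified contents of any file it covers, which undercuts the point of splitting `execute` out. Consider dropping `execmod` from `rw` and `ro` and granting it only next to `execute` where text relocations are actually needed, e.g. `(allow service_p lib_exec_t (file (execute execmod)))`.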
@@ -75,26 +67,26 @@ watch ))) (classmapping fs_classes ro (file ( - append create execmod execute getattr ioctl lock map mounton open quotaon read rename unlink watch watch_mount watch_reads watch_sb watch_with_perm + execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm ))) (classmapping fs_classes ro (dir ( - execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm + execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm search ))) (classmapping fs_classes ro (lnk_file ( - execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm + execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm ))) (classmapping fs_classes ro (chr_file ( - execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm + execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm ))) (classmapping fs_classes ro (blk_file ( - execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm + execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm ))) (classmapping fs_classes ro (sock_file ( - execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm + execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm ))) (classmapping fs_classes ro (fifo_file ( - execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm + execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm ))) ; Netlink socket access 
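Review bot: `ioctl` is dropped from every `ro` mapping in this hunk, including `chr_file`, so a domain that only holds `(fs_classes (ro))` on a terminal or other character device can no longer issue any ioctl; even `isatty()`/`TCGETS` go through the `ioctl` permission. Grants like `(allow dashboard_t device_t (fs_classes (rw)))` are unaffected, but read-only device consumers should be checked against this before the policy is rebuilt. If excluding ioctl from read-only access is intended, the context comment `; ro is rw without write and configure` no longer describes the set and could say `; ro: getattr, read, open, lock, map and watch only - no ioctl, no write`.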
@@ -130,3 +122,38 @@ (classmapping netlink_classes full (netlink_scsitransport_socket (accept append bind connect create getattr getopt ioctl listen lock map name_bind read recvfrom sendto setattr setopt shutdown write))) (classmapping netlink_classes full (netlink_rdma_socket (accept append bind connect create getattr getopt ioctl listen lock map name_bind read recvfrom sendto setattr setopt shutdown write))) (classmapping netlink_classes full (netlink_crypto_socket (accept append bind connect create getattr getopt ioctl listen lock map name_bind read recvfrom sendto setattr setopt shutdown write))) + +; Everything except ptrace +(classmap process_classes (full)) +(classmapping process_classes full (process ( + dyntransition + execheap + execmem + execstack + fork + getattr + getcap + getpgid + getsched + getsession + getrlimit + noatsecure + rlimitinh + setcap + setcurrent + setexec + setfscreate + setkeycreate + setpgid + setrlimit + setsched + setsockcreate + share + sigchld + siginh + sigkill + signal + signull + sigstop + transition +))) diff --git a/internal/pkg/selinux/policy/selinux/common/processes.cil b/internal/pkg/selinux/policy/selinux/common/processes.cil new file mode 100644 index 0000000000..9eda8efd93 --- /dev/null +++ b/internal/pkg/selinux/policy/selinux/common/processes.cil 
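Review bot: The new `full` mapping for `process_classes` includes `dyntransition` alongside `transition`, and this commit grants `(process_classes (full))` across domains in processes.cil (`init_t` to `service_p`), cri.cil (`pod_containerd_t` to `pod_p`) and machined.cil (`initramfs_t` to `init_t`). `dyntransition` lets the source domain switch into the target domain by writing its own `/proc/self/attr/current`, with no entrypoint file involved, which bypasses the `execute`/`entrypoint`/`typetransition` pairing the rest of the policy uses for domain changes. Consider keeping `dyntransition` (and `setcurrent`, which only makes sense on `self`) out of `full`, e.g. in a separate mapping, so that cross-domain grants carry only the signal, scheduling and `transition` permissions they need; the `execmem`/`execheap`/`execstack` trio also deserves a comment, since `full` is granted to every process on itself.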
@@ -0,0 +1,121 @@ +; Query procfs about self, plus OOM adj and similar writes (controlled by other access control and caps) +; Also FIFO/socket writes for own stuff +(allow any_p self (fs_classes (rw))) +; Read process info +(allow any_p procfs_t (fs_classes (ro))) +; Allow all process actions but ptrace, set* will be guarded by transitions +(allow any_p self (process_classes (full))) + +; Pseudo devices +(allow any_p null_device_t (fs_classes (rw))) + +; All caps, except sys_boot and sys_modules +(allow any_p self (capability ( + audit_control + audit_write + chown + dac_override + dac_read_search + fowner + fsetid + ipc_lock + ipc_owner + kill + lease + linux_immutable + mknod + net_admin + net_bind_service + net_broadcast + net_raw + setfcap + setgid + setpcap + setuid + sys_admin + sys_chroot + sys_nice + sys_pacct + sys_ptrace + sys_rawio + sys_resource + sys_time + sys_tty_config +))) +(allow any_p self (cap_userns ( + audit_control + audit_write + chown + dac_override + dac_read_search + fowner + fsetid + ipc_lock + ipc_owner + kill + lease + linux_immutable + mknod + net_admin + net_bind_service + net_broadcast + net_raw + setfcap + setgid + setpcap + setuid + sys_admin + sys_chroot + sys_nice + sys_pacct + sys_ptrace + sys_rawio + sys_resource + sys_time + sys_tty_config +))) +; All but mac_admin, mac_override and syslog +(allow any_p self (capability2 ( + audit_read + block_suspend + bpf + checkpoint_restore + perfmon + wake_alarm +))) +(allow any_p self (cap2_userns ( + audit_read + block_suspend + bpf + checkpoint_restore + perfmon + wake_alarm +))) + +; Enable (e)BPF for all processes +(allow any_p self (bpf (map_create map_read map_write prog_load prog_run))) + +; Allow init to manage processes +(allow init_t service_p (fs_classes (rw))) +(allow init_t service_p (process_classes (full))) + +; kernel cmdline +(allow system_p proc_cmdline_t (fs_classes (ro))) +(allow system_container_p proc_cmdline_t (fs_classes (ro))) + +; These only run binaries from 
the squashfs so this shouldn't do harm. +; TODO: eliminate such common permissions +(allow system_p any_f (fs_classes (ro))) +(allow system_container_p any_f (fs_classes (ro))) + +; By default, allow any process to access any device except special ones +(allow any_p common_device_f (fs_classes (rw))) +; CNI, containerd, many different services read and write sysctl parameters +(allow any_p proc_sysctl_t (fs_classes (rw))) +; Unconfined FS and files +(allow any_p unconfined_f (fs_classes (rw))) +; Kernel threads can access anything +(allow kernel_t any_f (fs_classes (rw))) + +; Own sockets +(allow any_p self (unix_stream_socket (connectto))) diff --git a/internal/pkg/selinux/policy/selinux/common/typeattributes.cil b/internal/pkg/selinux/policy/selinux/common/typeattributes.cil index 9288c081a2..9b31857712 100644 --- a/internal/pkg/selinux/policy/selinux/common/typeattributes.cil +++ b/internal/pkg/selinux/policy/selinux/common/typeattributes.cil @@ -36,8 +36,9 @@ (typeattributeset protected_device_f ARG1) ) +(typeattributeset common_device_f device_t) + (typeattribute device_f) -(typeattributeset device_f device_t) (typeattributeset device_f common_device_f) (typeattributeset device_f protected_device_f) @@ -72,6 +73,7 @@ (roletype system_r process_label) (typeattributeset service_p process_label) (typeattributeset service_exec_f executable_label) + (allow process_label executable_label (fs_classes (ro))) (allow process_label executable_label (file (entrypoint execute execute_no_trans))) ) @@ -89,6 +91,7 @@ (typeattribute system_p) (typeattributeset system_p kernel_t) +(typeattributeset system_p initramfs_t) (typeattributeset system_p init_t) (typeattributeset system_p service_p) diff --git a/internal/pkg/selinux/policy/selinux/immutable/fs.cil b/internal/pkg/selinux/policy/selinux/immutable/fs.cil index 90eff2d0b8..f196fcc20c 100644 --- a/internal/pkg/selinux/policy/selinux/immutable/fs.cil +++ b/internal/pkg/selinux/policy/selinux/immutable/fs.cil 
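Review bot: `(allow any_p proc_sysctl_t (fs_classes (rw)))` lets every process domain write any sysctl, while the comment above it names only CNI, containerd and services as writers. Since `rw` carries `write`, `create`, `unlink` and `setattr` on every file class under `/proc/sys`, the grant could be narrowed to `(allow containerd_p proc_sysctl_t (fs_classes (rw)))` and `(allow system_p proc_sysctl_t (fs_classes (rw)))`, leaving `(allow any_p proc_sysctl_t (fs_classes (ro)))` for readers; whether `pod_p` is a member of `any_p` is not visible in this diff, so confirm that before changing it. Two smaller items: the comment `; All caps, except sys_boot and sys_modules` should name the capability `sys_module`, and the `capability`/`cap_userns` (and `capability2`/`cap2_userns`) lists are duplicated verbatim, so a comment stating that the userns lists are intentionally kept identical would help the next editor.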
@@ -23,7 +23,11 @@ (type sysfs_t) (call filesystem_f (sysfs_t)) +(type sys_module_t) +(call filesystem_f (sys_module_t)) + (genfscon sysfs "/" (system_u object_r sysfs_t (systemLow systemLow))) +(genfscon sysfs "/module" (system_u object_r sys_module_t (systemLow systemLow))) (type bpf_t) (call filesystem_f (bpf_t)) @@ -48,9 +52,15 @@ (genfscon proc "/" procfs_t) (genfscon proc "/sysvipc" procfs_t) +(type proc_cmdline_t) +(call filesystem_f (proc_cmdline_t)) +(genfscon proc "/cmdline" (system_u object_r proc_cmdline_t (systemLow systemLow))) + (type proc_sysctl_t) (call filesystem_f (proc_sysctl_t)) (genfscon proc "/sys" (system_u object_r proc_sysctl_t (systemLow systemLow))) +; It matches /sys, yet should not have the same context +(genfscon proc "/sysrq-trigger" procfs_t) (type securityfs_t) (call filesystem_f (securityfs_t)) diff --git a/internal/pkg/selinux/policy/selinux/immutable/preamble.cil b/internal/pkg/selinux/policy/selinux/immutable/preamble.cil index 777a863cf8..08911294a6 100644 --- a/internal/pkg/selinux/policy/selinux/immutable/preamble.cil +++ b/internal/pkg/selinux/policy/selinux/immutable/preamble.cil @@ -8,3 +8,4 @@ (policycap cgroup_seclabel) (policycap nnp_nosuid_transition) (policycap ioctl_skip_cloexec) +(policycap userspace_initial_context) diff --git a/internal/pkg/selinux/policy/selinux/immutable/sids.cil b/internal/pkg/selinux/policy/selinux/immutable/sids.cil index 1ded02c361..8676cd320e 100644 --- a/internal/pkg/selinux/policy/selinux/immutable/sids.cil +++ b/internal/pkg/selinux/policy/selinux/immutable/sids.cil 
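Review bot: Labelling `/proc/sysrq-trigger` as `procfs_t` keeps it out of `proc_sysctl_t`, but `procfs_t` is also the catch-all for the rest of procfs, so any rule granting `rw` on `procfs_t` or on `any_f` (machined.cil adds `(allow init_t any_f (fs_classes (rw)))`, processes.cil has `(allow kernel_t any_f (fs_classes (rw)))`) silently includes the ability to write this trigger. A dedicated type would make writers explicit and auditable, e.g. `(type proc_sysrq_t)`, `(call filesystem_f (proc_sysrq_t))` and `(genfscon proc "/sysrq-trigger" (system_u object_r proc_sysrq_t (systemLow systemLow)))`. The comment could also state the mechanism rather than the symptom: `; genfscon matches by path prefix, so /sysrq-trigger would otherwise inherit proc_sysctl_t from /sys`.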
@@ -60,8 +60,12 @@ (sid any_socket) (sidcontext any_socket (system_u object_r unlabeled_t (systemLow systemLow))) + +(type initramfs_t) +(roletype system_r initramfs_t) (sid init) -(sidcontext init (system_u object_r unlabeled_t (systemLow systemLow))) +(sidcontext init (system_u object_r initramfs_t (systemLow systemLow))) + (sid file_labels) (sidcontext file_labels (system_u object_r unlabeled_t (systemLow systemLow))) (sid file) diff --git a/internal/pkg/selinux/policy/selinux/services/cri.cil b/internal/pkg/selinux/policy/selinux/services/cri.cil index 58440404a1..4959116685 100644 --- a/internal/pkg/selinux/policy/selinux/services/cri.cil +++ b/internal/pkg/selinux/policy/selinux/services/cri.cil @@ -4,16 +4,30 @@ (type pod_containerd_socket_t) (call system_socket_f (pod_containerd_socket_t)) +; Shim and client sockets (typetransition pod_containerd_t run_t sock_file pod_containerd_socket_t) +; Transition to pod contexts (allow pod_containerd_t pod_p (process2 (nnp_transition nosuid_transition))) (allow pod_containerd_t pod_p (process (transition))) +; Manage procfs & processes +(allow pod_containerd_t pod_p (fs_classes (rw))) +(allow pod_containerd_t pod_p (process_classes (full))) +(allow pod_p pod_containerd_t (fd (use))) +(allow pod_p pod_containerd_t (fifo_file (append getattr ioctl map open read rename setattr watch write))) + +; Shim socket +(allow pod_containerd_t pod_containerd_socket_t (fs_classes (rw))) + +; Common rules for containerd accessing system +(typeattributeset containerd_p pod_containerd_t) + (type pod_t) (call pod_p (pod_t)) ; TODO: What if container is started not from containerd_state_t? (typetransition pod_containerd_t containerd_state_t process pod_t) -(allow pod_t containerd_state_t (file (entrypoint execute_no_trans))) +(allow pod_t containerd_state_t (file (entrypoint execute execute_no_trans))) (type etcd_t) (call pod_p (etcd_t)) 
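Review bot: `(allow pod_p pod_containerd_t (fifo_file (append getattr ioctl map open read rename setattr watch write)))` gives every pod domain `rename` and `setattr` on containerd's FIFOs, which stdio pipes handed to a container do not need; the same list is repeated for `system_container_p` in system-containerd.cil and for `system_p` in machined.cil. If these are the log/stdio pipes, `(allow pod_p pod_containerd_t (fifo_file (append getattr ioctl open read write)))` suffices and keeps a pod from renaming or re-permissioning the shim's pipes; if more is needed, a comment naming the use case would help. Repeating one permission list three times also argues for a `fifo_rw` style classmapping so the three grants stay in sync.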
diff --git a/internal/pkg/selinux/policy/selinux/services/dashboard.cil b/internal/pkg/selinux/policy/selinux/services/dashboard.cil index f0f26860c0..70650ad4f3 100644 --- a/internal/pkg/selinux/policy/selinux/services/dashboard.cil +++ b/internal/pkg/selinux/policy/selinux/services/dashboard.cil @@ -1,2 +1,11 @@ (type dashboard_t) (call service_p (dashboard_t init_exec_t)) + +; TTY +(allow dashboard_t device_t (fs_classes (rw))) +; machine ID and similar +(allow dashboard_t etc_t (fs_classes (ro))) + +; socket +(allow dashboard_t machine_socket_t (fs_classes (rw))) +(allow dashboard_t init_t (unix_stream_socket (connectto))) diff --git a/internal/pkg/selinux/policy/selinux/services/kubelet.cil b/internal/pkg/selinux/policy/selinux/services/kubelet.cil index d451bf6e61..2259e26a61 100644 --- a/internal/pkg/selinux/policy/selinux/services/kubelet.cil +++ b/internal/pkg/selinux/policy/selinux/services/kubelet.cil @@ -13,3 +13,4 @@ (type kubelet_state_t) (call system_f (kubelet_state_t)) +(allow init_t kubelet_state_t (fs_classes (rw))) diff --git a/internal/pkg/selinux/policy/selinux/services/machined.cil b/internal/pkg/selinux/policy/selinux/services/machined.cil index 0a57ecac2a..e84f33bc7e 100644 --- a/internal/pkg/selinux/policy/selinux/services/machined.cil +++ b/internal/pkg/selinux/policy/selinux/services/machined.cil @@ -8,7 +8,6 @@ (type init_t) (roletype system_r init_t) -(typetransition kernel_t init_exec_t process init_t) (allow init_t init_exec_t (file (execute entrypoint))) ; System daemon sockets 
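Review bot: `(allow dashboard_t device_t (fs_classes (rw)))` appears redundant with `(allow any_p common_device_f (fs_classes (rw)))` in processes.cil, given `(typeattributeset common_device_f device_t)` in typeattributes.cil, assuming `dashboard_t` reaches `any_p` through `service_p`. If the line is kept to document the dependency, the `; TTY` comment should say so, e.g. `; TTY (already covered by the any_p common_device_f rule; kept to document the dependency)`; otherwise drop it. The kubelet.cil hunk adds `(allow init_t kubelet_state_t (fs_classes (rw)))`, which machined.cil also adds under `; Configure kubelet` in this same commit — one of the two copies should go.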
@@ -24,12 +23,15 @@ (allow init_t service_p (process (transition))) (allow init_t service_exec_f (file (execute))) +(allow init_t service_exec_f (fs_classes (ro))) -; TODO: allow execute for libraries -; (type lib_exec_t) -; (call system_f (lib_exec_t)) -; (filecon "/usr/lib/libc.so" file (system_u object_r lib_exec_t (systemLow systemLow))) -; (allow service_p lib_exec_t (file (execute))) +; Libraries must also pass the exceutable check to be used +; Allow their use by all host services +(type lib_exec_t) +(call system_f (lib_exec_t)) +(filecon "/usr/lib(/.*)?" any (system_u object_r lib_exec_t (systemLow systemLow))) +(allow service_p lib_exec_t (file (execute))) +(allow service_p lib_exec_t (fs_classes (ro))) ; Should not occur unless misconfigured by machined (type unconfined_service_t) 
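Review bot: The comment introducing `lib_exec_t` misspells its key word; it should read `; Libraries must also pass the executable check to be used`. The block grants `service_p` both `(file (execute))` and `(fs_classes (ro))` on `lib_exec_t`, and since `ro` still carries `execmod`, a one-line comment stating whether text-relocated (modified) library mappings are meant to be allowed would make the purpose of the two rules clear. `(filecon "/usr/lib(/.*)?" any ...)` also overlaps `(filecon "/usr/lib/udev(/.*)?" any udev_exec_t)` in udev.cil; the more specific path wins in file_contexts matching, but a comment saying udev helpers intentionally keep `udev_exec_t` would prevent a future "fix".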
@@ -43,3 +45,66 @@ ; Typically machined executes LVM, cryptsetup and similar utilities ; They are short-running, come from the rootfs and do not accept user input, so can be started in init_t domain (allow init_t sbin_exec_t (file (execute execute_no_trans))) +(allow init_t sbin_exec_t (fs_classes (ro))) + +; Access kernel module parameters +(allow init_t sys_module_t (fs_classes (rw))) + +; Configure kubelet +(allow init_t kubelet_state_t (fs_classes (rw))) + +(allow udev_t device_f (fs_classes (rw))) + +; Access containerd sockets for running containers +(allow init_t sys_containerd_socket_t (sock_file (write))) +(allow init_t sys_containerd_t (unix_stream_socket (connectto))) +(allow init_t pod_containerd_socket_t (sock_file (write))) +(allow init_t pod_containerd_t (unix_stream_socket (connectto))) + +; Allow access to any file for machined, for ls +(allow init_t any_f (fs_classes (rw))) + +; /dev/console +(allow init_t kernel_t (system (syslog_console syslog_mod syslog_read))) +(allow init_t self (capability2 (syslog))) +(allow init_t kernel_t (fd (use))) + +; labeling FS +(allow init_t tmpfs_t (fs_classes (relabelfrom))) +(allow init_t run_t (dir (relabelto))) +(allow init_t system_t (dir (relabelto))) +(allow init_t etc_t (dir (relabelto))) + +(allow init_t system_t (fs_classes (relabelfrom))) +(allow init_t system_var_t (dir (relabelto))) +(allow init_t etcd_pki_t (dir (relabelto))) +(allow init_t kube_apiserver_config_t (dir (relabelto))) +(allow init_t kube_scheduler_config_t (dir (relabelto))) +(allow init_t kube_apiserver_secret_t (dir (relabelto))) +(allow init_t kube_controller_manager_secret_t (dir (relabelto))) +(allow init_t kube_scheduler_secret_t (dir (relabelto))) + +(allow init_t trustd_runtime_socket_t (sock_file (relabelto))) + +(allow init_t run_t (fs_classes (relabelfrom))) +(allow init_t apid_runtime_socket_t (sock_file (relabelto))) + +; rootfs.sqsh +(allow kernel_t rootfs_t (file (read))) + +; initramfs init before switching root +(allow 
initramfs_t device_t (fs_classes (rw))) +(allow initramfs_t rootfs_t (fs_classes (ro))) +(allow initramfs_t self (process_classes (full))) +(allow kernel_t initramfs_t (fd (use))) +; Make machined go into proper context +(allow initramfs_t sbin_exec_t (fs_classes (ro))) ; Find init +(allow initramfs_t init_exec_t (fs_classes (ro))) +(allow initramfs_t init_exec_t (file (execute))) +(typetransition initramfs_t init_exec_t process init_t) +(allow initramfs_t init_t (process_classes (full))) +(allow init_t initramfs_t (fd (use))) + +; Direct child processes +(allow system_p init_t (fd (use))) +(allow system_p init_t (fifo_file (append getattr ioctl map open read rename setattr watch write))) diff --git a/internal/pkg/selinux/policy/selinux/services/selinux.cil b/internal/pkg/selinux/policy/selinux/services/selinux.cil index 43b823538d..6221bacd09 100644 --- a/internal/pkg/selinux/policy/selinux/services/selinux.cil +++ b/internal/pkg/selinux/policy/selinux/services/selinux.cil @@ -1,4 +1,4 @@ -(allow kernel_t security_t (security (setbool setsecparam))) +(allow initramfs_t security_t (security (setbool setsecparam))) (allow init_t security_t (security (setbool setsecparam))) ; Policy is loaded by initramfs init and mustn't be modified ; The only way to set mode to permissive is setting enforcing=0 in kernel cmdline @@ -14,3 +14,4 @@ setcheckreqprot validate_trans ))) +(allow any_p selinuxfs_t (fs_classes (ro))) diff --git a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil index 2b515625f4..86f3107105 100644 --- a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil +++ b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil 
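Review bot: `(allow init_t any_f (fs_classes (rw)))` under `; Allow access to any file for machined, for ls` grants write, create, unlink, setattr and mount-on on every file type to machined, far more than a directory listing needs; `(allow init_t any_f (fs_classes (ro)))` covers `ls` (`getattr`, `read`, and `search` on `dir` are all in `ro`), and the specific `rw` grants added in this hunk already cover the paths machined manages. Separately, `(allow udev_t device_f (fs_classes (rw)))` here is subsumed by `(allow udev_t device_f (fs_classes (rw relabelto)))` in udev.cil and belongs in that file, and `(allow init_t kubelet_state_t (fs_classes (rw)))` is added both here and in kubelet.cil by this commit. The enclosing machined.cil section starts before this hunk.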
@@ -11,17 +11,47 @@ (type sys_containerd_socket_t) (call system_socket_f (sys_containerd_socket_t)) +; Shim sockets +(typetransition sys_containerd_t run_t sock_file sys_containerd_socket_t) +; Client socket (typetransition sys_containerd_t system_t sock_file sys_containerd_socket_t) +; Transition to system container contexts (allow sys_containerd_t system_container_p (process2 (nnp_transition nosuid_transition))) (allow sys_containerd_t system_container_p (process (transition))) +; Manage procfs & processes +(allow sys_containerd_t system_container_p (fs_classes (rw))) +(allow sys_containerd_t system_container_p (process_classes (full))) +(allow system_container_p sys_containerd_t (fd (use))) +(allow system_container_p sys_containerd_t (fifo_file (append getattr ioctl map open read rename setattr watch write))) + +; Shim sockets +(allow sys_containerd_t sys_containerd_socket_t (fs_classes (rw))) + +(typeattribute containerd_p) +(typeattributeset containerd_p sys_containerd_t) + +; Access overlayfs parameters +(allow containerd_p sys_module_t (fs_classes (ro))) + +; manage cgroups & namespaces +(allow containerd_p cgroup_t (fs_classes (rw))) +(allow containerd_p nsfs_t (fs_classes (rw))) + +; mounts +(allow containerd_p filesystem_f (filesystem (unmount remount mount))) + +; mounton for masking +(allow containerd_p any_f (fs_classes (mounton))) + +; Shim sockets +(allow containerd_p self (unix_stream_socket (connectto))) + +; logs +(allow sys_containerd_t system_t (fs_classes (rw))) + ; Typically a system extension ; Possibly a service misconfigured by machined (type unconfined_container_t) (call system_container_p (unconfined_container_t)) - -; Talos installer -(type installer_t) -(call system_container_p (installer_t)) -(allow installer_t system_var_t (file (entrypoint execute_no_trans))) 
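Review bot: `(allow sys_containerd_t system_t (fs_classes (rw)))` under `; logs` gives system containerd write access to everything labelled `system_t`, which elsewhere in this commit is the label `init_t` relabels whole trees away from (`(allow init_t system_t (fs_classes (relabelfrom)))`), so it looks like a broad filesystem label rather than a log directory. If logs live under a fixed path, a dedicated type declared with `(call system_f (...))` plus a `filecon` for that path would confine the grant to the log files; if `system_t` really is only the log tree, a comment saying so settles it. `(allow containerd_p any_f (fs_classes (mounton)))` is likewise worth a comment naming which paths are masked, since `any_f` lets both containerd domains mount over any labelled file on the host.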
diff --git a/internal/pkg/selinux/policy/selinux/services/system-containers.cil b/internal/pkg/selinux/policy/selinux/services/system-containers.cil index c45640aac8..37976a8ef9 100644 --- a/internal/pkg/selinux/policy/selinux/services/system-containers.cil +++ b/internal/pkg/selinux/policy/selinux/services/system-containers.cil @@ -1,3 +1,4 @@ +; apid (type apid_t) (call system_container_p (apid_t)) (allow apid_t init_exec_t (file (entrypoint execute))) @@ -8,7 +9,12 @@ (call system_socket_f (apid_runtime_socket_t)) (allow apid_t apid_socket_t (sock_file (relabelto))) (allow apid_t apid_runtime_socket_t (sock_file (relabelto))) +(allow apid_t apid_runtime_socket_t (fs_classes (rw))) +(allow apid_t machine_socket_t (fs_classes (rw))) +(allow apid_t init_t (unix_stream_socket (connectto))) + +; trustd (type trustd_t) (call system_container_p (trustd_t)) (allow trustd_t init_exec_t (file (entrypoint execute))) @@ -16,4 +22,8 @@ (type trustd_runtime_socket_t) (call system_socket_f (trustd_runtime_socket_t)) (allow trustd_t trustd_runtime_socket_t (sock_file (write))) -(allow trustd_t trustd_runtime_socket_t (sock_file (relabelto))) + +; Talos installer +(type installer_t) +(call system_container_p (installer_t)) +(allow installer_t system_var_t (file (entrypoint execute_no_trans))) diff --git a/internal/pkg/selinux/policy/selinux/services/udev.cil b/internal/pkg/selinux/policy/selinux/services/udev.cil index 883b076ddc..36090344bf 100644 --- a/internal/pkg/selinux/policy/selinux/services/udev.cil +++ b/internal/pkg/selinux/policy/selinux/services/udev.cil 
@@ -11,6 +11,14 @@ (filecon "/usr/lib/udev/rules.d(/.*)?" any (system_u object_r udev_rules_t (systemLow systemLow))) (filecon "/usr/lib/udev(/.*)?" any udev_exec_t) +(type modprobe_exec_t) +(call system_f (modprobe_exec_t)) +(filecon "/sbin/modprobe" file (system_u object_r modprobe_exec_t (systemLow systemLow))) + +(type module_t) +(call system_f (module_t)) +(filecon "/lib/modules(/.*)?" any (system_u object_r module_t (systemLow systemLow))) + (type udev_t) (call service_p (udev_t udev_exec_t)) @@ -33,10 +41,31 @@ ; Typically client pods must not access TPM (type tpm_device_t) (call protected_device_f (tpm_device_t)) +; TODO: label and restrict block devices -(type modprobe_exec_t) -(call system_f (modprobe_exec_t)) -(filecon "/sbin/modprobe" file (system_u object_r modprobe_exec_t (systemLow systemLow))) +; If modprobe is called by machined or kernel do a transition to udev context which has module permissions (allow udev_t modprobe_exec_t (file (execute execute_no_trans))) +(allow udev_t modprobe_exec_t (fs_classes (ro))) (typetransition kernel_t modprobe_exec_t process udev_t) (typetransition init_t modprobe_exec_t process udev_t) + +(allow kernel_t module_t (system (module_load module_request))) +(allow udev_t module_t (fs_classes (ro))) +(allow udev_t module_t (system (module_load module_request))) +(allow udev_t self (capability (sys_module))) +(allow udev_t self (cap_userns (sys_module))) + +; Allow udev to read rules files +(allow udev_t udev_rules_t (fs_classes (ro))) + +; udev rules can set module parameters +(allow udev_t sys_module_t (fs_classes (rw))) + +(allow udev_t device_t (fs_classes (relabelfrom))) +(allow udev_t device_f (fs_classes (rw relabelto))) + +; socket and runtime files +(allow udev_t run_t (fs_classes (rw))) + +; manage properties from rules +(allow udev_t sysfs_t (fs_classes (rw)))
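Review bot: `(typetransition kernel_t modprobe_exec_t process udev_t)` and its new comment depend on rules this hunk does not add: with `execute` removed from `rw` in this commit, `(allow kernel_t any_f (fs_classes (rw)))` no longer lets `kernel_t` execute modprobe, and neither `(allow kernel_t modprobe_exec_t (file (execute)))`, `(allow kernel_t udev_t (process (transition)))` nor `(allow udev_t modprobe_exec_t (file (entrypoint)))` is visible for the `kernel_t` or `init_t` path (the `service_p` entrypoint grant in typeattributes.cil covers `udev_exec_t` only). Unless those live in a file outside this diff, kernel-requested module loading would be denied rather than transitioned. The `; TODO: label and restrict block devices` line also sits directly under the TPM device block; moving it above `(type tpm_device_t)` would keep it from reading as part of the `tpm_device_t` definition.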