feat: add necessary SELinux allow rules

internal/pkg/selinux/policy/file_contexts

@@ -3,7 +3,9 @@
 /sbin(/.*)?	system_u:object_r:sbin_exec_t:s0
 /etc/cni(/.*)?	system_u:object_r:cni_conf_t:s0
 /opt/cni(/.*)?	system_u:object_r:cni_plugin_t:s0
+/usr/lib(/.*)?	system_u:object_r:lib_exec_t:s0
 /usr/sbin(/.*)?	system_u:object_r:sbin_exec_t:s0
+/lib/modules(/.*)?	system_u:object_r:module_t:s0
 /usr/lib/udev(/.*)?	system_u:object_r:udev_exec_t:s0
 /etc/kubernetes(/.*)?	system_u:object_r:k8s_conf_t:s0
 /opt/containerd(/.*)?	system_u:object_r:containerd_plugin_t:s0

internal/pkg/selinux/policy/selinux/common/classmaps.cil

@@ -1,39 +1,31 @@
 ; Access to all file classes
-(classmap fs_classes (full rw ro))
-(classmapping fs_classes full (filesystem (
-    associate
-    getattr
-    mount
-    quotaget
-    quotamod
-    relabelfrom
-    relabelto
-    remount
-    unmount
-    watch
-)))
-(classmapping fs_classes full (file (
-    append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
-)))
-(classmapping fs_classes full (dir (
-    append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
-    add_name remove_name reparent rmdir search
-)))
-(classmapping fs_classes full (lnk_file (
-    append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
-)))
-(classmapping fs_classes full (chr_file (
-    append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
-)))
-(classmapping fs_classes full (blk_file (
-    append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
-)))
-(classmapping fs_classes full (sock_file (
-    append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
-)))
-(classmapping fs_classes full (fifo_file (
-    append create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
-)))
+(classmap fs_classes (relabelfrom relabelto mounton rw ro))
+; relabelfrom
+(classmapping fs_classes relabelfrom (filesystem (relabelfrom)))
+(classmapping fs_classes relabelfrom (file (relabelfrom)))
+(classmapping fs_classes relabelfrom (dir (relabelfrom)))
+(classmapping fs_classes relabelfrom (lnk_file (relabelfrom)))
+(classmapping fs_classes relabelfrom (chr_file (relabelfrom)))
+(classmapping fs_classes relabelfrom (blk_file (relabelfrom)))
+(classmapping fs_classes relabelfrom (sock_file (relabelfrom)))
+(classmapping fs_classes relabelfrom (fifo_file (relabelfrom)))
+; relabelto
+(classmapping fs_classes relabelto (filesystem (relabelto)))
+(classmapping fs_classes relabelto (file (relabelto)))
+(classmapping fs_classes relabelto (dir (relabelto)))
+(classmapping fs_classes relabelto (lnk_file (relabelto)))
+(classmapping fs_classes relabelto (chr_file (relabelto)))
+(classmapping fs_classes relabelto (blk_file (relabelto)))
+(classmapping fs_classes relabelto (sock_file (relabelto)))
+(classmapping fs_classes relabelto (fifo_file (relabelto)))
+; mounton
+(classmapping fs_classes mounton (file (mounton)))
+(classmapping fs_classes mounton (dir (mounton)))
+(classmapping fs_classes mounton (lnk_file (mounton)))
+(classmapping fs_classes mounton (chr_file (mounton)))
+(classmapping fs_classes mounton (blk_file (mounton)))
+(classmapping fs_classes mounton (sock_file (mounton)))
+(classmapping fs_classes mounton (fifo_file (mounton)))
 ; rw is full without SELinux management
 (classmapping fs_classes rw (filesystem (
     associate
@@ -46,26 +38,26 @@
     watch
 )))
 (classmapping fs_classes rw (file (
-    append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+    append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
 )))
 (classmapping fs_classes rw (dir (
-    append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+    append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
     add_name remove_name reparent rmdir search
 )))
 (classmapping fs_classes rw (lnk_file (
-    append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+    append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
 )))
 (classmapping fs_classes rw (chr_file (
-    append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+    append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
 )))
 (classmapping fs_classes rw (blk_file (
-    append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+    append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
 )))
 (classmapping fs_classes rw (sock_file (
-    append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+    append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
 )))
 (classmapping fs_classes rw (fifo_file (
-    append create execmod execute getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
+    append create execmod getattr ioctl link lock map mounton open quotaon read rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write
 )))
 ; ro is rw without write and configure
 (classmapping fs_classes ro (filesystem (
@@ -75,26 +67,26 @@
     watch
 )))
 (classmapping fs_classes ro (file (
-    append create execmod execute getattr ioctl lock map mounton open quotaon read rename unlink watch watch_mount watch_reads watch_sb watch_with_perm
+    execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
 )))
 (classmapping fs_classes ro (dir (
-    execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+    execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
     search
 )))
 (classmapping fs_classes ro (lnk_file (
-    execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+    execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
 )))
 (classmapping fs_classes ro (chr_file (
-    execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+    execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
 )))
 (classmapping fs_classes ro (blk_file (
-    execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+    execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
 )))
 (classmapping fs_classes ro (sock_file (
-    execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+    execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
 )))
 (classmapping fs_classes ro (fifo_file (
-    execmod execute getattr ioctl lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
+    execmod getattr lock map open read watch watch_mount watch_reads watch_sb watch_with_perm
 )))
 
 ; Netlink socket access
@@ -130,3 +122,38 @@
 (classmapping netlink_classes full (netlink_scsitransport_socket (accept append bind connect create getattr getopt ioctl listen lock map name_bind read recvfrom sendto setattr setopt shutdown write)))
 (classmapping netlink_classes full (netlink_rdma_socket (accept append bind connect create getattr getopt ioctl listen lock map name_bind read recvfrom sendto setattr setopt shutdown write)))
 (classmapping netlink_classes full (netlink_crypto_socket (accept append bind connect create getattr getopt ioctl listen lock map name_bind read recvfrom sendto setattr setopt shutdown write)))
+
+; Everything except ptrace
+(classmap process_classes (full))
+(classmapping process_classes full (process (
+    dyntransition
+    execheap
+    execmem
+    execstack
+    fork
+    getattr
+    getcap
+    getpgid
+    getsched
+    getsession
+    getrlimit
+    noatsecure
+    rlimitinh
+    setcap
+    setcurrent
+    setexec
+    setfscreate
+    setkeycreate
+    setpgid
+    setrlimit
+    setsched
+    setsockcreate
+    share
+    sigchld
+    siginh
+    sigkill
+    signal
+    signull
+    sigstop
+    transition
+)))

internal/pkg/selinux/policy/selinux/common/processes.cil

@@ -0,0 +1,121 @@
+; Query procfs about self, plus OOM adj and similar writes (controlled by other access control and caps)
+; Also FIFO/socket writes for own stuff
+(allow any_p self (fs_classes (rw)))
+; Read process info
+(allow any_p procfs_t (fs_classes (ro)))
+; Allow all process actions but ptrace, set* will be guarded by transitions
+(allow any_p self (process_classes (full)))
+
+; Pseudo devices
+(allow any_p null_device_t (fs_classes (rw)))
+
+; All caps, except sys_boot and sys_modules
+(allow any_p self (capability (
+    audit_control
+    audit_write
+    chown
+    dac_override
+    dac_read_search
+    fowner
+    fsetid
+    ipc_lock
+    ipc_owner
+    kill
+    lease
+    linux_immutable
+    mknod
+    net_admin
+    net_bind_service
+    net_broadcast
+    net_raw
+    setfcap
+    setgid
+    setpcap
+    setuid
+    sys_admin
+    sys_chroot
+    sys_nice
+    sys_pacct
+    sys_ptrace
+    sys_rawio
+    sys_resource
+    sys_time
+    sys_tty_config
+)))
+(allow any_p self (cap_userns (
+    audit_control
+    audit_write
+    chown
+    dac_override
+    dac_read_search
+    fowner
+    fsetid
+    ipc_lock
+    ipc_owner
+    kill
+    lease
+    linux_immutable
+    mknod
+    net_admin
+    net_bind_service
+    net_broadcast
+    net_raw
+    setfcap
+    setgid
+    setpcap
+    setuid
+    sys_admin
+    sys_chroot
+    sys_nice
+    sys_pacct
+    sys_ptrace
+    sys_rawio
+    sys_resource
+    sys_time
+    sys_tty_config
+)))
+; All but mac_admin, mac_override and syslog
+(allow any_p self (capability2 (
+    audit_read
+    block_suspend
+    bpf
+    checkpoint_restore
+    perfmon
+    wake_alarm
+)))
+(allow any_p self (cap2_userns (
+    audit_read
+    block_suspend
+    bpf
+    checkpoint_restore
+    perfmon
+    wake_alarm
+)))
+
+; Enable (e)BPF for all processes
+(allow any_p self (bpf (map_create map_read map_write prog_load prog_run)))
+
+; Allow init to manage processes
+(allow init_t service_p (fs_classes (rw)))
+(allow init_t service_p (process_classes (full)))
+
+; kernel cmdline
+(allow system_p proc_cmdline_t (fs_classes (ro)))
+(allow system_container_p proc_cmdline_t (fs_classes (ro)))
+
+; These only run binaries from the squashfs so this shouldn't do harm.
+; TODO: eliminate such common permissions
+(allow system_p any_f (fs_classes (ro)))
+(allow system_container_p any_f (fs_classes (ro)))
+
+; By default, allow any process to access any device except special ones
+(allow any_p common_device_f (fs_classes (rw)))
+; CNI, containerd, many different services read and write sysctl parameters
+(allow any_p proc_sysctl_t (fs_classes (rw)))
+; Unconfined FS and files
+(allow any_p unconfined_f (fs_classes (rw)))
+; Kernel threads can access anything
+(allow kernel_t any_f (fs_classes (rw)))
+
+; Own sockets
+(allow any_p self (unix_stream_socket (connectto)))

internal/pkg/selinux/policy/selinux/common/typeattributes.cil

@@ -36,8 +36,9 @@
     (typeattributeset protected_device_f ARG1)
 )
 
+(typeattributeset common_device_f device_t)
+
 (typeattribute device_f)
-(typeattributeset device_f device_t)
 (typeattributeset device_f common_device_f)
 (typeattributeset device_f protected_device_f)
 
@@ -72,6 +73,7 @@
     (roletype system_r process_label)
     (typeattributeset service_p process_label)
     (typeattributeset service_exec_f executable_label)
+    (allow process_label executable_label (fs_classes (ro)))
     (allow process_label executable_label (file (entrypoint execute execute_no_trans)))
 )
 
@@ -89,6 +91,7 @@
 
 (typeattribute system_p)
 (typeattributeset system_p kernel_t)
+(typeattributeset system_p initramfs_t)
 (typeattributeset system_p init_t)
 (typeattributeset system_p service_p)
 

internal/pkg/selinux/policy/selinux/immutable/fs.cil

@@ -23,7 +23,11 @@
 
 (type sysfs_t)
 (call filesystem_f (sysfs_t))
+(type sys_module_t)
+(call filesystem_f (sys_module_t))
+
 (genfscon sysfs "/" (system_u object_r sysfs_t (systemLow systemLow)))
+(genfscon sysfs "/module" (system_u object_r sys_module_t (systemLow systemLow)))
 
 (type bpf_t)
 (call filesystem_f (bpf_t))
@@ -48,9 +52,15 @@
 (genfscon proc "/" procfs_t)
 (genfscon proc "/sysvipc" procfs_t)
 
+(type proc_cmdline_t)
+(call filesystem_f (proc_cmdline_t))
+(genfscon proc "/cmdline" (system_u object_r proc_cmdline_t (systemLow systemLow)))
+
 (type proc_sysctl_t)
 (call filesystem_f (proc_sysctl_t))
 (genfscon proc "/sys" (system_u object_r proc_sysctl_t (systemLow systemLow)))
+; It matches /sys, yet should not have the same context
+(genfscon proc "/sysrq-trigger" procfs_t)
 
 (type securityfs_t)
 (call filesystem_f (securityfs_t))

internal/pkg/selinux/policy/selinux/immutable/preamble.cil

@@ -8,3 +8,4 @@
 (policycap cgroup_seclabel)
 (policycap nnp_nosuid_transition)
 (policycap ioctl_skip_cloexec)
+(policycap userspace_initial_context)

internal/pkg/selinux/policy/selinux/immutable/sids.cil

@@ -60,8 +60,12 @@
 
 (sid any_socket)
 (sidcontext any_socket (system_u object_r unlabeled_t (systemLow systemLow)))
+
+(type initramfs_t)
+(roletype system_r initramfs_t)
 (sid init)
-(sidcontext init (system_u object_r unlabeled_t (systemLow systemLow)))
+(sidcontext init (system_u object_r initramfs_t (systemLow systemLow)))
+
 (sid file_labels)
 (sidcontext file_labels (system_u object_r unlabeled_t (systemLow systemLow)))
 (sid file)