-rw-r--r-- | policy/modules/services/container.if | 60 | ||||
-rw-r--r-- | policy/modules/services/kubernetes.te | 5 |
2 files changed, 65 insertions, 0 deletions
diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 165a73d56..18b27f19b 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -1533,6 +1533,26 @@ interface(`container_spec_filetrans_file',`
 
 ########################################
 ## <summary>
+## Allow the specified domain to get
+## the attributes of all container
+## file objects.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_getattr_all_files',`
+ gen_require(`
+ type container_file_t;
+ ')
+
+ allow $1 container_file_t:dir_file_class_set getattr;
+')
+
+########################################
+## <summary>
 ## Allow the specified domain to list
 ## the contents of read-only container
 ## file directories.
@@ -1553,6 +1573,26 @@ interface(`container_list_ro_dirs',`
 
 ########################################
 ## <summary>
+## Allow the specified domain to get
+## the attributes of all read-only
+## container file objects.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_getattr_all_ro_files',`
+ gen_require(`
+ type container_ro_file_t;
+ ')
+
+ allow $1 container_ro_file_t:dir_file_class_set getattr;
+')
+
+########################################
+## <summary>
 ## Allow the specified domain to
 ## manage container config home content.
 ## </summary>
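Review bot: The summary of `container_getattr_all_files` (and likewise `container_getattr_all_ro_files` in the second hunk) says "all container file objects", but the rule only covers objects labeled `container_file_t`; since this same patch adds separate `_ro_files` and `_var_lib_files` interfaces, "all" can only mean every object class in `dir_file_class_set`, whereas refpolicy names with `_all_` usually signal an attribute-wide grant. I would make the summary say exactly what is granted: `## Allow the specified domain to get the attributes of all object classes (dir_file_class_set) labeled container_file_t.` If container.te defines a container file attribute and a caller genuinely needs every container file type, the interface should require that attribute instead of the single type, and be named accordingly. For the record, getattr exposes only metadata (size, mode, owner, timestamps), never content, so the grant itself is low risk even across tenants' volumes.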
@@ -2338,6 +2378,26 @@ interface(`container_unlabeled_var_lib_filetrans',`
 
 ########################################
 ## <summary>
+## Allow the specified domain to get
+## the attributes of all container
+## var lib objects.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_getattr_all_var_lib_files',`
+ gen_require(`
+ type container_var_lib_t;
+ ')
+
+ allow $1 container_var_lib_t:dir_file_class_set getattr;
+')
+
+########################################
+## <summary>
 ## Allow the specified domain to search
 ## container log file directories.
 ## </summary>
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 84e8ce4bf..0f5f67697 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -400,6 +400,11 @@ kubernetes_manage_tmpfs_files(kubelet_t)
 kubernetes_manage_tmpfs_symlinks(kubelet_t)
 fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir file lnk_file })
 
+# for metrics and accounting
+container_getattr_all_files(kubelet_t)
+container_getattr_all_ro_files(kubelet_t)
+container_getattr_all_var_lib_files(kubelet_t)
+
 ifdef(`init_systemd',`
 init_dbus_chat(kubelet_t) |
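Review bot: `container_getattr_all_var_lib_files` grants `getattr` on every class in `dir_file_class_set` for `container_var_lib_t` but nothing on the directories themselves beyond getattr, so a caller that stats objects nested under a `container_var_lib_t` directory for accounting still needs `search` (and `read` to enumerate) from a separate interface; that is the usual refpolicy split, but it is not stated here. I would add a `<desc>` after the summary making the contract explicit, e.g. `## <desc><p>Metadata access only; pair with a search or list interface on container var lib directories to traverse them.</p></desc>`, so that a caller such as the kubelet grant in the following hunk is not surprised by a search denial. The kubernetes.te hunk itself is cut off at the end of this page, so I have not reviewed it.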