blob: 3dd616f7a96fd84fcb6dc21e993a28897a59ab2c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
policy_module(crio)
########################################
#
# Declarations
#
container_engine_domain_template(crio)
container_system_engine(crio_t)
kubernetes_container_engine(crio_t)
type crio_exec_t;
container_engine_executable_file(crio_exec_t)
init_daemon_domain(crio_t, crio_exec_t)
ifdef(`enable_mls',`
init_ranged_daemon_domain(crio_t, crio_exec_t, s0 - mls_systemhigh)
')
mls_trusted_object(crio_t)
podman_conmon_domain_template(crio, crio_t)
role system_r types crio_conmon_t;
########################################
#
# crio local policy
#
allow crio_t crio_conmon_t:process sigkill;
corecmd_mounton_bin_dirs(crio_t)
dev_dontaudit_getattr_generic_chr_files(crio_t)
files_mounton_kernel_modules_dirs(crio_t)
# mounts on /etc/ca-certificates
files_mounton_etc_dirs(crio_t)
# watch /usr/share/containers/oci/hooks.d
files_watch_usr_dirs(crio_t)
kernel_dgram_send(crio_t)
kernel_read_irq_sysctls(crio_t)
auth_use_nsswitch(crio_t)
iptables_mounton_runtime_files(crio_t)
miscfiles_mounton_generic_cert_dirs(crio_t)
# reads registries in the running user's home
container_read_home_config(crio_t)
container_watch_config_dirs(crio_t)
# Ensure conmon runs in s0 so that it can talk to the container
podman_spec_rangetrans_conmon(crio_t, s0)
kubernetes_search_config(crio_t)
kubernetes_mounton_config_dirs(crio_t)
kubernetes_mounton_config_files(crio_t)
# kubelet creates tmpfs files that CRI-O will
# relabel to container_file_t
kubernetes_list_tmpfs(crio_t)
kubernetes_relabelfrom_tmpfs_dirs(crio_t)
kubernetes_relabelfrom_tmpfs_files(crio_t)
kubernetes_relabelfrom_tmpfs_symlinks(crio_t)
optional_policy(`
fstools_domtrans(crio_t)
')
########################################
#
# crio conmon local policy
#
allow crio_conmon_t self:capability { kill sys_ptrace sys_resource };
files_search_tmp(crio_conmon_t)
fs_list_cgroup_dirs(crio_conmon_t)
init_rw_inherited_stream_socket(crio_conmon_t)
init_use_fds(crio_conmon_t)
container_kill_all_containers(crio_conmon_t)
container_read_all_container_state(crio_conmon_t)
# for kubernetes debug pods
container_use_container_ptys(crio_conmon_t)
# crio logs are tmp files
container_manage_engine_tmp_files(crio_conmon_t)
container_manage_engine_tmp_sock_files(crio_conmon_t)
container_engine_tmp_filetrans(crio_conmon_t, { file sock_file })
container_manage_runtime_files(crio_conmon_t)
container_manage_runtime_lnk_files(crio_conmon_t)
container_manage_runtime_fifo_files(crio_conmon_t)
container_manage_runtime_sock_files(crio_conmon_t)
container_search_var_lib(crio_conmon_t)
container_manage_var_lib_files(crio_conmon_t)
container_manage_var_lib_fifo_files(crio_conmon_t)
container_manage_var_lib_sock_files(crio_conmon_t)
container_manage_log_files(crio_conmon_t)
kubernetes_getpgid_containers(crio_conmon_t)
kubernetes_kubelet_kill(crio_conmon_t)
|
GitWeb