mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-09-26 16:11:56 +02:00
Code Issues Packages Projects Releases Wiki Activity

overlay user-patches: Update our patch for SELinux refpolicy

Browse Source
This commit is contained in:
Krzesimir Nowak 2024-03-27 10:28:09 +01:00
parent f6598dea74
commit d4297977d8
1 changed files with 29 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/0001-Flatcar-modifications.patch vendored
View File

@ -1,20 +1,20 @@
From 8cd5a793c84ec75233a30517c77c26eb4203b1c7 Mon Sep 17 00:00:00 2001
From f646fccd3b737a79ae0e0d0de049166e531fb48b Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak <knowak@microsoft.com>
Date: Mon, 4 Dec 2023 12:17:25 +0100
Subject: [PATCH] Flatcar modifications
---
policy/modules/admin/netutils.te | 20 ++++
policy/modules/admin/netutils.te | 20 +++
policy/modules/kernel/corenetwork.if.in | 26 ++++
policy/modules/kernel/corenetwork.te.in | 12 +-
policy/modules/kernel/files.if | 45 +++++++
policy/modules/kernel/kernel.te | 73 ++++++++++++
policy/modules/kernel/kernel.te | 84 +++++++++++++
policy/modules/services/container.fc | 6 +
policy/modules/services/container.te | 150 +++++++++++++++++++++++-
policy/modules/services/container.te | 159 +++++++++++++++++++++++-
policy/modules/system/init.te | 8 ++
policy/modules/system/locallogin.te | 9 +-
policy/modules/system/logging.te | 9 ++
10 files changed, 355 insertions(+), 3 deletions(-)
10 files changed, 375 insertions(+), 3 deletions(-)
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 3c43a1d84..429c67220 100644
@ -168,10 +168,10 @@ index e0337d044..ffd6a25bf 100644
+ relabelfrom_chr_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
+')
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index a3dbeeeda..b68686bc1 100644
index a3dbeeeda..69d6bc9f0 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -376,6 +376,79 @@ files_mounton_default(kernel_t)
@@ -376,6 +376,90 @@ files_mounton_default(kernel_t)
mcs_process_set_categories(kernel_t)
@ -239,6 +239,17 @@ index a3dbeeeda..b68686bc1 100644
+#
+# FLATCAR:
+#
+# This one happens in several places, like coreos.selinux.enforce,
+# cl.network.initramfs.second-boot or coreos.ignition.once. Haven't
+# pinpointed the cause yet:
+#
+# avc: denied { checkpoint_restore } for pid=[0-9]* comm="agetty" capability=40 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=0
+#
+allow kernel_t self:capability2 { checkpoint_restore };
+
+#
+# FLATCAR:
+#
+# This one happens a lot in kubeadm.v<VERSION>.<CNI>.cgroupv1.base and
+# kubeadm.v<VERSION>.<CNI>.base for cilium and calico.
+#
@ -269,7 +280,7 @@ index f98e68ba0..045b1b5b2 100644
/run/containers(/.*)? gen_context(system_u:object_r:container_runtime_t,s0)
/run/crun(/.*)? gen_context(system_u:object_r:container_runtime_t,s0)
diff --git a/refpolicy/policy/modules/services/container.te b/refpolicy/policy/modules/services/container.te
index 096d6c23d..ea1c11852 100644
index 096d6c23d..4bbab3c69 100644
--- a/refpolicy/policy/modules/services/container.te
+++ b/refpolicy/policy/modules/services/container.te
@@ -58,6 +58,52 @@ gen_tunable(container_use_dri, false)
@ -334,7 +345,7 @@ index 096d6c23d..ea1c11852 100644
## <desc>
## <p>
@@ -1191,3 +1237,105 @@ optional_policy(`
@@ -1191,3 +1237,114 @@ optional_policy(`
unconfined_domain_noaudit(spc_user_t)
domain_ptrace_all_domains(spc_user_t)
')
@ -440,6 +451,15 @@ index 096d6c23d..ea1c11852 100644
+# avc: denied { map } for pid=[0-9]* comm="uds" path="/opt/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds" dev="vda9" ino=[0-9]* scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
+#
+allow container_t usr_t:file { execute execute_no_trans map };
+
+#
+# FLATCAR:
+#
+# This one happens in kubeadm.v<VERSION>.cilium.base.
+#
+# avc: denied { map_create } for pid=[0-9]* comm="cilium-operator" scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tclass=bpf permissive=0
+#
+allow container_t self:bpf { map_create };
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 8f3772dcb..435f62db6 100644
--- a/refpolicy/policy/modules/system/init.te