From 5c5b78cb8d63e22262f52ba24141c6f83454145a Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Wed, 11 Aug 2021 16:24:54 +0200
Subject: [PATCH 1/3] sec-policy/selinux-virt: fix flannel CNI creation
flannel uses an init container to pull CNI from container to the host system in `/etc/cni`. With SELinux, the permission is denied because `/etc/cni` is labelled with `etc_t` so it can't be access by Docker since it expects `svirt_lxc_file_t`. Using `filetrans_pattern` we can define a mechanism to create `/etc/cni` with the correct labels even if it's not yet created - which avoid to run `restorecon` on `/etc/cni`.
Signed-off-by: Mathieu Tortuyaux
---
 .../coreos-overlay/sec-policy/selinux-virt/files/virt.patch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch
index 1fd778db48..faad21146c 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch
@@ -36,4 +36,4 @@ index 256ea58..f72fbba 100644
 +allow svirt_lxc_net_t var_lib_t:file { entrypoint execute execute_no_trans };
 +allow svirt_lxc_net_t kernel_t:fifo_file { getattr ioctl read write open append };
 +allow svirt_lxc_net_t initrc_t:fifo_file { getattr ioctl read write open append };
-+
++filetrans_pattern(kernel_t, etc_t, svirt_lxc_file_t, dir, "cni");
From 0cde0215954b64a1fa7671f33c38189846f50703 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Wed, 11 Aug 2021 17:50:29 +0200
Subject: [PATCH 2/3] sec-policy/selinux-virt: allow flanneld to load module
Signed-off-by: Mathieu Tortuyaux
---
 .../sec-policy/selinux-virt/files/virt.patch | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
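Review bot: The new `filetrans_pattern(kernel_t, etc_t, svirt_lxc_file_t, dir, "cni")` line labels `/etc/cni` only at the moment kernel_t creates it; this series adds no file_contexts entry, so a later relabel (`restorecon -R /etc`, `fixfiles`, autorelabel) will presumably reset it to `etc_t` and the denial returns, which means the "avoids restorecon" claim in the description holds only until the next relabel. Pair the transition with an fc entry such as `/etc/cni(/.*)?	gen_context(system_u:object_r:svirt_lxc_file_t,s0)` in the overlay's file contexts so `restorecon` converges to the intended label instead of fighting it. Note also that the transition fires for a `cni` directory created by kernel_t under any `etc_t`-typed directory, not only `/etc`, and that `svirt_lxc_file_t` is the shared container-content type, so the resulting directory is writable by any `svirt_lxc_net_t` container it is mounted into, not just flannel's init container; a comment on the line should state that, e.g. `# /etc/cni is created by the docker daemon (kernel_t) for flannel's CNI init container; svirt_lxc_file_t makes it writable by any container it is mounted into`. If the refpolicy version in use provides it, `files_etc_filetrans(kernel_t, svirt_lxc_file_t, dir, "cni")` expresses the same rule without naming `etc_t` directly.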
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch
index faad21146c..314518721f 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch
@@ -1,7 +1,7 @@
-index 256ea58..f72fbba 100644
+index 4943ad79d..c89bb5c0c 100644
 --- services/virt.te
 +++ services/virt.te
-@@ -1378,3 +1378,35 @@ sysnet_dns_name_resolve(virtlogd_t)
+@@ -1377,3 +1377,38 @@ sysnet_dns_name_resolve(virtlogd_t)
 virt_manage_log(virtlogd_t)
 virt_read_config(virtlogd_t)
@@ -37,3 +37,6 @@ index 256ea58..f72fbba 100644
 +allow svirt_lxc_net_t kernel_t:fifo_file { getattr ioctl read write open append };
 +allow svirt_lxc_net_t initrc_t:fifo_file { getattr ioctl read write open append };
 +filetrans_pattern(kernel_t, etc_t, svirt_lxc_file_t, dir, "cni");
++
++# this is required by flanneld
++allow svirt_lxc_net_t kernel_t:system { module_request };
From 8e0014e8149b0ba9429baf9dd45eeaaeb92cc4a2 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Wed, 11 Aug 2021 17:53:58 +0200
Subject: [PATCH 3/3] sec-policy/selinux-virt: allow flannel to write into /run
flannel will write into /run/flannel/... so we need to provide correct labelling for dir created by docker daemon
Signed-off-by: Mathieu Tortuyaux
---
 .../sec-policy/selinux-virt/files/virt.patch | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch
index 314518721f..74b5062ef8 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch
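Review bot: `allow svirt_lxc_net_t kernel_t:system { module_request };` is granted to the whole `svirt_lxc_net_t` domain, i.e. every container confined by it and not only flanneld, and module_request lets a container trigger kernel module autoloading by alias (for instance by opening a socket of a not-yet-loaded protocol family), which widens the kernel attack surface reachable from any container on the host. The comment `# this is required by flanneld` should name the module flanneld actually needs so the grant can be revisited, e.g. `# flanneld triggers kernel module autoload (module name: TODO, take it from the audit log)`. A narrower option is to preload that module on the host (modules-load.d) and replace the allow with `kernel_dontaudit_request_load_module(svirt_lxc_net_t)`; if the allow has to stay, `kernel_request_load_module(svirt_lxc_net_t)` is the refpolicy interface for the same rule, assuming the refpolicy version in use provides these interfaces.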
@@ -1,7 +1,7 @@
-index 4943ad79d..c89bb5c0c 100644
+index 4943ad79d..8b0ed779e 100644
 --- services/virt.te
 +++ services/virt.te
-@@ -1377,3 +1377,38 @@ sysnet_dns_name_resolve(virtlogd_t)
+@@ -1377,3 +1377,41 @@ sysnet_dns_name_resolve(virtlogd_t)
 virt_manage_log(virtlogd_t)
 virt_read_config(virtlogd_t)
@@ -40,3 +40,6 @@ index 4943ad79d..c89bb5c0c 100644
 +
 +# this is required by flanneld
 +allow svirt_lxc_net_t kernel_t:system { module_request };
++
++# required by flanneld to write into /run/flannel/subnet.env
++filetrans_pattern(kernel_t, var_run_t, svirt_lxc_file_t, dir, "flannel");
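Review bot: `filetrans_pattern(kernel_t, var_run_t, svirt_lxc_file_t, dir, "flannel")` labels only the directory; the `subnet.env` named in the comment is covered only because files created inside by the container inherit `svirt_lxc_file_t` from the directory, while any file the docker daemon (kernel_t) itself creates there would still need a separate `file` transition, so the comment should spell that out, e.g. `# docker (kernel_t) creates /run/flannel; flanneld's container writes subnet.env inside it and inherits the dir's type`. As with the `/etc/cni` rule, the match is name-based across every `var_run_t` directory and `svirt_lxc_file_t` is the shared container type, so whatever on the host consumes `/run/flannel/subnet.env` is reading a file that any `svirt_lxc_net_t` container with the directory mounted can rewrite; that trust boundary deserves a sentence next to the rule. A creation-time transition fits `/run` since it is recreated at boot, but a file-contexts entry for `/run/flannel(/.*)?` would still keep `restorecon` from relabelling it back to `var_run_t`, and if the refpolicy in use provides it, `files_pid_filetrans(kernel_t, svirt_lxc_file_t, dir, "flannel")` is the interface form of this rule.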