commit: cdc026e081113bc262a5183640d4fcde761858ce Author: Kenton Groombridge <concord <AT> gentoo <DOT> org> AuthorDate: Mon May 6 21:19:44 2024 +0000 Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org> CommitDate: Tue May 14 17:41:53 2024 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cdc026e0
container, crio, kubernetes: minor fixes
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/container.te | 1 +
policy/modules/services/crio.te | 1 +
policy/modules/services/kubernetes.te | 3 +++
3 files changed, 5 insertions(+)
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 68aa97ae5..095308a13 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -982,6 +982,7 @@ allow spc_t self:alg_socket create_stream_socket_perms;
 allow spc_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow spc_t self:netlink_generic_socket create_socket_perms;
 allow spc_t self:netlink_netfilter_socket create_socket_perms;
+allow spc_t self:netlink_tcpdiag_socket nlmsg_read;
 allow spc_t self:netlink_xfrm_socket create_netlink_socket_perms;
 allow spc_t self:perf_event { cpu kernel open read };
diff --git a/policy/modules/services/crio.te b/policy/modules/services/crio.te
index 3dd616f7a..91306d80e 100644
--- a/policy/modules/services/crio.te
+++ b/policy/modules/services/crio.te
@@ -84,6 +84,7 @@ init_use_fds(crio_conmon_t)
 container_kill_all_containers(crio_conmon_t)
 container_read_all_container_state(crio_conmon_t)
+container_signal_system_containers(crio_conmon_t)
 # for kubernetes debug pods
 container_use_container_ptys(crio_conmon_t)
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 58292de85..3ba666299 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -393,6 +393,7 @@ container_relabel_all_content(kubelet_t)
 container_manage_log_dirs(kubelet_t)
 container_manage_log_files(kubelet_t)
 container_manage_log_symlinks(kubelet_t)
+container_watch_log_dirs(kubelet_t)
 container_watch_log_files(kubelet_t)
 container_log_filetrans(kubelet_t, { dir file })
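Review bot: `allow spc_t self:netlink_tcpdiag_socket nlmsg_read;` grants only the netlink message permission; unless spc_t already holds the socket-level permissions on this class elsewhere in the file (the neighbouring netlink rules in this hunk carry `create_netlink_socket_perms` or `create_socket_perms`, and no such rule for tcpdiag is visible here), the socket cannot be created and this line alone will not resolve the denial it was presumably written for. If no such rule exists, the conventional form is `allow spc_t self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read };`. The commit message ("minor fixes") records no rationale, so a one-line comment above the rule naming the tool or workload that needs socket diagnostics would let the next maintainer judge whether the permission is still required.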
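Review bot: `container_signal_system_containers(crio_conmon_t)` is added without a comment, although the rule directly below it carries one (`# for kubernetes debug pods`) and the commit message gives no reason. conmon already has `container_kill_all_containers(crio_conmon_t)` two lines above, so the new, narrower interface presumably covers a signal that only system containers receive from conmon; record that trigger in a comment, e.g. `# conmon forwards signals to system containers` with the actual case substituted if known. Choosing the system-container interface rather than a blanket signal-all rule is the right scoping and worth keeping.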
@@ -617,6 +618,8 @@ userdom_use_user_terminals(kubectl_domain)
 # kubectl local policy
 #
+kernel_dontaudit_getattr_proc(kubectl_t)
+
 auth_use_nsswitch(kubectl_t)
 # not required, but convenient for using config commands
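Review bot: `kernel_dontaudit_getattr_proc(kubectl_t)` silences a denial rather than granting anything, and an uncommented dontaudit tends to hide a later genuine need; neither the hunk nor the commit message says what kubectl does that stats /proc. A one-line comment above the rule naming the triggering operation (placeholder: `# kubectl stats /proc during <operation>`) would let a future reviewer decide whether the rule is still wanted or has masked a real requirement. The kubectl local policy section this hunk belongs to continues past the end of the hunk.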