commit:     4afddae14c3488c1b3a960c76f1ce6a906074032
Author:     Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Wed Jul  9 14:30:58 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 08:04:54 2025 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4afddae1

cloudinit: Add container engine admin access.

Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/cloudinit.te      | 20 ++++++++++++++++++++
 policy/modules/services/crio.if        |  2 ++
 policy/modules/services/kubernetes.if  |  6 ------
 policy/modules/services/rootlesskit.if | 21 +++++++++++++++++++++
 4 files changed, 43 insertions(+), 6 deletions(-)

diff --git a/policy/modules/admin/cloudinit.te 
b/policy/modules/admin/cloudinit.te
index ccc1d1a0f..110d5f60b 100644
--- a/policy/modules/admin/cloudinit.te
+++ b/policy/modules/admin/cloudinit.te
@@ -321,6 +321,10 @@ optional_policy(`
        corosync_admin(cloud_init_t, system_r)
 ')
 
+optional_policy(`
+       crio_admin(cloud_init_t, system_r)
+')
+
 optional_policy(`
        couchdb_admin(cloud_init_t, system_r)
 ')
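Review bot: The new `crio_admin` block is out of the file's alphabetical order: it is inserted between `corosync_admin` and `couchdb_admin`, but `crio` sorts after `couchdb`, so the block should move below the couchdb `optional_policy` (the other four insertions in this commit — docker, kubernetes, podman, rootlesskit — are placed in order). Note also that because this same commit adds `crio_run($1, $2)` to `crio_admin`, cloud_init_t gains a domain transition into the cri-o engine domain on top of the ptrace/signal access that interface already grants; that is presumably intended, since the other engine admin calls are expected to grant the equivalent, but it is worth stating in the commit message so the privilege widening is auditable.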
@@ -394,6 +398,10 @@ optional_policy(`
        dnsmasq_admin(cloud_init_t, system_r)
 ')
 
+optional_policy(`
+       docker_admin(cloud_init_t, system_r)
+')
+
 optional_policy(`
        dovecot_admin(cloud_init_t, system_r)
 ')
@@ -553,6 +561,10 @@ optional_policy(`
        ksmtuned_admin(cloud_init_t, system_r)
 ')
 
+optional_policy(`
+       kubernetes_admin(cloud_init_t, system_r)
+')
+
 optional_policy(`
        l2tp_admin(cloud_init_t, system_r)
 ')
@@ -762,6 +774,10 @@ optional_policy(`
        plymouthd_admin(cloud_init_t, system_r)
 ')
 
+optional_policy(`
+       podman_admin(cloud_init_t, system_r)
+')
+
 optional_policy(`
        portage_run(cloud_init_t, system_r)
        portage_run_fetch(cloud_init_t, system_r)
@@ -867,6 +883,10 @@ optional_policy(`
        rngd_admin(cloud_init_t, system_r)
 ')
 
+optional_policy(`
+       rootlesskit_admin(cloud_init_t, system_r)
+')
+
 optional_policy(`
        rpc_admin(cloud_init_t, system_r)
        rpc_domtrans_nfsd(cloud_init_t)

diff --git a/policy/modules/services/crio.if b/policy/modules/services/crio.if
index bdcf6dad7..48e65475d 100644
--- a/policy/modules/services/crio.if
+++ b/policy/modules/services/crio.if
@@ -94,6 +94,8 @@ interface(`crio_admin',`
        allow $1 crio_conmon_t:process { ptrace signal_perms };
        ps_process_pattern($1, crio_conmon_t)
 
+       crio_run($1, $2)
+
        # no private type for crictl, so connect directly
        container_stream_connect_system_engine($1)
 ')
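Review bot: `crio_run($1, $2)` extends `crio_admin` from observe/signal access over the engine to executing it in its own domain under role `$2`, and the interface's XML summary and parameter documentation sit above the hunk, so they should be checked to describe that the admin domain can now run cri-o and that `role` is still documented as the second parameter. The enclosing interface body begins outside the hunk.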

diff --git a/policy/modules/services/kubernetes.if 
b/policy/modules/services/kubernetes.if
index 2af5b64b3..7451fda6f 100644
--- a/policy/modules/services/kubernetes.if
+++ b/policy/modules/services/kubernetes.if
@@ -1042,12 +1042,6 @@ interface(`kubernetes_admin',`
        role $2 types kubectl_t;
        domtrans_pattern($1, kubectl_exec_t, kubectl_t)
 
-       # kubectl executes an editor when editing files
-       # transition back to the user domain when running them
-       corecmd_bin_domtrans(kubectl_t, $1)
-       allow $1 kubectl_t:fd use;
-       allow $1 kubectl_t:fifo_file rw_inherited_fifo_file_perms;
-
        allow $1 kubeadm_t:process { ptrace signal_perms };
        ps_process_pattern($1, kubeadm_t)
 

diff --git a/policy/modules/services/rootlesskit.if 
b/policy/modules/services/rootlesskit.if
index 2be598d70..e42fef622 100644
--- a/policy/modules/services/rootlesskit.if
+++ b/policy/modules/services/rootlesskit.if
@@ -104,3 +104,24 @@ template(`rootlesskit_role',`
        ')
 ')
 
+########################################
+## <summary>
+##     All of the rules required to
+##     administrate a rootlesskit
+##     environment.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rootlesskit_admin',`
+       rootlesskit_run($1, $2)
+')
