
fix various SELinux policy issues #1729

Merged
merged 8 commits into from
Sep 9, 2021

Commits on Sep 2, 2021

  1. selinux-policy: add proc type

    Previously, an unprivileged process trying to write to its own files
    under `/proc/self` could trigger an "associate" denial since `/proc`
    has a filesystem context of `any_t`.
    
    Giving `/proc` its own label lets subject labels be associated
    without also letting them be created on filesystems like `/run` and
    `/tmp`.
    
    Signed-off-by: Ben Cressey <[email protected]>
    bcressey committed Sep 2, 2021
    e029c1d View commit details
  2. selinux-policy: drop external and unlabeled types

    These types were mostly treated like `any_t` and `local_t`, where all
    processes could freely write to the files. The special case was for
    trusted processes, where directories created on an `unlabeled_t` path
    would end up with the `local_t` label.
    
    In combination with some mount options, this caused files on `/local`
    to end up with the right labels, even if the filesystem was created
    on a system without SELinux enabled. This might happen when using a
    custom disk image as the source for the secondary storage volume.
    
    However, a filesystem that's created by a bootstrap container won't
    necessarily be mounted with the right options, and the `unlabeled_t`
    label would continue to propagate. That would prevent the named file
    transitions used to label Docker and containerd directories from
    taking place, which would make them less secure.
    
    We can simplify the policy and avoid this problem by treating unknown
    or unrecognized types as already having the `local_t` label.
    
    Signed-off-by: Ben Cressey <[email protected]>
    bcressey committed Sep 2, 2021
    7534d22 View commit details
  3. release: drop context mount options for /local

    The mount options are no longer needed, now that objects with missing
    or invalid labels are treated as `local_t`.
    
    Signed-off-by: Ben Cressey <[email protected]>
    bcressey committed Sep 2, 2021
    eddc9a4 View commit details
  4. release: restrict writes to /usr/src/kernels

    Loading a kernel module is a privileged operation, so writing to the
    location where build files like `objtool` are stored should also be
    privileged.
    
    Signed-off-by: Ben Cressey <[email protected]>
    bcressey committed Sep 2, 2021
    1533cde View commit details
  5. selinux-policy: add distinct type for container files

    Previously we had two use cases for `local_t`. It was the label used
    for most files and directories on `/local`, and therefore the label
    that most hostPath mounts would have. It was also the label of the
    container root filesystem, and therefore the label that external
    volumes, emptyDir mounts, and other private storage would have.
    
    For MCS isolation, it's useful to have distinct types to assert that
    one type always has a level with categories, and another type never
    does. That way, the constraints can be applied only to the files that
    are meant to be private to a pod or container.
    
    Signed-off-by: Ben Cressey <[email protected]>
    bcressey committed Sep 2, 2021
    d2a2b5d View commit details
  6. selinux-policy: use target's range for new files

    If `defaultrange` is not specified in the policy, the lower part of
    the range from the source process is applied to all new files.
    
    Unprivileged containers will run with a process label that includes
    two category pairs, so the files get the label we expect.
    
    Privileged containers, on the other hand, may run with these labels:
    * `system_u:system_r:control_t:s0-s0:c0.c1023`
    * `system_u:system_r:super_t:s0`
    
    In both cases, the lower range of the process is just `s0`, and files
    would end up with that. This would allow unprivileged containers to
    also modify the files.
    
    We can avoid this by using the target's range instead, since Docker
    and containerd CRI will ensure that volume mounts are labeled with
    the appropriate range.
    
    Signed-off-by: Ben Cressey <[email protected]>
    bcressey committed Sep 2, 2021
    b126b1c View commit details
  7. selinux-policy: set range for privileged containers

    Conceptually, anything with the `control_t` label has access to all
    categories. Setting the range makes this explicit in the output of
    tools like `ps`.
    
    Signed-off-by: Ben Cressey <[email protected]>
    bcressey committed Sep 2, 2021
    bb14322 View commit details
  8. host-ctr: label containers with all categories

    Setting the level gives our host and bootstrap containers the same
    range of categories as all other privileged containers, and means
    that all containers will run with some categories specified.
    
    Signed-off-by: Ben Cressey <[email protected]>
    bcressey committed Sep 2, 2021
    fa78efd View commit details
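The MCS problem described in commits 5 and 6 (a privileged container whose low level is plain `s0` creates files that any categorized container can then write) can be checked with a small model of category ranges. This is an added example, not code from the PR or the Bottlerocket policy: the two privileged labels are the ones quoted in commit 6, while `container_t`, `example_file_t` and the pod category pairs are constructed, and the write rule is the simplified MCS superset check rather than the full policy constraint.

```python
import re

# Constructed contexts. The privileged label is quoted from the commit message;
# the unprivileged type, file type and category pairs are assumptions for this example.
PRIVILEGED = "system_u:system_r:control_t:s0-s0:c0.c1023"
POD_A = "system_u:system_r:container_t:s0:c123,c456"        # hypothetical unprivileged pod
POD_B = "system_u:system_r:container_t:s0:c7,c8"            # a different hypothetical pod
VOLUME_A = "system_u:object_r:example_file_t:s0:c123,c456"  # pod A's volume, labeled by the CRI

def parse_level(level: str) -> frozenset:
    """Parse one MCS level ('s0', 's0:c1,c2', 's0:c0.c1023') into its category set."""
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity in {level!r}")
    out = set()
    for part in cats.split(",") if cats else []:
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category in {level!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        out.update(range(lo, hi + 1))
    return frozenset(out)

def parse_range(rng: str):
    """Split 'low-high' into (low, high) category sets; a lone level is both."""
    low, _, high = rng.partition("-")
    return parse_level(low), parse_level(high or low)

def range_of(context: str) -> str:
    """Return the range field of a 'user:role:type:range' context."""
    return context.split(":", 3)[3]

def new_file_categories(process_ctx: str, target_ctx: str, use_target_range: bool):
    """Categories a new file receives: the creator's low level by default (no
    defaultrange), or the parent directory's level when the target's range is used."""
    src = target_ctx if use_target_range else process_ctx
    return parse_range(range_of(src))[0]

def can_write(process_ctx: str, file_cats) -> bool:
    """Simplified MCS write rule: the process's high level must hold every file category."""
    return file_cats <= parse_range(range_of(process_ctx))[1]

def scenario(use_target_range: bool) -> dict:
    """A privileged container creates a file on pod A's volume; who can write it afterwards?"""
    cats = new_file_categories(PRIVILEGED, VOLUME_A, use_target_range)
    return {"pod_a": can_write(POD_A, cats), "pod_b": can_write(POD_B, cats)}
```

`scenario(False)` models the pre-fix behaviour, where the file lands at `s0` and both pods can write it; `scenario(True)` models the target's-range behaviour, where only the pod whose categories match the volume can.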