fix various SELinux policy issues #1729
Commits on Sep 2, 2021
Previously, an unprivileged process trying to write to its own files under `/proc/self` could trigger an "associate" denial since `/proc` has a filesystem context of `any_t`. Giving `/proc` its own label lets subject labels be associated without also letting them be created on filesystems like `/run` and `/tmp`. Signed-off-by: Ben Cressey <[email protected]>
Commit e029c1d
selinux-policy: drop external and unlabeled types
These types were mostly treated like `any_t` and `local_t`, where all processes could freely write to the files. The special case was for trusted processes, where directories created on an `unlabeled_t` path would end up with the `local_t` label. In combination with some mount options, this caused files on `/local` to end up with the right labels, even if the filesystem was created on a system without SELinux enabled. This might happen when using a custom disk image as the source for the secondary storage volume. However, a filesystem that's created by a bootstrap container won't necessarily be mounted with the right options, and the `unlabeled_t` label would continue to propagate. That would prevent the named file transitions used to label Docker and containerd directories from taking place, which would make them less secure. We can simplify the policy and avoid this problem by treating unknown or unrecognized types as already having the `local_t` label. Signed-off-by: Ben Cressey <[email protected]>
Commit 7534d22
release: drop context mount options for /local
The mount options are no longer needed, now that objects with missing or invalid labels are treated as `local_t`. Signed-off-by: Ben Cressey <[email protected]>
Commit eddc9a4
release: restrict writes to /usr/src/kernels
Loading a kernel module is a privileged operation, so writing to the location where build files like `objtool` are stored should also be privileged. Signed-off-by: Ben Cressey <[email protected]>
Commit 1533cde
selinux-policy: add distinct type for container files
Previously we had two use cases for `local_t`. It was the label used for most files and directories on `/local`, and therefore the label that most hostPath mounts would have. It was also the label of the container root filesystem, and therefore the label that external volumes, emptyDir mounts, and other private storage would have. For MCS isolation, it's useful to have distinct types to assert that one type always has a level with categories, and another type never does. That way, the constraints can be applied only to the files that are meant to be private to a pod or container. Signed-off-by: Ben Cressey <[email protected]>
Commit d2a2b5d
selinux-policy: use target's range for new files
If `defaultrange` is not specified in the policy, the lower part of the range from the source process is applied to all new files. Unprivileged containers will run with a process label that includes two category pairs, so the files get the label we expect. Privileged containers, on the other hand, may run with these labels:

* `system_u:system_r:control_t:s0-s0:c0.c1023`
* `system_u:system_r:super_t:s0`

In both cases, the lower range of the process is just `s0`, and files would end up with that. This would allow unprivileged containers to also modify the files. We can avoid this by using the target's range instead, since Docker and containerd CRI will ensure that volume mounts are labeled with the appropriate range. Signed-off-by: Ben Cressey <[email protected]>
Commit b126b1c
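The commit above argues that a privileged `control_t` process creating files at its low level (`s0`) leaves them writable by any unprivileged container, while deriving the level from the target directory keeps them private to the owning pod. The following added example (not code from this pull request or from the Bottlerocket project) models that with a small MCS label parser and a dominance check; it assumes the refpolicy-style rule that a write needs the subject's high level to dominate the file's level, and the `container_t` and `volume_t` type names plus the `c123,c456` / `c789,c1011` category pairs are constructed placeholders.

```python
import re
from typing import Dict, Set, Tuple

Level = Tuple[int, Set[int]]  # (sensitivity number, category set)

def parse_categories(spec: str) -> Set[int]:
    """Expand "c0.c1023" (a range) and "c12,c34" (a list) into a set of categories."""
    cats: Set[int] = set()
    for part in filter(None, spec.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        cats.update(range(lo, hi + 1))
    return cats

def parse_level(level: str) -> Level:
    """Parse "s0" or "s0:c1,c2" into (sensitivity, categories)."""
    sens, _, cats = level.partition(":")
    return int(sens.lstrip("s")), parse_categories(cats)

def parse_context(ctx: str) -> Dict[str, object]:
    """Split user:role:type:low[-high]; the range contains ':' itself, so split 3 times."""
    user, role, typ, rng = ctx.split(":", 3)
    low_s, _, high_s = rng.partition("-")
    low = parse_level(low_s)
    high = parse_level(high_s) if high_s else low
    return {"user": user, "role": role, "type": typ, "low": low, "high": high}

def dominates(a: Level, b: Level) -> bool:
    """MLS dominance: a's sensitivity >= b's and a's categories include all of b's."""
    return a[0] >= b[0] and b[1] <= a[1]

def new_file_level(source: dict, target_dir: dict, use_target_range: bool) -> Level:
    """Level of a file `source` creates in `target_dir`: without defaultrange it is the
    source process's low level; with the target's range it is the directory's level."""
    return target_dir["high"] if use_target_range else source["low"]

def can_write(subject: dict, file_level: Level) -> bool:
    """Assumed MCS write rule: the subject's high level must dominate the file level."""
    return dominates(subject["high"], file_level)

# Constructed sample labels; control_t's range is the one quoted in the commit message.
PRIVILEGED = parse_context("system_u:system_r:control_t:s0-s0:c0.c1023")
POD_A_DIR = parse_context("system_u:object_r:volume_t:s0:c123,c456")  # pod A's volume
POD_A = parse_context("system_u:system_r:container_t:s0:c123,c456")
POD_B = parse_context("system_u:system_r:container_t:s0:c789,c1011")   # a different pod

def leak_demo(use_target_range: bool) -> Dict[str, bool]:
    """Which pods can write a file that control_t created inside pod A's volume?"""
    lvl = new_file_level(PRIVILEGED, POD_A_DIR, use_target_range)
    return {"pod_a": can_write(POD_A, lvl), "pod_b": can_write(POD_B, lvl)}
```

With the source's low level pod B can write the file; with the target's range only pod A can, which is the property the policy change is after.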
selinux-policy: set range for privileged containers
Conceptually, anything with the `control_t` label has access to all categories. Setting the range makes this explicit in the output of tools like `ps`. Signed-off-by: Ben Cressey <[email protected]>
Commit bb14322
host-ctr: label containers with all categories
Setting the level gives our host and bootstrap containers the same range of categories as all other privileged containers, and means that all containers will run with some categories specified. Signed-off-by: Ben Cressey <[email protected]>
Commit fa78efd