rancher-selinux/policy/fedora42/rancher.te at 82b46446c9aa6d33b7789cc7489c09977f442df0 · rancher/rancher-selinux · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
policy_module(rancher, 1.0.0)

gen_require(`
    type container_runtime_t, unconfined_service_t, container_file_t;
    type kubernetes_file_t, container_log_t, syslogd_var_run_t, var_log_t;
    type container_var_run_t, iptables_var_run_t, var_run_t, kernel_t;
    class dir { open read search watch };
    class file { getaddr open read watch };
    class lnk_file { getattr read };
    class tcp_socket { listen };
')

############################################################
# type: rke_kubereader_t                                   #
# target: pushprox container for Rancher monitoring chart  #
############################################################

container_domain_template(rke_kubereader, container)
virt_sandbox_domain(rke_kubereader_t)
corenet_unconfined(rke_kubereader_t)
allow rke_kubereader_t kubernetes_file_t:dir { open read search };
allow rke_kubereader_t kubernetes_file_t:file { getattr open read };
allow rke_kubereader_t kubernetes_file_t:lnk_file { getattr read };

############################################################
# type: rke_logreader_t                                    #
# target: fluentbit container for Rancher logging chart    #
############################################################

container_domain_template(rke_logreader, container)
virt_sandbox_domain(rke_logreader_t)
corenet_unconfined(rke_logreader_t)
allow rke_logreader_t container_log_t:dir { open read search };
allow rke_logreader_t container_log_t:lnk_file { getattr read };
allow rke_logreader_t container_log_t:file { getattr open read watch };
allow rke_logreader_t container_var_lib_t:dir search;
allow rke_logreader_t container_var_lib_t:file { getattr open read };
allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
allow rke_logreader_t syslogd_var_run_t:dir { read watch };
allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
allow rke_logreader_t var_log_t:dir { read watch };
allow rke_logreader_t var_log_t:file { getattr map open read };
allow rke_logreader_t self:tcp_socket listen;

############################################################################
# type: rke_container_t                                                    #
# target: RKE1 services                                                    #
############################################################################

type rke_opt_t;
files_type(rke_opt_t)
container_domain_template(rke_container, container)
virt_sandbox_domain(rke_container_t)
corenet_unconfined(rke_container_t)
manage_dirs_pattern(rke_container_t, container_var_lib_t, container_var_lib_t)
manage_files_pattern(rke_container_t, container_var_lib_t, container_var_lib_t)
manage_dirs_pattern(rke_container_t, container_log_t, container_log_t)
manage_files_pattern(rke_container_t, container_log_t, container_log_t)
manage_dirs_pattern(rke_container_t, kubernetes_file_t, kubernetes_file_t)
manage_files_pattern(rke_container_t, kubernetes_file_t, kubernetes_file_t)
manage_dirs_pattern(rke_container_t, rke_opt_t, rke_opt_t)
manage_files_pattern(rke_container_t, rke_opt_t, rke_opt_t)
manage_dirs_pattern(rke_container_t, container_var_lib_t, container_var_lib_t)
manage_files_pattern(rke_container_t, container_var_lib_t, container_var_lib_t)
manage_dirs_pattern(rke_container_t, container_var_run_t, container_var_run_t)
manage_files_pattern(rke_container_t, container_var_run_t, container_var_run_t)
allow rke_container_t self:tcp_socket { accept listen };
allow rke_container_t container_var_lib_t:file map;
allow rke_container_t rke_opt_t:file map;
allow rke_container_t container_var_lib_t:dir { relabelfrom relabelto };
allow rke_container_t container_var_lib_t:file { relabelfrom relabelto };
allow rke_container_t rke_opt_t:dir { relabelfrom relabelto };
allow rke_container_t rke_opt_t:file { relabelfrom relabelto };

############################################################################
# type: rke_network_t                                                      #
# target: flannel container for RKE1                                       #
############################################################################

container_domain_template(rke_network, container)
virt_sandbox_domain(rke_network_t)
corenet_unconfined(rke_network_t)
manage_dirs_pattern(rke_network_t, iptables_var_run_t, iptables_var_run_t)
manage_files_pattern(rke_network_t, iptables_var_run_t, iptables_var_run_t)
manage_dirs_pattern(rke_network_t, var_run_t, var_run_t)
manage_files_pattern(rke_network_t, var_run_t, var_run_t)
allow rke_network_t kernel_t:system module_request;
allow rke_network_t kernel_t:unix_dgram_socket sendto;
allow rke_network_t self:netlink_route_socket nlmsg_write;

############################################################################
# type prom_node_exporter_t                                                #
# target: prometheus-node-exporter container for Rancher monitoring chart  #
############################################################################

container_domain_template(prom_node_exporter, container)
virt_sandbox_domain(prom_node_exporter_t)
corenet_tcp_bind_generic_node(prom_node_exporter_t)
corenet_tcp_bind_generic_port(prom_node_exporter_t)
init_read_state(prom_node_exporter_t)
selinux_read_security_files(prom_node_exporter_t)
allow prom_node_exporter_t self:tcp_socket listen;

############################################################################
# type: rancher_aiagent_container_t                                        #
# project: rancher/rancher-ai-agent                                        #
# target: rancher-ai-agent container for Rancher AI                        #
############################################################################

container_domain_template(rancher_aiagent_container, container)
corenet_tcp_bind_generic_node(rancher_aiagent_container_t)
corenet_tcp_bind_soundd_port(rancher_aiagent_container_t)
corenet_tcp_connect_http_port(rancher_aiagent_container_t)
allow rancher_aiagent_container_t self:tcp_socket listen;

############################################################################
# type: rancher_aimcp_container_t				                           #
# project: rancher/rancher-ai-mcp                                          #
# target: rancher-mcp-server container for Rancher AI                      #
############################################################################

container_domain_template(rancher_aimcp_container, container)
corenet_tcp_bind_generic_node(rancher_aimcp_container_t)
corenet_tcp_bind_generic_port(rancher_aimcp_container_t)
corenet_tcp_connect_http_port(rancher_aimcp_container_t)
allow rancher_aimcp_container_t self:tcp_socket listen;