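policy_module(rancher, 1.0.0)

# Everything this module needs from the base policy: the types its rules
# reference, and the object classes/permissions those rules name. Each
# entry is a load-time dependency of the module.
#
# NOTE(review): container_runtime_t, unconfined_service_t and
# container_file_t are not referenced by any rule in this file, yet they
# still have to exist in the base for the module to load; confirm whether
# they are needed. rke_opt_t is also declared by this module itself (see
# the rke_container_t section), so requiring it here looks redundant.
#
# The file permission getaddr was dropped from the require list: no rule
# in this file uses it and it does not appear to be a permission of the
# file class (most likely a typo for getattr, which is already listed). A
# required permission the base policy does not define would likely keep
# the module from loading, and an unused one is dead weight either way.
gen_require(`
type container_runtime_t, unconfined_service_t, container_file_t;
type kubernetes_file_t, container_log_t, syslogd_var_run_t;
type var_log_t, container_var_run_t, container_var_lib_t;
type iptables_var_run_t, var_run_t, kernel_t, rke_opt_t;
class dir { open read search watch };
class file { getattr map open read watch relabelfrom relabelto };
class lnk_file { getattr read };
class tcp_socket { accept listen };
class netlink_route_socket { nlmsg_write };
class system { module_request };
class unix_dgram_socket { sendto };
')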
############################################################
# type: rke_kubereader_t                                   #
# target: pushprox container for Rancher monitoring chart  #
############################################################
# Read-only consumer of kubernetes_file_t: the allow rules below grant
# only dir/file/symlink read permissions, no write, create or relabel.
# Defines the rke_kubereader_t domain (the template derives the type
# name from its first argument).
container_domain_template(rke_kubereader, container)
# Standard container sandbox baseline for the new domain.
virt_sandbox_domain(rke_kubereader_t)
# Unrestricted network access (all ports, nodes and interfaces). This is
# broad for a metrics scraper; narrow it if the ports it needs are known.
corenet_unconfined(rke_kubereader_t)
allow rke_kubereader_t kubernetes_file_t:dir { open read search };
allow rke_kubereader_t kubernetes_file_t:file { getattr open read };
allow rke_kubereader_t kubernetes_file_t:lnk_file { getattr read };
############################################################
# type: rke_logreader_t                                    #
# target: fluentbit container for Rancher logging chart    #
############################################################
# Read-only log collector: every rule below is getattr/open/read/search
# or watch on log-related types; nothing is writable from this domain.
container_domain_template(rke_logreader, container)
virt_sandbox_domain(rke_logreader_t)
# Unrestricted network access; needed to ship logs somewhere, but broader
# than a fixed set of output ports would be.
corenet_unconfined(rke_logreader_t)
# Container log files (container_log_t): list, read and follow symlinks.
allow rke_logreader_t container_log_t:dir { open read search };
allow rke_logreader_t container_log_t:lnk_file { getattr read };
allow rke_logreader_t container_log_t:file { getattr open read };
# container_var_lib_t: only search (to traverse) plus file/symlink read;
# directory contents cannot be listed.
allow rke_logreader_t container_var_lib_t:dir search;
allow rke_logreader_t container_var_lib_t:file { getattr open read };
allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
# Host syslog run dir and /var/log: list and watch for new entries, then
# read the files. NOTE(review): no dir search permission on
# syslogd_var_run_t or var_log_t is granted here; presumably it comes from
# the template/sandbox interfaces above - confirm with a denial-free run.
allow rke_logreader_t syslogd_var_run_t:dir { read watch };
allow rke_logreader_t syslogd_var_run_t:file { getattr open read };
allow rke_logreader_t var_log_t:dir { read watch };
allow rke_logreader_t var_log_t:file { getattr open read };
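############################################################################
# type: rke_container_t                                                    #
# target: RKE1 services                                                    #
############################################################################
# File type for RKE-specific data on the host (presumably /opt/rke; the
# matching .fc file decides which paths carry this label). files_type
# makes it an ordinary file type.
type rke_opt_t;
files_type(rke_opt_t)
# The domain for RKE1 service containers.
container_domain_template(rke_container, container)
virt_sandbox_domain(rke_container_t)
# Unrestricted network access.
corenet_unconfined(rke_container_t)
# Full create/read/write/delete/rename on dirs and files of each type.
# A second, identical container_var_lib_t manage_dirs/manage_files pair
# (it sat between the rke_opt_t and container_var_run_t rules) was
# removed; duplicate allow rules are merged by the compiler, so the
# resulting policy is unchanged.
manage_dirs_pattern(rke_container_t, container_var_lib_t, container_var_lib_t)
manage_files_pattern(rke_container_t, container_var_lib_t, container_var_lib_t)
manage_dirs_pattern(rke_container_t, container_log_t, container_log_t)
manage_files_pattern(rke_container_t, container_log_t, container_log_t)
manage_dirs_pattern(rke_container_t, kubernetes_file_t, kubernetes_file_t)
manage_files_pattern(rke_container_t, kubernetes_file_t, kubernetes_file_t)
manage_dirs_pattern(rke_container_t, rke_opt_t, rke_opt_t)
manage_files_pattern(rke_container_t, rke_opt_t, rke_opt_t)
manage_dirs_pattern(rke_container_t, container_var_run_t, container_var_run_t)
manage_files_pattern(rke_container_t, container_var_run_t, container_var_run_t)
# Server-side TCP: listen and accept connections.
allow rke_container_t self:tcp_socket { accept listen };
# map (mmap) permission on files of these two types.
allow rke_container_t container_var_lib_t:file map;
allow rke_container_t rke_opt_t:file map;
# Relabelling: relabelfrom/relabelto are granted only for these two types,
# so objects can be moved between the container_var_lib_t and rke_opt_t
# labels but not relabelled to any other type.
allow rke_container_t container_var_lib_t:dir { relabelfrom relabelto };
allow rke_container_t container_var_lib_t:file { relabelfrom relabelto };
allow rke_container_t rke_opt_t:dir { relabelfrom relabelto };
allow rke_container_t rke_opt_t:file { relabelfrom relabelto };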
############################################################################
# type: rke_network_t                                                      #
# target: flannel container for RKE1                                       #
############################################################################
container_domain_template(rke_network, container)
virt_sandbox_domain(rke_network_t)
corenet_unconfined(rke_network_t)
# Full manage rights on iptables run/lock files and on generic var_run_t.
# var_run_t is a broad type covering much of /run; a dedicated type for
# what flannel writes there would scope this better.
manage_dirs_pattern(rke_network_t, iptables_var_run_t, iptables_var_run_t)
manage_files_pattern(rke_network_t, iptables_var_run_t, iptables_var_run_t)
manage_dirs_pattern(rke_network_t, var_run_t, var_run_t)
manage_files_pattern(rke_network_t, var_run_t, var_run_t)
# Lets the domain trigger kernel module autoloading, presumably for
# netfilter/tunnel modules it needs. A broad privilege; keep under review.
allow rke_network_t kernel_t:system module_request;
# Datagram sends to kernel_t-owned unix sockets.
allow rke_network_t kernel_t:unix_dgram_socket sendto;
# Configuration-changing rtnetlink messages (routes, links, addresses).
allow rke_network_t self:netlink_route_socket nlmsg_write;
############################################################################
# type: prom_node_exporter_t                                               #
# target: prometheus-node-exporter container for Rancher monitoring chart  #
############################################################################
container_domain_template(prom_node_exporter, container)
virt_sandbox_domain(prom_node_exporter_t)
# Unlike the rke_* domains above there is no corenet_unconfined here: the
# exporter may only bind on generic node addresses and generic
# (unreserved) ports.
corenet_tcp_bind_generic_node(prom_node_exporter_t)
corenet_tcp_bind_generic_port(prom_node_exporter_t)
# Read access to init state and SELinux security files - presumably for
# the collectors that report on systemd and SELinux; confirm which ones.
init_read_state(prom_node_exporter_t)
selinux_read_security_files(prom_node_exporter_t)
allow prom_node_exporter_t self:tcp_socket listen;
############################################################################
# type: rancher_aiagent_container_t                                        #
# project: rancher/rancher-ai-agent                                        #
# target: rancher-ai-agent container for Rancher AI                        #
############################################################################
# NOTE(review): this domain does not call virt_sandbox_domain, unlike the
# rke_* and prom_node_exporter domains in this file; confirm that the
# narrower baseline is intentional rather than an omission.
container_domain_template(rancher_aiagent_container, container)
corenet_tcp_bind_generic_node(rancher_aiagent_container_t)
# Binds a port labelled soundd_port_t - presumably because the agent
# listens on 8000, which carries that label in the reference policy. A
# dedicated port type would state the intent better than reusing soundd.
corenet_tcp_bind_soundd_port(rancher_aiagent_container_t)
# Outbound TCP granted here is limited to http_port_t (80/443 and the
# other ports in that set).
corenet_tcp_connect_http_port(rancher_aiagent_container_t)
allow rancher_aiagent_container_t self:tcp_socket listen;
############################################################################
# type: rancher_aimcp_container_t                                          #
# project: rancher/rancher-ai-mcp                                          #
# target: rancher-mcp-server container for Rancher AI                      #
############################################################################
# NOTE(review): like rancher_aiagent_container_t, this domain skips
# virt_sandbox_domain; confirm that is deliberate.
container_domain_template(rancher_aimcp_container, container)
# Bind on generic node addresses and generic (unreserved) ports only.
corenet_tcp_bind_generic_node(rancher_aimcp_container_t)
corenet_tcp_bind_generic_port(rancher_aimcp_container_t)
# Outbound TCP granted here is limited to http_port_t.
corenet_tcp_connect_http_port(rancher_aimcp_container_t)
allow rancher_aimcp_container_t self:tcp_socket listen;