
I dunno, some stuff to make it kinda start doing some other stuff
eparis committed Sep 30, 2014
1 parent f178ada commit 6849da3
Showing 3 changed files with 41 additions and 23 deletions.
3 changes: 1 addition & 2 deletions etcd.te
Expand Up @@ -34,8 +34,7 @@ kernel_read_net_sysctls(etcd_t)

corenet_tcp_bind_generic_node(etcd_t)

#corenet_tcp_bind_kubernetes_port(etcd_t)
corenet_tcp_bind_afs3_callback_port(etcd_t)
corenet_tcp_bind_kubernetes_port(etcd_t) # should be etcd_port, not kube

fs_getattr_xattr_fs(etcd_t)

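Review bot: `corenet_tcp_bind_kubernetes_port(etcd_t)` gives etcd the same port type that the whole kubernetes_domain attribute can already bind (`corenet_tcp_bind_kubernetes_port(kubernetes_domain)` in kubernetes.te), so the port-level separation between etcd and the kube daemons is gone in both directions, and the trailing comment only acknowledges it. Until a dedicated etcd port type exists, make the comment state what is being traded away so it is not read as a naming nit, e.g. `# TODO: bind a dedicated etcd port type; kubernetes_port_t is also bindable by every kubernetes_domain`. The removed `corenet_tcp_bind_afs3_callback_port(etcd_t)` presumably covered tcp/7001 before the spec remaps that port; worth saying so in the comment so the .te and the spec stay in step.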
28 changes: 22 additions & 6 deletions kubernetes-selinux.spec
Expand Up @@ -4,19 +4,29 @@
%define interface_dir %{_datadir}/selinux/devel/include/contrib
%define policy_dir %{_datadir}/selinux/packages

# We do this in post install and post uninstall phases
%define relabel_files() \
restorecon -R /usr/bin/kube-apiserver; \
restorecon -R /usr/bin/kubelet; \
%define relabel_kube_files() \
restorecon -R /usr/bin/kube-apiserver; \
restorecon -R /usr/bin/kube-controller-manager; \
restorecon -R /usr/bin/kube-scheduler; \
restorecon -R /usr/bin/kubelet; \
restorecon -R /usr/bin/kube-proxy; \
restorecon -R /usr/lib/systemd/system/kube-apiserver.service; \
restorecon -R /usr/lib/systemd/system/kube-proxy.service; \
restorecon -R /usr/lib/systemd/system/kubelet.service; \
restorecon -R /usr/lib/systemd/system/kube-controller-manager.service; \
restorecon -R /usr/lib/systemd/system/kube-scheduler.service; \
restorecon -R /usr/lib/systemd/system/kubelet.service; \
restorecon -R /usr/lib/systemd/system/kube-proxy.service; \
restorecon -R /var/lib/kubelet; \

%define relabel_etcd_files() \
restorecon -R /usr/bin/etcd; \
restorecon -R /usr/lib/systemd/system/etcd.service; \
restorecon -R /var/lib/etcd;

# We do this in post install and post uninstall phases
%define relabel_files() \
%relabel_kube_files \
%relabel_etcd_files

# Version of SELinux we were using
%define selinux_policyver 3.13.1-72.fc21

Expand Down Expand Up @@ -78,11 +88,17 @@ for modulename in %{modulenames}; do
%{_sbindir}/semodule -n -s %{selinuxtype} -i %{policy_dir}/${modulename}.pp
done

semanage port -n -m -t kubernetes_port_t -p tcp -r s0 8080
semanage port -n -m -t kubernetes_port_t -p tcp -r s0 10250-10252
semanage port -n -m -t kubernetes_port_t -p tcp -r s0 4001 #should be etcd_port_t
semanage port -n -m -t kubernetes_port_t -p tcp -r s0 7001 #should be etcd_port_t

if %{_sbindir}/selinuxenabled ; then
%{_sbindir}/load_policy
%relabel_files
fi


%postun
if [ $1 -eq 0 ]; then
for modulename in %{modulenames}; do
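Review bot: The four `semanage port -n -m ...` lines added to %post modify existing port mappings and nothing checks their exit status; `-m` fails for a port that is not already defined in the base policy, so if any of these ranges (10250-10252 in particular) is new, the scriptlet prints an error and the mapping is silently absent while install continues to `load_policy` and the relabel. Use `-a` for ports the base policy does not define and fall back to `-m` for ones it does, checking the result, e.g. `%{_sbindir}/semanage port -n -a -t kubernetes_port_t -p tcp -r s0 10250-10252 || %{_sbindir}/semanage port -n -m -t kubernetes_port_t -p tcp -r s0 10250-10252`. The `%postun` body that follows is cut off here, so I cannot see whether these mappings are removed on uninstall; if they are not, the customised port labels outlive the package. Note also that `semanage` is called bare while `semodule`, `selinuxenabled` and `load_policy` go through `%{_sbindir}`.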
33 changes: 18 additions & 15 deletions kubernetes.te
Expand Up @@ -10,6 +10,7 @@ attribute kubernetes_domain;
kubernetes_domain_template(kube_apiserver)
kubernetes_domain_template(kube_controller_manager)
kubernetes_domain_template(kube_proxy)
kubernetes_domain_template(kube_scheduler)
kubernetes_domain_template(kubelet)

permissive kube_apiserver_t;
Expand Down Expand Up @@ -39,26 +40,21 @@ allow kubernetes_domain self:tcp_socket create_stream_socket_perms;
kernel_read_unix_sysctls(kubernetes_domain)
kernel_read_net_sysctls(kubernetes_domain)

auth_read_passwd(kubernetes_domain)
#auth_read_passwd(kubernetes_domain)

corenet_tcp_bind_generic_node(kubernetes_domain)

corenet_tcp_bind_kubernetes_port(kubernetes_domain)

corenet_tcp_connect_http_cache_port(kubernetes_domain)
#corenet_tcp_connect_kubernetes_port(kubernetes_domain)
corenet_tcp_connect_kubernetes_port(kubernetes_domain)

########################################
#
# kubelet local policy
# kube_apiserver local policy
#

allow kubelet_t self:capability net_admin;

manage_dirs_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_lnk_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir)

#corenet_tcp_bind_kubernetes_port(kubelet_t)
sysnet_dns_name_resolve(kube_apiserver_t)
dev_read_urand(kube_apiserver_t)

########################################
#
Expand All @@ -68,14 +64,21 @@ files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir)

########################################
#
# kube_apiserver local policy
# kubelet local policy
#

corenet_tcp_bind_http_cache_port(kube_apiserver_t)
allow kubelet_t self:capability net_admin;

manage_dirs_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_lnk_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir)

docker_stream_connect(kubelet_t)

########################################
#
# kube_proxy local policy
#

allow kube_proxy_t self:capability net_admin;
allow kube_scheduler_t self:capability net_admin;
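Review bot: `allow kube_scheduler_t self:capability net_admin;` is added under the `# kube_proxy local policy` heading and grants the scheduler CAP_NET_ADMIN, which nothing visible in this file explains; for kubelet and kube_proxy the same grant is at least plausible, for a scheduler it is a broad capability to hand out without a reason. If the line came from an audit2allow pass while the domain is permissive (as kube_apiserver_t is on line 93), confirm the actual denial before keeping it, and if it stays give it its own section so the grant is not hidden under the proxy's, e.g. `# kube_scheduler local policy` followed by `# TODO: confirm why the scheduler needs net_admin; drop if the denial no longer reproduces`. The new `dev_read_urand(kube_apiserver_t)` and `sysnet_dns_name_resolve(kube_apiserver_t)` in the second hunk are narrow enough to need no comment.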

1 comment on commit 6849da3


@mgrepl mgrepl commented on 6849da3 Oct 1, 2014


+semanage port -n -m -t kubernetes_port_t -p tcp -r s0 8080

8080 is http_cache_port_t by default and it is used by other domains. I would leave this modification. Of course you can keep it for testing. The same for tcp/7001.
