*** Wartungsfenster jeden ersten Mittwoch vormittag im Monat ***

Skip to content
Snippets Groups Projects
Commit ffd44e64 authored by Lahmer, Thomas's avatar Lahmer, Thomas
Browse files

removed unnecessary selinux rules 

added rke2 selinux rule
parent af2eb97c
No related branches found
No related tags found
1 merge request!1Restore main as the default branch
Hide whitespace changes
Inline Side-by-side
Showing
with 65 additions and 20 deletions
roles/rke2/selinux/my-hubble.cil deleted 100644 → 0
+ 0
4
View file @ af2eb97c
(block my-hubble
(blockinherit container)
(allow container_runtime_t init_t (bpf (prog_run)))
)
roles/rke2/selinux/my-kube-apiserver.cil deleted 100644 → 0
+ 0
4
View file @ af2eb97c
(block my-kube-apiserver
(blockinherit container)
(allow rke2_service_t container_var_lib_t (file (watch)))
)
roles/rke2/selinux/my-node-exporter.cil
+ 2
2
View file @ ffd44e64
(block my-node-exporter (block my-node-exporter
(blockinherit container) (blockinherit container)
(allow container_t init_t (dir (search))) (allow my-node-exporter.process init_t (dir (search)))
(allow container_t init_t (file (read open))) (allow my-node-exporter.process init_t (file (read open)))
(allow my-node-exporter.process node_t (tcp_socket (node_bind))) (allow my-node-exporter.process node_t (tcp_socket (node_bind)))
(allow my-node-exporter.process unreserved_port_t (tcp_socket (name_bind))) (allow my-node-exporter.process unreserved_port_t (tcp_socket (name_bind)))
(allow my-node-exporter.process self (tcp_socket (listen))) (allow my-node-exporter.process self (tcp_socket (listen)))
......
roles/rke2/selinux/my-openstack-ccm.cil 0 → 100644
+ 14
0
View file @ ffd44e64
(block my-openstack-ccm
(blockinherit container)
(allow my-openstack-ccm.process commplex_main_port_t (tcp_socket (name_connect)))
(allow my-openstack-ccm.process node_t (tcp_socket (node_bind)))
(allow my-openstack-ccm.process unreserved_port_t (tcp_socket (name_bind)))
(allow my-openstack-ccm.process self (tcp_socket (listen)))
(allow my-openstack-ccm.process http_port_t (tcp_socket (name_connect)))
(allow my-openstack-ccm.process osapi_compute_port_t (tcp_socket (name_connect)))
(allow my-openstack-ccm.process neutron_port_t (tcp_socket (name_connect)))
(allow my-openstack-ccm.process cert_t (dir (read)))
(allow my-openstack-ccm.process cert_t (lnk_file (read)))
(allow my-openstack-ccm.process cert_t (file (open read write)))
)
roles/rke2/selinux/my-openstack.cil deleted 100644 → 0
+ 0
6
View file @ af2eb97c
(block my-openstack
(blockinherit container)
(allow container_t cert_t (dir (read)))
(allow container_t cert_t (lnk_file read)))
(allow container_t cert_t (file (open read write)))
)
roles/rke2/selinux/my-rke2.te 0 → 100644
+ 11
0
View file @ ffd44e64
module my-rke2 1.0;
require {
type container_var_lib_t;
type rke2_service_t;
class file watch;
}
#============= rke2_service_t ==============
allow rke2_service_t container_var_lib_t:file watch;
roles/rke2/tasks/install_rke2.yml
+ 14
0
View file @ ffd44e64
...@@ -36,3 +36,17 @@ ...@@ -36,3 +36,17 @@
file: file:
path: /tmp/rke2.sh path: /tmp/rke2.sh
state: absent state: absent
- name: Copy SELinux Policies (rke2)
template:
src: ../selinux/my-rke2.te
dest: /etc/selinux/targeted/policy/my-rke2.te
when: ( 'control-plane' in group_names )
- name: Build SELinux exception module (rke2)
shell: |
checkmodule -M -m -o /etc/selinux/targeted/policy/my-rke2.mod /etc/selinux/targeted/policy/my-rke2.te
semodule_package -o /etc/selinux/targeted/policy/my-rke2.pp -m /etc/selinux/targeted/policy/my-rke2.mod
semodule -i /etc/selinux/targeted/policy/my-rke2.pp
when: ( 'control-plane' in group_names )
roles/rke2/tasks/setup_host.yml
+ 18
3
View file @ ffd44e64
...@@ -72,10 +72,15 @@ ...@@ -72,10 +72,15 @@
/usr/sbin/pvresize -y -q /dev/vda2 /usr/sbin/pvresize -y -q /dev/vda2
/usr/sbin/lvresize -y -q -r -l +100%FREE /dev/mapper/*root /usr/sbin/lvresize -y -q -r -l +100%FREE /dev/mapper/*root
- name: Copy udica Base Container SELinux Policies
template:
src: ../selinux/udica/base-container.cil
dest: /etc/selinux/targeted/policy/base-container.cil
- name: Copy SELinux Policies (prometheus/node_exporter) - name: Copy SELinux Policies (prometheus/node_exporter)
template: template:
src: ../selinux/my-node-exporter.cil src: ../selinux/my-node-exporter.cil
dest: /etc/selinux/targeted/policy/my-noe-exporter.cil dest: /etc/selinux/targeted/policy/my-node-exporter.cil
- name: Copy SELinux Policies (prometheus/node_exporter) - name: Copy SELinux Policies (prometheus/node_exporter)
template: template:
...@@ -84,8 +89,18 @@ ...@@ -84,8 +89,18 @@
- name: Copy SELinux Policies - name: Copy SELinux Policies
template: template:
src: ../selinux/my-openstack.cil src: ../selinux/my-openstack-ccm.cil
dest: /etc/selinux/targeted/policy/my-openstack.cil dest: /etc/selinux/targeted/policy/my-openstack-ccm.cil
when: ( 'control-plane' in group_names )
- name: Build SELinux exception modules
shell: |
semodule -i /etc/selinux/targeted/policy/my-node-exporter.cil /etc/selinux/targeted/policy/base-container.cil
- name: Build SELinux exception modules
shell: |
semodule -i /etc/selinux/targeted/policy/my-openstack-ccm.cil /etc/selinux/targeted/policy/base-container.cil
when: ( 'control-plane' in group_names )
- name: Disable SELinux - name: Disable SELinux
selinux: selinux:
......
roles/rke2/templates/manifests/deploy-openstack-ccm.j2
+ 6
1
View file @ ffd44e64
...@@ -55,4 +55,9 @@ spec: ...@@ -55,4 +55,9 @@ spec:
{#resources: {#resources:
# requests: # requests:
# cpu: 200m # cpu: 200m
#} #}
\ No newline at end of file
securityContext:
seLinuxOptions:
type: my-openstack-ccm.process
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

[ 17.Mar 7h : 3,686 users | 903 groups | 4,945 projects ]