
Commit ffd44e64 authored by Lahmer, Thomas's avatar Lahmer, Thomas

removed unnecessary selinux rules

added rke2 selinux rule
parent af2eb97c
1 merge request!1Restore main as the default branch
(block my-hubble
(blockinherit container)
(allow container_runtime_t init_t (bpf (prog_run)))
)
(block my-kube-apiserver
(blockinherit container)
(allow rke2_service_t container_var_lib_t (file (watch)))
)
(block my-node-exporter (block my-node-exporter
(blockinherit container) (blockinherit container)
(allow container_t init_t (dir (search))) (allow my-node-exporter.process init_t (dir (search)))
(allow container_t init_t (file (read open))) (allow my-node-exporter.process init_t (file (read open)))
(allow my-node-exporter.process node_t (tcp_socket (node_bind))) (allow my-node-exporter.process node_t (tcp_socket (node_bind)))
(allow my-node-exporter.process unreserved_port_t (tcp_socket (name_bind))) (allow my-node-exporter.process unreserved_port_t (tcp_socket (name_bind)))
(allow my-node-exporter.process self (tcp_socket (listen))) (allow my-node-exporter.process self (tcp_socket (listen)))
......
(block my-openstack-ccm
(blockinherit container)
(allow my-openstack-ccm.process commplex_main_port_t (tcp_socket (name_connect)))
(allow my-openstack-ccm.process node_t (tcp_socket (node_bind)))
(allow my-openstack-ccm.process unreserved_port_t (tcp_socket (name_bind)))
(allow my-openstack-ccm.process self (tcp_socket (listen)))
(allow my-openstack-ccm.process http_port_t (tcp_socket (name_connect)))
(allow my-openstack-ccm.process osapi_compute_port_t (tcp_socket (name_connect)))
(allow my-openstack-ccm.process neutron_port_t (tcp_socket (name_connect)))
(allow my-openstack-ccm.process cert_t (dir (read)))
(allow my-openstack-ccm.process cert_t (lnk_file (read)))
(allow my-openstack-ccm.process cert_t (file (open read write)))
)
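Review bot: The rule `(allow my-openstack-ccm.process cert_t (file (open read write)))` grants write access to system certificate files, which is wider than a cloud-controller-manager that only consumes a CA bundle should need; if the AVC that motivated it was a read denial, narrow it to `(allow my-openstack-ccm.process cert_t (file (open read)))` and keep the `dir (read)` and `lnk_file (read)` rules as they are. The page does not mark this file as added or unchanged, so if it is carried over from the removed my-openstack.cil the same narrowing still applies. A one-line comment per port label would also help the next maintainer, e.g. `; commplex_main_port_t (5000/tcp) — presumably keystone; confirm against the CCM cloud-config`, since the service behind each `name_connect` is not visible from the policy itself.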
(block my-openstack
(blockinherit container)
(allow container_t cert_t (dir (read)))
(allow container_t cert_t (lnk_file read)))
(allow container_t cert_t (file (open read write)))
)
module my-rke2 1.0;
require {
type container_var_lib_t;
type rke2_service_t;
class file watch;
}
#============= rke2_service_t ==============
allow rke2_service_t container_var_lib_t:file watch;
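Review bot: The module has no comment recording why `rke2_service_t` needs `file watch` on `container_var_lib_t`, so nobody can later tell whether the exception is still needed or already covered by the upstream rke2-selinux policy. Add a header line such as `# Exception for rke2 inotify-watching files under container_var_lib_t; drop once rke2-selinux grants this (AVC: <placeholder — paste the denial that produced this rule>)`. If the rule was produced with audit2allow, keeping the original AVC line in the comment is the cheapest way to make the module auditable.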
...@@ -36,3 +36,17 @@ ...@@ -36,3 +36,17 @@
file: file:
path: /tmp/rke2.sh path: /tmp/rke2.sh
state: absent state: absent
- name: Copy SELinux Policies (rke2)
template:
src: ../selinux/my-rke2.te
dest: /etc/selinux/targeted/policy/my-rke2.te
when: ( 'control-plane' in group_names )
- name: Build SELinux exception module (rke2)
shell: |
checkmodule -M -m -o /etc/selinux/targeted/policy/my-rke2.mod /etc/selinux/targeted/policy/my-rke2.te
semodule_package -o /etc/selinux/targeted/policy/my-rke2.pp -m /etc/selinux/targeted/policy/my-rke2.mod
semodule -i /etc/selinux/targeted/policy/my-rke2.pp
when: ( 'control-plane' in group_names )
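Review bot: In the "Build SELinux exception module (rke2)" task the three commands run as one `shell: |` script, so a failed `checkmodule` or `semodule_package` is not reported — only the exit status of the final `semodule -i` decides the task result, and a stale or missing .pp can be installed silently. Start the script with `set -e` (or chain the commands with `&&`) so the first failure aborts the task. The task also re-runs `semodule -i` on every play and always reports changed; consider `changed_when` on a registered result or a `creates:` guard on the .pp file. Both rke2 tasks are gated on `'control-plane' in group_names`, while the `rke2_service_t` domain also runs on agent nodes; confirm that the watch denial does not occur there as well.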
...@@ -72,10 +72,15 @@ ...@@ -72,10 +72,15 @@
/usr/sbin/pvresize -y -q /dev/vda2 /usr/sbin/pvresize -y -q /dev/vda2
/usr/sbin/lvresize -y -q -r -l +100%FREE /dev/mapper/*root /usr/sbin/lvresize -y -q -r -l +100%FREE /dev/mapper/*root
- name: Copy udica Base Container SELinux Policies
template:
src: ../selinux/udica/base-container.cil
dest: /etc/selinux/targeted/policy/base-container.cil
- name: Copy SELinux Policies (prometheus/node_exporter) - name: Copy SELinux Policies (prometheus/node_exporter)
template: template:
src: ../selinux/my-node-exporter.cil src: ../selinux/my-node-exporter.cil
dest: /etc/selinux/targeted/policy/my-noe-exporter.cil dest: /etc/selinux/targeted/policy/my-node-exporter.cil
- name: Copy SELinux Policies (prometheus/node_exporter) - name: Copy SELinux Policies (prometheus/node_exporter)
template: template:
...@@ -84,8 +89,18 @@ ...@@ -84,8 +89,18 @@
- name: Copy SELinux Policies - name: Copy SELinux Policies
template: template:
src: ../selinux/my-openstack.cil src: ../selinux/my-openstack-ccm.cil
dest: /etc/selinux/targeted/policy/my-openstack.cil dest: /etc/selinux/targeted/policy/my-openstack-ccm.cil
when: ( 'control-plane' in group_names )
- name: Build SELinux exception modules
shell: |
semodule -i /etc/selinux/targeted/policy/my-node-exporter.cil /etc/selinux/targeted/policy/base-container.cil
- name: Build SELinux exception modules
shell: |
semodule -i /etc/selinux/targeted/policy/my-openstack-ccm.cil /etc/selinux/targeted/policy/base-container.cil
when: ( 'control-plane' in group_names )
- name: Disable SELinux - name: Disable SELinux
selinux: selinux:
......
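Review bot: The two added tasks are both named "Build SELinux exception modules" and each runs `semodule -i` via `shell` on every play with no `changed_when`, so the play output cannot distinguish them and always reports a change. Give them distinct names (e.g. `- name: Install SELinux modules (base-container, node_exporter)` and `- name: Install SELinux modules (openstack-ccm)`), or merge them into one task that loops over the .cil paths, and add `changed_when: false` or a registered check so reruns are quiet. Passing base-container.cil in both invocations is harmless but redundant once the first task has loaded it. The "Disable SELinux" task that follows is context only; whether its resulting mode makes these modules effective is not visible from this hunk.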
...@@ -55,4 +55,9 @@ spec: ...@@ -55,4 +55,9 @@ spec:
{#resources: {#resources:
# requests: # requests:
# cpu: 200m # cpu: 200m
#} #}
\ No newline at end of file
securityContext:
seLinuxOptions:
type: my-openstack-ccm.process
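Review bot: Setting `seLinuxOptions.type: my-openstack-ccm.process` requires the my-openstack-ccm module to be loaded on every node where this pod can be scheduled; the playbook in this commit installs it only on hosts with 'control-plane' in group_names, so pod creation would fail with an unknown type on any other node. Confirm the workload's nodeSelector or tolerations pin it to control-plane nodes, or install the module cluster-wide. The indentation lost in rendering does not show whether this is a pod-level or container-level securityContext; a comment such as `# SELinux domain from ../selinux/my-openstack-ccm.cil — must be loaded on the scheduling node` next to the type would document the coupling. The surrounding spec continues outside the hunk.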