├── .drone.yml ├── .github └── dependabot.yml ├── .gitignore ├── Dockerfile.centos7.dapper ├── Dockerfile.centos8.dapper ├── Dockerfile.centos9.dapper ├── Dockerfile.coreos.dapper ├── Dockerfile.microos.dapper ├── Dockerfile.slemicro.dapper ├── LICENSE ├── Makefile ├── README.md ├── policy ├── centos7 │ ├── k3s-selinux.spec │ ├── k3s.fc │ ├── k3s.if │ ├── k3s.te │ └── scripts │ │ ├── build │ │ ├── entry │ │ ├── sign │ │ ├── upload-repo │ │ └── version ├── centos8 │ ├── k3s-selinux.spec │ ├── k3s.fc │ ├── k3s.if │ ├── k3s.te │ └── scripts │ │ ├── build │ │ ├── entry │ │ ├── sign │ │ ├── upload-repo │ │ └── version ├── centos9 │ ├── k3s-selinux.spec │ ├── k3s.fc │ ├── k3s.if │ ├── k3s.te │ └── scripts │ │ ├── build │ │ ├── entry │ │ ├── sign │ │ ├── upload-repo │ │ └── version ├── coreos │ ├── k3s-selinux.spec │ ├── k3s.fc │ ├── k3s.if │ ├── k3s.te │ └── scripts │ │ ├── build │ │ ├── entry │ │ ├── sign │ │ ├── upload-repo │ │ └── version ├── microos │ ├── k3s-selinux.spec │ ├── k3s.fc │ ├── k3s.if │ ├── k3s.te │ └── scripts │ │ ├── build │ │ ├── entry │ │ ├── sign │ │ ├── upload-repo │ │ └── version └── slemicro │ ├── k3s-selinux.spec │ ├── k3s.fc │ ├── k3s.if │ ├── k3s.te │ └── scripts │ ├── build │ ├── entry │ ├── sign │ ├── upload-repo │ └── version └── test ├── centos8 └── Vagrantfile └── fedora34 └── Vagrantfile /.drone.yml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: pipeline 3 | name: RPM Build EL7 4 | 5 | platform: 6 | os: linux 7 | arch: amd64 8 | 9 | steps: 10 | - name: Build EL7 11 | image: rancher/dapper:v0.6.0 12 | commands: 13 | - dapper -f Dockerfile.centos7.dapper ./policy/centos7/scripts/build 14 | volumes: 15 | - name: docker 16 | path: /var/run/docker.sock 17 | 18 | - name: Sign RPM EL7 19 | image: rancher/dapper:v0.6.0 20 | environment: 21 | PRIVATE_KEY: 22 | from_secret: private_key 23 | PRIVATE_KEY_PASS_PHRASE: 24 | from_secret: private_key_pass_phrase 25 | TESTING_PRIVATE_KEY: 26 | 
from_secret: testing_private_key 27 | TESTING_PRIVATE_KEY_PASS_PHRASE: 28 | from_secret: testing_private_key_pass_phrase 29 | commands: 30 | - dapper -f Dockerfile.centos7.dapper ./policy/centos7/scripts/sign 31 | volumes: 32 | - name: docker 33 | path: /var/run/docker.sock 34 | when: 35 | instance: 36 | - drone-publish.k3s.io 37 | ref: 38 | - refs/head/master 39 | - refs/tags/* 40 | event: 41 | - tag 42 | 43 | - name: Yum Repo Upload EL7 44 | image: rancher/dapper:v0.6.0 45 | environment: 46 | AWS_S3_BUCKET: 47 | from_secret: aws_s3_bucket 48 | AWS_ACCESS_KEY_ID: 49 | from_secret: aws_access_key_id 50 | AWS_SECRET_ACCESS_KEY: 51 | from_secret: aws_secret_access_key 52 | TESTING_AWS_S3_BUCKET: 53 | from_secret: testing_aws_s3_bucket 54 | TESTING_AWS_ACCESS_KEY_ID: 55 | from_secret: testing_aws_access_key_id 56 | TESTING_AWS_SECRET_ACCESS_KEY: 57 | from_secret: testing_aws_secret_access_key 58 | commands: 59 | - dapper -f Dockerfile.centos7.dapper ./policy/centos7/scripts/upload-repo 60 | volumes: 61 | - name: docker 62 | path: /var/run/docker.sock 63 | when: 64 | instance: 65 | - drone-publish.k3s.io 66 | ref: 67 | - refs/head/master 68 | - refs/tags/* 69 | event: 70 | - tag 71 | 72 | - name: GitHub Release EL7 73 | image: plugins/github-release 74 | settings: 75 | api_key: 76 | from_secret: github_token 77 | prerelease: true 78 | checksum: 79 | - sha256 80 | checksum_file: CHECKSUMsum-centos7-noarch.txt 81 | checksum_flatten: true 82 | files: 83 | - "dist/centos7/**/*.rpm" 84 | when: 85 | instance: 86 | - drone-publish.k3s.io 87 | ref: 88 | - refs/head/master 89 | - refs/tags/* 90 | event: 91 | - tag 92 | 93 | volumes: 94 | - name: docker 95 | host: 96 | path: /var/run/docker.sock 97 | --- 98 | kind: pipeline 99 | name: RPM Build EL8 100 | 101 | platform: 102 | os: linux 103 | arch: amd64 104 | 105 | steps: 106 | - name: Build EL8 107 | image: rancher/dapper:v0.6.0 108 | commands: 109 | - dapper -f Dockerfile.centos8.dapper ./policy/centos8/scripts/build 110 | 
volumes: 111 | - name: docker 112 | path: /var/run/docker.sock 113 | 114 | - name: Sign RPM EL8 115 | image: rancher/dapper:v0.6.0 116 | environment: 117 | PRIVATE_KEY: 118 | from_secret: private_key 119 | PRIVATE_KEY_PASS_PHRASE: 120 | from_secret: private_key_pass_phrase 121 | TESTING_PRIVATE_KEY: 122 | from_secret: testing_private_key 123 | TESTING_PRIVATE_KEY_PASS_PHRASE: 124 | from_secret: testing_private_key_pass_phrase 125 | commands: 126 | - dapper -f Dockerfile.centos7.dapper ./policy/centos8/scripts/sign 127 | volumes: 128 | - name: docker 129 | path: /var/run/docker.sock 130 | when: 131 | instance: 132 | - drone-publish.k3s.io 133 | ref: 134 | - refs/head/master 135 | - refs/tags/* 136 | event: 137 | - tag 138 | 139 | - name: Yum Repo Upload EL8 140 | image: rancher/dapper:v0.6.0 141 | environment: 142 | AWS_S3_BUCKET: 143 | from_secret: aws_s3_bucket 144 | AWS_ACCESS_KEY_ID: 145 | from_secret: aws_access_key_id 146 | AWS_SECRET_ACCESS_KEY: 147 | from_secret: aws_secret_access_key 148 | TESTING_AWS_S3_BUCKET: 149 | from_secret: testing_aws_s3_bucket 150 | TESTING_AWS_ACCESS_KEY_ID: 151 | from_secret: testing_aws_access_key_id 152 | TESTING_AWS_SECRET_ACCESS_KEY: 153 | from_secret: testing_aws_secret_access_key 154 | commands: 155 | - dapper -f Dockerfile.centos7.dapper ./policy/centos8/scripts/upload-repo 156 | volumes: 157 | - name: docker 158 | path: /var/run/docker.sock 159 | when: 160 | instance: 161 | - drone-publish.k3s.io 162 | ref: 163 | - refs/head/master 164 | - refs/tags/* 165 | event: 166 | - tag 167 | 168 | - name: GitHub Release EL8 169 | image: plugins/github-release 170 | settings: 171 | api_key: 172 | from_secret: github_token 173 | prerelease: true 174 | checksum: 175 | - sha256 176 | checksum_file: CHECKSUMsum-centos8-noarch.txt 177 | checksum_flatten: true 178 | files: 179 | - "dist/centos8/**/*.rpm" 180 | when: 181 | instance: 182 | - drone-publish.k3s.io 183 | ref: 184 | - refs/head/master 185 | - refs/tags/* 186 | event: 187 | - 
tag 188 | 189 | volumes: 190 | - name: docker 191 | host: 192 | path: /var/run/docker.sock 193 | --- 194 | kind: pipeline 195 | name: RPM Build SLE Micro 196 | 197 | platform: 198 | os: linux 199 | arch: amd64 200 | 201 | steps: 202 | - name: Build SLE Micro 203 | image: rancher/dapper:v0.6.0 204 | commands: 205 | - dapper -f Dockerfile.slemicro.dapper ./policy/slemicro/scripts/build 206 | volumes: 207 | - name: docker 208 | path: /var/run/docker.sock 209 | 210 | - name: Sign RPM SLE 211 | image: rancher/dapper:v0.6.0 212 | environment: 213 | PRIVATE_KEY: 214 | from_secret: private_key 215 | PRIVATE_KEY_PASS_PHRASE: 216 | from_secret: private_key_pass_phrase 217 | TESTING_PRIVATE_KEY: 218 | from_secret: testing_private_key 219 | TESTING_PRIVATE_KEY_PASS_PHRASE: 220 | from_secret: testing_private_key_pass_phrase 221 | commands: 222 | - dapper -f Dockerfile.centos7.dapper ./policy/slemicro/scripts/sign 223 | volumes: 224 | - name: docker 225 | path: /var/run/docker.sock 226 | when: 227 | instance: 228 | - drone-publish.k3s.io 229 | ref: 230 | - refs/head/master 231 | - refs/tags/* 232 | event: 233 | - tag 234 | 235 | - name: Yum Repo Upload SLE Micro 236 | image: rancher/dapper:v0.6.0 237 | environment: 238 | AWS_S3_BUCKET: 239 | from_secret: aws_s3_bucket 240 | AWS_ACCESS_KEY_ID: 241 | from_secret: aws_access_key_id 242 | AWS_SECRET_ACCESS_KEY: 243 | from_secret: aws_secret_access_key 244 | TESTING_AWS_S3_BUCKET: 245 | from_secret: testing_aws_s3_bucket 246 | TESTING_AWS_ACCESS_KEY_ID: 247 | from_secret: testing_aws_access_key_id 248 | TESTING_AWS_SECRET_ACCESS_KEY: 249 | from_secret: testing_aws_secret_access_key 250 | commands: 251 | - dapper -f Dockerfile.centos7.dapper ./policy/slemicro/scripts/upload-repo 252 | volumes: 253 | - name: docker 254 | path: /var/run/docker.sock 255 | when: 256 | instance: 257 | - drone-publish.k3s.io 258 | ref: 259 | - refs/head/master 260 | - refs/tags/* 261 | event: 262 | - tag 263 | 264 | - name: GitHub Release SLE Micro 265 | 
image: plugins/github-release 266 | settings: 267 | api_key: 268 | from_secret: github_token 269 | prerelease: true 270 | checksum: 271 | - sha256 272 | checksum_file: CHECKSUMsum-slemicro-noarch.txt 273 | checksum_flatten: true 274 | files: 275 | - "dist/slemicro/**/*.rpm" 276 | when: 277 | instance: 278 | - drone-publish.k3s.io 279 | ref: 280 | - refs/head/master 281 | - refs/tags/* 282 | event: 283 | - tag 284 | 285 | volumes: 286 | - name: docker 287 | host: 288 | path: /var/run/docker.sock 289 | 290 | --- 291 | kind: pipeline 292 | name: RPM Build Microos 293 | 294 | platform: 295 | os: linux 296 | arch: amd64 297 | 298 | steps: 299 | - name: Build MicroOS 300 | image: rancher/dapper:v0.6.0 301 | commands: 302 | - dapper -f Dockerfile.microos.dapper ./policy/microos/scripts/build 303 | volumes: 304 | - name: docker 305 | path: /var/run/docker.sock 306 | 307 | - name: Sign RPM MicroOS 308 | image: rancher/dapper:v0.6.0 309 | environment: 310 | PRIVATE_KEY: 311 | from_secret: private_key 312 | PRIVATE_KEY_PASS_PHRASE: 313 | from_secret: private_key_pass_phrase 314 | TESTING_PRIVATE_KEY: 315 | from_secret: testing_private_key 316 | TESTING_PRIVATE_KEY_PASS_PHRASE: 317 | from_secret: testing_private_key_pass_phrase 318 | commands: 319 | - dapper -f Dockerfile.centos7.dapper ./policy/microos/scripts/sign 320 | volumes: 321 | - name: docker 322 | path: /var/run/docker.sock 323 | when: 324 | instance: 325 | - drone-publish.k3s.io 326 | ref: 327 | - refs/head/master 328 | - refs/tags/* 329 | event: 330 | - tag 331 | 332 | - name: Yum Repo Upload MicroOS 333 | image: rancher/dapper:v0.6.0 334 | environment: 335 | AWS_S3_BUCKET: 336 | from_secret: aws_s3_bucket 337 | AWS_ACCESS_KEY_ID: 338 | from_secret: aws_access_key_id 339 | AWS_SECRET_ACCESS_KEY: 340 | from_secret: aws_secret_access_key 341 | TESTING_AWS_S3_BUCKET: 342 | from_secret: testing_aws_s3_bucket 343 | TESTING_AWS_ACCESS_KEY_ID: 344 | from_secret: testing_aws_access_key_id 345 | 
TESTING_AWS_SECRET_ACCESS_KEY: 346 | from_secret: testing_aws_secret_access_key 347 | commands: 348 | - dapper -f Dockerfile.centos7.dapper ./policy/microos/scripts/upload-repo 349 | volumes: 350 | - name: docker 351 | path: /var/run/docker.sock 352 | when: 353 | instance: 354 | - drone-publish.k3s.io 355 | ref: 356 | - refs/head/master 357 | - refs/tags/* 358 | event: 359 | - tag 360 | 361 | - name: GitHub Release MicroOS 362 | image: plugins/github-release 363 | settings: 364 | api_key: 365 | from_secret: github_token 366 | prerelease: true 367 | checksum: 368 | - sha256 369 | checksum_file: CHECKSUMsum-microos-noarch.txt 370 | checksum_flatten: true 371 | files: 372 | - "dist/microos/**/*.rpm" 373 | when: 374 | instance: 375 | - drone-publish.k3s.io 376 | ref: 377 | - refs/head/master 378 | - refs/tags/* 379 | event: 380 | - tag 381 | 382 | volumes: 383 | - name: docker 384 | host: 385 | path: /var/run/docker.sock 386 | 387 | --- 388 | kind: pipeline 389 | name: RPM Build Fedora CoreOS 390 | 391 | platform: 392 | os: linux 393 | arch: amd64 394 | 395 | steps: 396 | - name: Build Fedora CoreOS 397 | image: rancher/dapper:v0.6.0 398 | commands: 399 | - dapper -f Dockerfile.coreos.dapper ./policy/coreos/scripts/build 400 | volumes: 401 | - name: docker 402 | path: /var/run/docker.sock 403 | 404 | - name: Sign RPM Fedora CoreOS 405 | image: rancher/dapper:v0.6.0 406 | environment: 407 | PRIVATE_KEY: 408 | from_secret: private_key 409 | PRIVATE_KEY_PASS_PHRASE: 410 | from_secret: private_key_pass_phrase 411 | TESTING_PRIVATE_KEY: 412 | from_secret: testing_private_key 413 | TESTING_PRIVATE_KEY_PASS_PHRASE: 414 | from_secret: testing_private_key_pass_phrase 415 | commands: 416 | - dapper -f Dockerfile.centos7.dapper ./policy/coreos/scripts/sign 417 | volumes: 418 | - name: docker 419 | path: /var/run/docker.sock 420 | when: 421 | instance: 422 | - drone-publish.k3s.io 423 | ref: 424 | - refs/head/master 425 | - refs/tags/* 426 | event: 427 | - tag 428 | 429 | - name: 
Yum Repo Upload Fedora CoreOS 430 | image: rancher/dapper:v0.6.0 431 | environment: 432 | AWS_S3_BUCKET: 433 | from_secret: aws_s3_bucket 434 | AWS_ACCESS_KEY_ID: 435 | from_secret: aws_access_key_id 436 | AWS_SECRET_ACCESS_KEY: 437 | from_secret: aws_secret_access_key 438 | TESTING_AWS_S3_BUCKET: 439 | from_secret: testing_aws_s3_bucket 440 | TESTING_AWS_ACCESS_KEY_ID: 441 | from_secret: testing_aws_access_key_id 442 | TESTING_AWS_SECRET_ACCESS_KEY: 443 | from_secret: testing_aws_secret_access_key 444 | commands: 445 | - dapper -f Dockerfile.centos7.dapper ./policy/coreos/scripts/upload-repo 446 | volumes: 447 | - name: docker 448 | path: /var/run/docker.sock 449 | when: 450 | instance: 451 | - drone-publish.k3s.io 452 | ref: 453 | - refs/head/master 454 | - refs/tags/* 455 | event: 456 | - tag 457 | 458 | - name: GitHub Release Fedora CoreOS 459 | image: plugins/github-release 460 | settings: 461 | api_key: 462 | from_secret: github_token 463 | prerelease: true 464 | checksum: 465 | - sha256 466 | checksum_file: CHECKSUMsum-coreos-noarch.txt 467 | checksum_flatten: true 468 | files: 469 | - "dist/coreos/**/*.rpm" 470 | when: 471 | instance: 472 | - drone-publish.k3s.io 473 | ref: 474 | - refs/head/master 475 | - refs/tags/* 476 | event: 477 | - tag 478 | 479 | volumes: 480 | - name: docker 481 | host: 482 | path: /var/run/docker.sock 483 | --- 484 | kind: pipeline 485 | name: RPM Build EL9 486 | 487 | platform: 488 | os: linux 489 | arch: amd64 490 | 491 | steps: 492 | - name: Build EL9 493 | image: rancher/dapper:v0.6.0 494 | commands: 495 | - dapper -f Dockerfile.centos9.dapper ./policy/centos9/scripts/build 496 | volumes: 497 | - name: docker 498 | path: /var/run/docker.sock 499 | 500 | - name: Sign RPM EL9 501 | image: rancher/dapper:v0.6.0 502 | environment: 503 | PRIVATE_KEY: 504 | from_secret: private_key 505 | PRIVATE_KEY_PASS_PHRASE: 506 | from_secret: private_key_pass_phrase 507 | TESTING_PRIVATE_KEY: 508 | from_secret: testing_private_key 509 | 
TESTING_PRIVATE_KEY_PASS_PHRASE: 510 | from_secret: testing_private_key_pass_phrase 511 | commands: 512 | - dapper -f Dockerfile.centos7.dapper ./policy/centos9/scripts/sign 513 | volumes: 514 | - name: docker 515 | path: /var/run/docker.sock 516 | when: 517 | instance: 518 | - drone-publish.k3s.io 519 | ref: 520 | - refs/head/master 521 | - refs/tags/* 522 | event: 523 | - tag 524 | 525 | - name: Yum Repo Upload EL9 526 | image: rancher/dapper:v0.6.0 527 | environment: 528 | AWS_S3_BUCKET: 529 | from_secret: aws_s3_bucket 530 | AWS_ACCESS_KEY_ID: 531 | from_secret: aws_access_key_id 532 | AWS_SECRET_ACCESS_KEY: 533 | from_secret: aws_secret_access_key 534 | TESTING_AWS_S3_BUCKET: 535 | from_secret: testing_aws_s3_bucket 536 | TESTING_AWS_ACCESS_KEY_ID: 537 | from_secret: testing_aws_access_key_id 538 | TESTING_AWS_SECRET_ACCESS_KEY: 539 | from_secret: testing_aws_secret_access_key 540 | commands: 541 | - dapper -f Dockerfile.centos7.dapper ./policy/centos9/scripts/upload-repo 542 | volumes: 543 | - name: docker 544 | path: /var/run/docker.sock 545 | when: 546 | instance: 547 | - drone-publish.k3s.io 548 | ref: 549 | - refs/head/master 550 | - refs/tags/* 551 | event: 552 | - tag 553 | 554 | - name: GitHub Release EL9 555 | image: plugins/github-release 556 | settings: 557 | api_key: 558 | from_secret: github_token 559 | prerelease: true 560 | checksum: 561 | - sha256 562 | checksum_file: CHECKSUMsum-centos9-noarch.txt 563 | checksum_flatten: true 564 | files: 565 | - "dist/centos9/**/*.rpm" 566 | when: 567 | instance: 568 | - drone-publish.k3s.io 569 | ref: 570 | - refs/head/master 571 | - refs/tags/* 572 | event: 573 | - tag 574 | 575 | volumes: 576 | - name: docker 577 | host: 578 | path: /var/run/docker.sock -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | --- 2 | version: 2 3 | updates: 4 | - package-ecosystem: "docker" 
5 | directory: "/" 6 | reviewers: 7 | - "k3s-io/k3s-dev" 8 | schedule: 9 | interval: "monthly" 10 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /dist 2 | .dapper 3 | -------------------------------------------------------------------------------- /Dockerfile.centos7.dapper: --------------------------------------------------------------------------------
FROM centos:7

# Replace the mirrorlist with a fixed vault baseurl so the retired CentOS 7
# repos still resolve.
# NOTE(review): the baseurl is plain http and this Dockerfile does not touch
# gpgcheck, so package integrity rests on yum's repository GPG signature
# checks at the base image's defaults.
RUN sed -i -e "s/mirrorlist.*//g" /etc/yum.repos.d/*
RUN sed -i -e "s/#baseurl=http:\/\/mirror.centos.org/baseurl=http:\/\/linuxsoft.cern.ch\/centos-vault\//g" /etc/yum.repos.d/*

# Toolchain for building the SELinux policy RPM.
RUN yum install -y epel-release \
    && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils

ENV DAPPER_SOURCE /source
ENV DAPPER_OUTPUT ./dist
# Host environment variables that dapper forwards into the container. This is
# the only dapper image that forwards the signing-key and AWS credential
# variables (the other Dockerfiles forward only COMBARCH DRONE_TAG TAG), which
# is why the sign and upload-repo scripts are always run with this Dockerfile
# in both the Makefile and .drone.yml.
ENV DAPPER_ENV COMBARCH DRONE_TAG TAG PRIVATE_KEY PRIVATE_KEY_PASS_PHRASE TESTING_PRIVATE_KEY TESTING_PRIVATE_KEY_PASS_PHRASE AWS_S3_BUCKET AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY TESTING_AWS_S3_BUCKET TESTING_AWS_ACCESS_KEY_ID TESTING_AWS_SECRET_ACCESS_KEY
ENV HOME ${DAPPER_SOURCE}
WORKDIR ${DAPPER_SOURCE}

ENTRYPOINT ["./policy/centos7/scripts/entry"]

-------------------------------------------------------------------------------- /Dockerfile.centos8.dapper: -------------------------------------------------------------------------------- 1 | FROM centos:8 2 | 3 | RUN find /etc/yum.repos.d -type f -name '*.repo' -exec \ 4 | sed -i -e '/mirrorlist.*/d' -e 's%#baseurl=http://mirror.centos.org%baseurl=http://vault.centos.org%g' {} \; 5 | RUN yum install -y epel-release \ 6 | && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils 7 | 8 | ENV DAPPER_SOURCE /source 9 | ENV DAPPER_OUTPUT ./dist 10 | ENV DAPPER_ENV COMBARCH DRONE_TAG TAG 11 | ENV HOME ${DAPPER_SOURCE} 12 | WORKDIR ${DAPPER_SOURCE} 13 | 14 | ENTRYPOINT 
["./policy/centos8/scripts/entry"] 15 | -------------------------------------------------------------------------------- /Dockerfile.centos9.dapper: -------------------------------------------------------------------------------- 1 | FROM quay.io/centos/centos:stream9 2 | 3 | RUN yum install -y epel-release \ 4 | && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils 5 | 6 | ENV DAPPER_SOURCE /source 7 | ENV DAPPER_OUTPUT ./dist 8 | ENV DAPPER_ENV COMBARCH DRONE_TAG TAG 9 | ENV HOME ${DAPPER_SOURCE} 10 | WORKDIR ${DAPPER_SOURCE} 11 | 12 | ENTRYPOINT ["./policy/centos9/scripts/entry"] 13 | -------------------------------------------------------------------------------- /Dockerfile.coreos.dapper: -------------------------------------------------------------------------------- 1 | FROM fedora:37 2 | 3 | RUN find /etc/yum.repos.d -type f -name '*.repo' -exec \ 4 | sed -i -e '/mirrorlist.*/d' -e 's%#baseurl=http://mirror.centos.org%baseurl=http://vault.centos.org%g' {} \; 5 | RUN yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils 6 | 7 | ENV DAPPER_SOURCE /source 8 | ENV DAPPER_OUTPUT ./dist 9 | ENV DAPPER_ENV COMBARCH DRONE_TAG TAG 10 | ENV HOME ${DAPPER_SOURCE} 11 | WORKDIR ${DAPPER_SOURCE} 12 | 13 | ENTRYPOINT ["./policy/coreos/scripts/entry"] 14 | -------------------------------------------------------------------------------- /Dockerfile.microos.dapper: -------------------------------------------------------------------------------- 1 | ARG TUMBLEWEED=opensuse/tumbleweed 2 | FROM ${TUMBLEWEED} 3 | ADD https://github.com/AkihiroSuda/clone3-workaround/releases/download/v1.0.0/clone3-workaround.x86_64 /bin/clone3-workaround 4 | RUN chmod +x /bin/clone3-workaround 5 | SHELL ["clone3-workaround", "/usr/bin/env", "bash","-c"] 6 | RUN zypper install -y container-selinux git rpm-build selinux-policy-devel 7 | 8 | 9 | ENV DAPPER_SOURCE /source 10 | ENV DAPPER_OUTPUT ./dist 11 | ENV DAPPER_ENV COMBARCH DRONE_TAG TAG 12 | 
ENV HOME ${DAPPER_SOURCE} 13 | WORKDIR ${DAPPER_SOURCE} 14 | 15 | ENTRYPOINT ["clone3-workaround", "./policy/microos/scripts/entry"] 16 | -------------------------------------------------------------------------------- /Dockerfile.slemicro.dapper: -------------------------------------------------------------------------------- 1 | ARG TUMBLEWEED=opensuse/tumbleweed 2 | FROM ${TUMBLEWEED} 3 | ADD https://github.com/AkihiroSuda/clone3-workaround/releases/download/v1.0.0/clone3-workaround.x86_64 /bin/clone3-workaround 4 | RUN chmod +x /bin/clone3-workaround 5 | SHELL ["clone3-workaround", "/usr/bin/env", "bash","-c"] 6 | RUN zypper install -y container-selinux git rpm-build selinux-policy-devel 7 | 8 | 9 | ENV DAPPER_SOURCE /source 10 | ENV DAPPER_OUTPUT ./dist 11 | ENV DAPPER_ENV COMBARCH DRONE_TAG TAG 12 | ENV HOME ${DAPPER_SOURCE} 13 | WORKDIR ${DAPPER_SOURCE} 14 | 15 | ENTRYPOINT ["clone3-workaround", "./policy/slemicro/scripts/entry"] 16 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. 
For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 
48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. 
Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 
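176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | -------------------------------------------------------------------------------- /Makefile: --------------------------------------------------------------------------------
# Per-distro targets are derived from the directory names under policy/
# (centos7, centos8, ...): build-<distro>, sign-<distro>, upload-<distro>.
UPLOAD_TARGETS := $(addprefix upload-,$(shell ls policy/))
BUILD_TARGETS := $(addprefix build-,$(shell ls policy/))
SIGN_TARGETS := $(addprefix sign-,$(shell ls policy/))

# Fetch the dapper CLI into ./.dapper (git-ignored) when it is missing.
# -f makes curl fail on an HTTP error instead of saving the error page as the
# binary that the next line then executes.
# NOTE(review): the download is unpinned ("latest") and not checksum-verified,
# and the binary runs immediately (-v); pinning a release and comparing against
# a known-good digest before executing it would close that gap.
.dapper:
	@echo Downloading dapper
	@curl -fsSL https://releases.rancher.com/dapper/latest/dapper-$$(uname -s)-$$(uname -m) > .dapper.tmp
	@chmod +x .dapper.tmp
	@./.dapper.tmp -v
	@mv .dapper.tmp .dapper

# build-<distro>: build the RPM inside that distro's own dapper image.
$(BUILD_TARGETS): .dapper
	./.dapper -f Dockerfile.$(@:build-%=%).dapper ./policy/$(@:build-%=%)/scripts/build

# sign-<distro> and upload-<distro> always run in the centos7 dapper image: it
# is the only Dockerfile whose DAPPER_ENV forwards the signing-key and AWS
# credential variables into the container (.drone.yml does the same).
$(SIGN_TARGETS): .dapper
	./.dapper -f Dockerfile.centos7.dapper ./policy/$(@:sign-%=%)/scripts/sign

$(UPLOAD_TARGETS): .dapper
	./.dapper -f Dockerfile.centos7.dapper ./policy/$(@:upload-%=%)/scripts/upload-repo

# Remove build output and dapper's temporary Dockerfile copies.
clean:
	rm -rf dist/ Dockerfile.*.dapper[0-9]*

.PHONY: $(UPLOAD_TARGETS) $(BUILD_TARGETS) $(SIGN_TARGETS) clean
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # k3s-selinux 2 | K3s selinux policy repository. 3 | 4 | ## Signing Keys 5 | 6 | - https://rpm.rancher.io/public.key 7 | - https://rpm-testing.rancher.io/public.key 8 | 9 | ## Versioning/Tagging 10 | 11 | The version parsing logic for `rancher/k3s-selinux` expects tags to be of a certain format (that directly correlates to RPM naming) 12 | 13 | The tag format should be as follows: `v{k3s-selinux-version}.{rpm channel}.{rpm release}` where 14 | 15 | k3s-selinux-version is like `0.1`, `0.2`, etc. 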
16 | rpm channel is like `testing`, `latest`, `stable` 17 | rpm release is like `1`, `2` 18 | 19 | rpm release should index from `1` for released RPM's 20 | 21 | The following list shows the expected tag to (example) transformation for RPM's 22 | 23 | |Tag|Tree State|Output RPM|RPM Channel|Notes| 24 | |:--|:---------|:---------|:----------|:----| 25 | | master (no tag) | Clean | `k3s-selinux-0.0~0d52f7d8-0.el7_8.noarch.rpm` | Testing || 26 | | master (no tag) | Dirty | `k3s-selinux-0.0~0d52f7d8-0.el7_8.noarch.rpm` | Testing || 27 | | v0.2.testing.1 | Clean | `k3s-selinux-0.2-1.el7_8.noarch.rpm` | Testing || 28 | | v0.2.latest.1 | Clean | `k3s-selinux-0.2-1.el7_8.noarch.rpm` | Latest || 29 | | v0.2.latest.2 | Clean | `k3s-selinux-0.2-2.el7_8.noarch.rpm` | Latest || 30 | -------------------------------------------------------------------------------- /policy/centos7/k3s-selinux.spec: -------------------------------------------------------------------------------- 1 | # vim: sw=4:ts=4:et 2 | 3 | %define k3s_relabel_files() \ 4 | mkdir -p /var/lib/cni; \ 5 | mkdir -p /var/lib/kubelet/pods; \ 6 | mkdir -p /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \ 7 | mkdir -p /var/lib/rancher/k3s/data; \ 8 | mkdir -p /var/run/flannel; \ 9 | mkdir -p /var/run/k3s; \ 10 | restorecon -R -i /etc/systemd/system/k3s.service; \ 11 | restorecon -R -i /usr/lib/systemd/system/k3s.service; \ 12 | restorecon -R /var/lib/cni; \ 13 | restorecon -R /var/lib/kubelet; \ 14 | restorecon -R /var/lib/rancher; \ 15 | restorecon -R /var/run/k3s; \ 16 | restorecon -R /var/run/flannel 17 | 18 | %define selinux_policyver 3.13.1-252 19 | %define container_policyver 2.107-3 20 | %define container_policy_epoch 2 21 | %define container_policy_schism 2.164.2 22 | 23 | Name: k3s-selinux 24 | Version: %{k3s_selinux_version} 25 | Release: %{k3s_selinux_release}.el7 26 | Summary: SELinux policy module for k3s 27 | 28 | Group: System Environment/Base 29 | License: ASL 2.0 
30 | URL: https://k3s.io 31 | Source0: k3s.pp 32 | Source1: k3s.if 33 | 34 | BuildArch: noarch 35 | BuildRequires: container-selinux >= %{container_policy_epoch}:%{container_policyver} 36 | BuildRequires: container-selinux < %{container_policy_epoch}:%{container_policy_schism} 37 | BuildRequires: git 38 | BuildRequires: selinux-policy >= %{selinux_policyver} 39 | BuildRequires: selinux-policy-devel >= %{selinux_policyver} 40 | 41 | Requires: policycoreutils, libselinux-utils 42 | Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils 43 | Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver} 44 | Requires(post): container-selinux < %{container_policy_epoch}:%{container_policy_schism} 45 | Requires(postun): policycoreutils 46 | 47 | Provides: %{name} = %{version}-%{release} 48 | Obsoletes: k3s-selinux <= 0.5 49 | Conflicts: rke2-selinux 50 | 51 | %description 52 | This package installs and sets up the SELinux policy security module for k3s. 
53 | 54 | %install 55 | install -d %{buildroot}%{_datadir}/selinux/packages 56 | install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages 57 | install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib 58 | install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/ 59 | install -d %{buildroot}/etc/selinux/targeted/contexts/users/ 60 | 61 | %pre 62 | %selinux_relabel_pre 63 | 64 | %post 65 | %selinux_modules_install %{_datadir}/selinux/packages/k3s.pp 66 | if /usr/sbin/selinuxenabled ; then 67 | /usr/sbin/load_policy 68 | %k3s_relabel_files 69 | fi; 70 | 71 | %postun 72 | if [ $1 -eq 0 ]; then 73 | %selinux_modules_uninstall k3s 74 | fi; 75 | 76 | %posttrans 77 | %selinux_relabel_post 78 | 79 | %files 80 | %attr(0600,root,root) %{_datadir}/selinux/packages/k3s.pp 81 | %{_datadir}/selinux/devel/include/contrib/k3s.if 82 | 83 | %changelog 84 | * Mon Feb 24 2020 Darren Shepherd 1.0-1 85 | - Initial version 86 | 87 | -------------------------------------------------------------------------------- /policy/centos7/k3s.fc: -------------------------------------------------------------------------------- 1 | # vim: sw=8:ts=8:et 2 | 3 | /etc/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0) 4 | /usr/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0) 5 | /usr/local/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0) 6 | /usr/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 7 | /usr/local/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 8 | /opt/bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 9 | /var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) 10 | /var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0) 11 | /var/lib/rancher/k3s(/.*)? 
gen_context(system_u:object_r:container_var_lib_t,s0) 12 | /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_share_t,s0) 13 | /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_share_t,s0) 14 | /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.* <> 15 | /var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0) 16 | /var/lib/rancher/k3s/data(/.*)? gen_context(system_u:object_r:k3s_data_t,s0) 17 | /var/lib/rancher/k3s/data/.lock -- gen_context(system_u:object_r:k3s_lock_t,s0) 18 | /var/lib/rancher/k3s/data/[^/]*/bin(/.*)? gen_context(system_u:object_r:k3s_root_t,s0) 19 | /var/lib/rancher/k3s/data/[^/]*/bin/[.]links -- gen_context(system_u:object_r:k3s_data_t,s0) 20 | /var/lib/rancher/k3s/data/[^/]*/bin/[.]sha256sums -- gen_context(system_u:object_r:k3s_data_t,s0) 21 | /var/lib/rancher/k3s/data/[^/]*/bin/cni -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 22 | /var/lib/rancher/k3s/data/[^/]*/bin/containerd -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 23 | /var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 24 | /var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim-runc-v[12] -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 25 | /var/lib/rancher/k3s/data/[^/]*/bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 26 | /var/lib/rancher/k3s/data/[^/]*/etc(/.*)? gen_context(system_u:object_r:container_config_t,s0) 27 | /var/lib/rancher/k3s/storage(/.*)? gen_context(system_u:object_r:container_file_t,s0) 28 | /var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) 29 | /var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0) 30 | /var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) 31 | /var/run/k3s(/.*)? 
gen_context(system_u:object_r:container_var_run_t,s0) 32 | /var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) 33 | -------------------------------------------------------------------------------- /policy/centos7/k3s.if: -------------------------------------------------------------------------------- 1 | ####################################################################### 2 | ## 3 | ## Creates types and rules for a k3s runtime domain. 4 | ## 5 | ## 6 | ## 7 | ## Prefix for the domain. 8 | ## 9 | ## 10 | # 11 | template(`k3s_runtime_domain_template',` 12 | gen_require(` 13 | attribute container_domain, exec_type; 14 | role system_r, sysadm_r; 15 | ') 16 | 17 | attribute $1_domain; 18 | type $1_t, $1_domain; 19 | role system_r types $1_t; 20 | role sysadm_r types $1_t; 21 | 22 | can_exec($1_t, exec_type) 23 | domain_type($1_t) 24 | domain_entry_file($1_domain, $1_t) 25 | 26 | admin_pattern(container_domain, $1_t) 27 | ') 28 | -------------------------------------------------------------------------------- /policy/centos7/k3s.te: -------------------------------------------------------------------------------- 1 | policy_module(k3s, 1.0.0) 2 | 3 | ##### type: k3s_data_t 4 | type k3s_data_t; 5 | files_type(k3s_data_t); 6 | 7 | ##### type: k3s_lock_t 8 | type k3s_lock_t; 9 | files_lock_file(k3s_lock_t); 10 | 11 | ##### type: k3s_root_t, attr: k3s_root_domain 12 | k3s_runtime_domain_template(k3s_root); 13 | 14 | gen_require(` 15 | attribute container_domain; 16 | type container_runtime_exec_t, container_runtime_t; 17 | type container_file_t, container_share_t; 18 | type container_var_lib_t, var_lib_t; 19 | type container_log_t, var_log_t; 20 | ') 21 | admin_pattern(container_domain, k3s_data_t) 22 | admin_pattern(container_domain, k3s_lock_t) 23 | files_lock_filetrans(container_domain, k3s_lock_t, { dir file }) 24 | filetrans_pattern(container_runtime_t, container_var_lib_t, k3s_data_t, dir, "data") 25 | 
filetrans_pattern(container_runtime_t, k3s_data_t, k3s_lock_t, file, ".lock") 26 | filetrans_pattern(container_runtime_t, k3s_data_t, k3s_root_t, dir, "bin") 27 | filetrans_pattern(container_runtime_t, k3s_root_t, k3s_data_t, file, ".links") 28 | filetrans_pattern(container_runtime_t, k3s_root_t, k3s_data_t, file, ".sha256sums") 29 | filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "cni") 30 | filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd") 31 | filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim") 32 | filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim-runc-v1") 33 | filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim-runc-v2") 34 | filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "runc") 35 | filetrans_pattern(container_runtime_t, container_var_lib_t, container_file_t, dir, "storage") 36 | #filetrans_pattern(container_runtime_t, container_var_lib_t, container_share_t, dir, "snapshots") 37 | filetrans_pattern(container_runtime_t, var_lib_t, container_var_lib_t, dir, "kubelet") 38 | filetrans_pattern(container_runtime_t, container_var_lib_t, container_file_t, dir, "pods") 39 | filetrans_pattern(container_runtime_t, var_log_t, container_log_t, dir, "containers") 40 | filetrans_pattern(container_runtime_t, var_log_t, container_log_t, dir, "pods") 41 | -------------------------------------------------------------------------------- /policy/centos7/scripts/build: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e -x 3 | 4 | cd $(dirname $0)/.. 5 | . 
./scripts/version 6 | 7 | make -f /usr/share/selinux/devel/Makefile k3s.pp 8 | 9 | rpmbuild \ 10 | --define "k3s_selinux_version ${RPM_VERSION}" \ 11 | --define "k3s_selinux_release ${RPM_RELEASE}" \ 12 | --define "_sourcedir $PWD" \ 13 | --define "_specdir $PWD" \ 14 | --define "_builddir $PWD" \ 15 | --define "_srcrpmdir ${PWD}/dist/source" \ 16 | --define "_buildrootdir $PWD/.build" \ 17 | --define "_rpmdir ${PWD}/dist" \ 18 | -ba k3s-selinux.spec 19 | 20 | #yum install -y dist/noarch/k3s-selinux-*.rpm 21 | #semodule --disable k3s 22 | #yum remove k3s-selinux 23 | mkdir -p /source/dist/centos7 24 | cp -r dist/* /source/dist/centos7 25 | -------------------------------------------------------------------------------- /policy/centos7/scripts/entry: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -ex 3 | 4 | if [ -e ./policy/centos7/scripts/"$1" ]; then 5 | ./policy/centos7/scripts/"$@" 6 | else 7 | exec "$@" 8 | fi 9 | 10 | if [ "$DAPPER_UID" -ne "-1" ]; then 11 | chown -R $DAPPER_UID:$DAPPER_GID . 12 | fi 13 | -------------------------------------------------------------------------------- /policy/centos7/scripts/sign: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e -x 3 | 4 | yum install -y rpm-sign expect git 5 | 6 | pushd $(dirname $0)/.. 7 | . ./scripts/version 8 | popd 9 | 10 | cat <<\EOF >~/.rpmmacros 11 | %_signature gpg 12 | %_gpg_name ci@rancher.com 13 | %__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename} 14 | %_source_filedigest_algorithm 8 15 | %_binary_filedigest_algorithm 8 16 | EOF 17 | 18 | case "$RPM_CHANNEL" in 19 | "testing") 20 | export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE 21 | if ! 
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then 22 | echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" 23 | exit 1 24 | fi 25 | gpg --import - <<<"$TESTING_PRIVATE_KEY" 26 | ;; 27 | "latest"|"stable") 28 | if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then 29 | echo "PRIVATE_KEY not defined, failing rpm sign" 30 | exit 1 31 | fi 32 | gpg --import - <<<"$PRIVATE_KEY" 33 | ;; 34 | *) 35 | echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" 36 | exit 1 37 | ;; 38 | esac 39 | 40 | expect <= %{container_policy_epoch}:%{container_policyver} 35 | BuildRequires: git 36 | BuildRequires: selinux-policy >= %{selinux_policyver} 37 | BuildRequires: selinux-policy-devel >= %{selinux_policyver} 38 | 39 | Requires: policycoreutils, libselinux-utils 40 | Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils 41 | Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver} 42 | Requires(postun): policycoreutils 43 | 44 | Provides: %{name} = %{version}-%{release} 45 | Obsoletes: k3s-selinux <= 0.5 46 | Conflicts: rke2-selinux 47 | 48 | %description 49 | This package installs and sets up the SELinux policy security module for k3s. 
50 | 51 | %install 52 | install -d %{buildroot}%{_datadir}/selinux/packages 53 | install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages 54 | install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib 55 | install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/ 56 | install -d %{buildroot}/etc/selinux/targeted/contexts/users/ 57 | 58 | %pre 59 | %selinux_relabel_pre 60 | 61 | %post 62 | %selinux_modules_install %{_datadir}/selinux/packages/k3s.pp 63 | if /usr/sbin/selinuxenabled ; then 64 | /usr/sbin/load_policy 65 | %k3s_relabel_files 66 | fi; 67 | 68 | %postun 69 | if [ $1 -eq 0 ]; then 70 | %selinux_modules_uninstall k3s 71 | fi; 72 | 73 | %posttrans 74 | %selinux_relabel_post 75 | 76 | %files 77 | %attr(0600,root,root) %{_datadir}/selinux/packages/k3s.pp 78 | %{_datadir}/selinux/devel/include/contrib/k3s.if 79 | 80 | %changelog 81 | * Mon Feb 24 2020 Darren Shepherd 1.0-1 82 | - Initial version 83 | 84 | -------------------------------------------------------------------------------- /policy/centos8/k3s.fc: -------------------------------------------------------------------------------- 1 | # vim: sw=8:ts=8:et 2 | 3 | /etc/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0) 4 | /usr/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0) 5 | /usr/local/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0) 6 | /usr/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 7 | /usr/local/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 8 | /opt/bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 9 | /var/lib/rancher/k3s(/.*)? 
gen_context(system_u:object_r:container_var_lib_t,s0) 10 | /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_file_t,s0) 11 | /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_file_t,s0) 12 | /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.* <> 13 | /var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0) 14 | /var/lib/rancher/k3s/data(/.*)? gen_context(system_u:object_r:k3s_data_t,s0) 15 | /var/lib/rancher/k3s/data/.lock -- gen_context(system_u:object_r:k3s_lock_t,s0) 16 | /var/lib/rancher/k3s/data/[^/]*/bin(/.*)? gen_context(system_u:object_r:k3s_root_t,s0) 17 | /var/lib/rancher/k3s/data/[^/]*/bin/[.]links -- gen_context(system_u:object_r:k3s_data_t,s0) 18 | /var/lib/rancher/k3s/data/[^/]*/bin/[.]sha256sums -- gen_context(system_u:object_r:k3s_data_t,s0) 19 | /var/lib/rancher/k3s/data/[^/]*/bin/cni -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 20 | /var/lib/rancher/k3s/data/[^/]*/bin/containerd -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 21 | /var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 22 | /var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim-runc-v[12] -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 23 | /var/lib/rancher/k3s/data/[^/]*/bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 24 | /var/lib/rancher/k3s/data/[^/]*/etc(/.*)? gen_context(system_u:object_r:container_config_t,s0) 25 | /var/lib/rancher/k3s/storage(/.*)? gen_context(system_u:object_r:container_file_t,s0) 26 | /var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) 27 | /var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? 
gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) 28 | -------------------------------------------------------------------------------- /policy/centos8/k3s.if: -------------------------------------------------------------------------------- 1 | ####################################################################### 2 | ## 3 | ## Creates types and rules for a k3s runtime domain. 4 | ## 5 | ## 6 | ## 7 | ## Prefix for the domain. 8 | ## 9 | ## 10 | # 11 | template(`k3s_runtime_domain_template',` 12 | gen_require(` 13 | attribute container_runtime_domain, exec_type; 14 | role system_r, sysadm_r; 15 | ') 16 | 17 | attribute $1_domain; 18 | type $1_t, $1_domain; 19 | role system_r types $1_t; 20 | role sysadm_r types $1_t; 21 | 22 | can_exec($1_t, exec_type) 23 | domain_type($1_t) 24 | domain_entry_file($1_domain, $1_t) 25 | 26 | admin_pattern(container_runtime_domain, $1_t) 27 | ') 28 | -------------------------------------------------------------------------------- /policy/centos8/k3s.te: -------------------------------------------------------------------------------- 1 | policy_module(k3s, 1.0.0) 2 | 3 | ##### type: k3s_data_t 4 | type k3s_data_t; 5 | files_type(k3s_data_t); 6 | 7 | ##### type: k3s_lock_t 8 | type k3s_lock_t; 9 | files_lock_file(k3s_lock_t) 10 | 11 | ##### type: k3s_root_t, attr: k3s_root_domain 12 | k3s_runtime_domain_template(k3s_root) 13 | 14 | gen_require(` 15 | attribute container_runtime_domain; 16 | type container_runtime_exec_t, container_runtime_t; 17 | type container_file_t, container_share_t; 18 | type container_var_lib_t, var_lib_t; 19 | type container_log_t, var_log_t; 20 | ') 21 | admin_pattern(container_runtime_domain, k3s_data_t) 22 | admin_pattern(container_runtime_domain, k3s_lock_t) 23 | files_lock_filetrans(container_runtime_domain, k3s_lock_t, { dir file }) 24 | filetrans_pattern(container_runtime_t, container_var_lib_t, k3s_data_t, dir, "data") 25 | filetrans_pattern(container_runtime_t, k3s_data_t, k3s_lock_t, file, 
".lock") 26 | filetrans_pattern(container_runtime_t, k3s_data_t, k3s_root_t, dir, "bin") 27 | filetrans_pattern(container_runtime_t, k3s_root_t, k3s_data_t, file, ".links") 28 | filetrans_pattern(container_runtime_t, k3s_root_t, k3s_data_t, file, ".sha256sums") 29 | filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "cni") 30 | filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd") 31 | filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim") 32 | filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim-runc-v1") 33 | filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim-runc-v2") 34 | filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "runc") 35 | filetrans_pattern(container_runtime_t, container_var_lib_t, container_file_t, dir, "storage") 36 | #filetrans_pattern(container_runtime_t, container_var_lib_t, container_file_t, dir, "snapshots") 37 | filetrans_pattern(container_runtime_t, var_lib_t, container_var_lib_t, dir, "kubelet") 38 | filetrans_pattern(container_runtime_t, container_var_lib_t, container_file_t, dir, "pods") 39 | filetrans_pattern(container_runtime_t, var_log_t, container_log_t, dir, "containers") 40 | filetrans_pattern(container_runtime_t, var_log_t, container_log_t, dir, "pods") 41 | -------------------------------------------------------------------------------- /policy/centos8/scripts/build: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e -x 3 | 4 | cd $(dirname $0)/.. 5 | . 
./scripts/version 6 | 7 | make -f /usr/share/selinux/devel/Makefile k3s.pp 8 | 9 | rpmbuild \ 10 | --define "k3s_selinux_version ${RPM_VERSION}" \ 11 | --define "k3s_selinux_release ${RPM_RELEASE}" \ 12 | --define "_sourcedir $PWD" \ 13 | --define "_specdir $PWD" \ 14 | --define "_builddir $PWD" \ 15 | --define "_srcrpmdir ${PWD}/dist/source" \ 16 | --define "_buildrootdir $PWD/.build" \ 17 | --define "_rpmdir ${PWD}/dist" \ 18 | -ba k3s-selinux.spec 19 | 20 | #dnf install -y dist/noarch/k3s-selinux-*.rpm 21 | #semodule --disable k3s 22 | #dnf remove k3s-selinux 23 | mkdir -p /source/dist/centos8 24 | cp -r dist/* /source/dist/centos8 25 | -------------------------------------------------------------------------------- /policy/centos8/scripts/entry: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -ex 3 | 4 | if [ -e ./policy/centos8/scripts/"$1" ]; then 5 | ./policy/centos8/scripts/"$@" 6 | else 7 | exec "$@" 8 | fi 9 | 10 | if [ "$DAPPER_UID" -ne "-1" ]; then 11 | chown -R $DAPPER_UID:$DAPPER_GID . 12 | fi 13 | -------------------------------------------------------------------------------- /policy/centos8/scripts/sign: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e -x 3 | 4 | yum install -y rpm-sign expect git 5 | 6 | pushd $(dirname $0)/.. 7 | . ./scripts/version 8 | popd 9 | 10 | cat <<\EOF >~/.rpmmacros 11 | %_signature gpg 12 | %_gpg_name ci@rancher.com 13 | %__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename} 14 | %_source_filedigest_algorithm 8 15 | %_binary_filedigest_algorithm 8 16 | EOF 17 | 18 | case "$RPM_CHANNEL" in 19 | "testing") 20 | export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE 21 | if ! 
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then 22 | echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" 23 | exit 1 24 | fi 25 | gpg --import - <<<"$TESTING_PRIVATE_KEY" 26 | ;; 27 | "latest"|"stable") 28 | if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then 29 | echo "PRIVATE_KEY not defined, failing rpm sign" 30 | exit 1 31 | fi 32 | gpg --import - <<<"$PRIVATE_KEY" 33 | ;; 34 | *) 35 | echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" 36 | exit 1 37 | ;; 38 | esac 39 | 40 | expect <= %{container_policy_epoch}:%{container_policyver} 35 | BuildRequires: git 36 | BuildRequires: selinux-policy >= %{selinux_policyver} 37 | BuildRequires: selinux-policy-devel >= %{selinux_policyver} 38 | 39 | Requires: policycoreutils, libselinux-utils 40 | Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils 41 | Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver} 42 | Requires(postun): policycoreutils 43 | 44 | Provides: %{name} = %{version}-%{release} 45 | Obsoletes: k3s-selinux <= 0.5 46 | Conflicts: rke2-selinux 47 | 48 | %description 49 | This package installs and sets up the SELinux policy security module for k3s. 
50 | 51 | %install 52 | install -d %{buildroot}%{_datadir}/selinux/packages 53 | install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages 54 | install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib 55 | install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/ 56 | install -d %{buildroot}/etc/selinux/targeted/contexts/users/ 57 | 58 | %pre 59 | %selinux_relabel_pre 60 | 61 | %post 62 | %selinux_modules_install %{_datadir}/selinux/packages/k3s.pp 63 | if /usr/sbin/selinuxenabled ; then 64 | /usr/sbin/load_policy 65 | %k3s_relabel_files 66 | fi; 67 | 68 | %postun 69 | if [ $1 -eq 0 ]; then 70 | %selinux_modules_uninstall k3s 71 | fi; 72 | 73 | %posttrans 74 | %selinux_relabel_post 75 | 76 | %files 77 | %attr(0600,root,root) %{_datadir}/selinux/packages/k3s.pp 78 | %{_datadir}/selinux/devel/include/contrib/k3s.if 79 | 80 | %changelog 81 | * Mon Feb 24 2020 Darren Shepherd 1.0-1 82 | - Initial version 83 | 84 | -------------------------------------------------------------------------------- /policy/centos9/k3s.fc: -------------------------------------------------------------------------------- 1 | # vim: sw=8:ts=8:et 2 | 3 | /etc/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0) 4 | /usr/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0) 5 | /usr/local/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0) 6 | /usr/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 7 | /usr/local/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 8 | /opt/bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 9 | /var/lib/rancher/k3s(/.*)? 
gen_context(system_u:object_r:container_var_lib_t,s0) 10 | /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_file_t,s0) 11 | /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_file_t,s0) 12 | /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.* <> 13 | /var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0) 14 | /var/lib/rancher/k3s/data(/.*)? gen_context(system_u:object_r:k3s_data_t,s0) 15 | /var/lib/rancher/k3s/data/.lock -- gen_context(system_u:object_r:k3s_lock_t,s0) 16 | /var/lib/rancher/k3s/data/[^/]*/bin(/.*)? gen_context(system_u:object_r:k3s_root_t,s0) 17 | /var/lib/rancher/k3s/data/[^/]*/bin/[.]links -- gen_context(system_u:object_r:k3s_data_t,s0) 18 | /var/lib/rancher/k3s/data/[^/]*/bin/[.]sha256sums -- gen_context(system_u:object_r:k3s_data_t,s0) 19 | /var/lib/rancher/k3s/data/[^/]*/bin/cni -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 20 | /var/lib/rancher/k3s/data/[^/]*/bin/containerd -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 21 | /var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 22 | /var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim-runc-v[12] -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 23 | /var/lib/rancher/k3s/data/[^/]*/bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 24 | /var/lib/rancher/k3s/data/[^/]*/etc(/.*)? gen_context(system_u:object_r:container_config_t,s0) 25 | /var/lib/rancher/k3s/storage(/.*)? gen_context(system_u:object_r:container_file_t,s0) 26 | /var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) 27 | /var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? 
gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) 28 | -------------------------------------------------------------------------------- /policy/centos9/k3s.if: -------------------------------------------------------------------------------- 1 | ####################################################################### 2 | ## 3 | ## Creates types and rules for a k3s runtime domain. 4 | ## 5 | ## 6 | ## 7 | ## Prefix for the domain. 8 | ## 9 | ## 10 | # 11 | template(`k3s_runtime_domain_template',` 12 | gen_require(` 13 | attribute container_runtime_domain, exec_type; 14 | role system_r, sysadm_r; 15 | ') 16 | 17 | attribute $1_domain; 18 | type $1_t, $1_domain; 19 | role system_r types $1_t; 20 | role sysadm_r types $1_t; 21 | 22 | can_exec($1_t, exec_type) 23 | domain_type($1_t) 24 | domain_entry_file($1_domain, $1_t) 25 | 26 | admin_pattern(container_runtime_domain, $1_t) 27 | ') 28 | -------------------------------------------------------------------------------- /policy/centos9/k3s.te: -------------------------------------------------------------------------------- 1 | policy_module(k3s, 1.0.0) 2 | 3 | ##### type: k3s_data_t 4 | type k3s_data_t; 5 | files_type(k3s_data_t); 6 | 7 | ##### type: k3s_lock_t 8 | type k3s_lock_t; 9 | files_lock_file(k3s_lock_t) 10 | 11 | ##### type: k3s_root_t, attr: k3s_root_domain 12 | k3s_runtime_domain_template(k3s_root) 13 | 14 | gen_require(` 15 | attribute container_runtime_domain; 16 | type container_runtime_exec_t, container_runtime_t; 17 | type container_file_t, container_share_t; 18 | type container_var_lib_t, var_lib_t; 19 | type container_log_t, var_log_t; 20 | ') 21 | admin_pattern(container_runtime_domain, k3s_data_t) 22 | admin_pattern(container_runtime_domain, k3s_lock_t) 23 | files_lock_filetrans(container_runtime_domain, k3s_lock_t, { dir file }) 24 | filetrans_pattern(container_runtime_t, container_var_lib_t, k3s_data_t, dir, "data") 25 | filetrans_pattern(container_runtime_t, k3s_data_t, k3s_lock_t, file, 
".lock") 26 | filetrans_pattern(container_runtime_t, k3s_data_t, k3s_root_t, dir, "bin") 27 | filetrans_pattern(container_runtime_t, k3s_root_t, k3s_data_t, file, ".links") 28 | filetrans_pattern(container_runtime_t, k3s_root_t, k3s_data_t, file, ".sha256sums") 29 | filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "cni") 30 | filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd") 31 | filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim") 32 | filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim-runc-v1") 33 | filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim-runc-v2") 34 | filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "runc") 35 | filetrans_pattern(container_runtime_t, container_var_lib_t, container_file_t, dir, "storage") 36 | #filetrans_pattern(container_runtime_t, container_var_lib_t, container_file_t, dir, "snapshots") 37 | filetrans_pattern(container_runtime_t, var_lib_t, container_var_lib_t, dir, "kubelet") 38 | filetrans_pattern(container_runtime_t, container_var_lib_t, container_file_t, dir, "pods") 39 | filetrans_pattern(container_runtime_t, var_log_t, container_log_t, dir, "containers") 40 | filetrans_pattern(container_runtime_t, var_log_t, container_log_t, dir, "pods") 41 | -------------------------------------------------------------------------------- /policy/centos9/scripts/build: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e -x 3 | 4 | cd $(dirname $0)/.. 5 | . 
./scripts/version 6 | 7 | make -f /usr/share/selinux/devel/Makefile k3s.pp 8 | 9 | rpmbuild \ 10 | --define "k3s_selinux_version ${RPM_VERSION}" \ 11 | --define "k3s_selinux_release ${RPM_RELEASE}" \ 12 | --define "_sourcedir $PWD" \ 13 | --define "_specdir $PWD" \ 14 | --define "_builddir $PWD" \ 15 | --define "_srcrpmdir ${PWD}/dist/source" \ 16 | --define "_buildrootdir $PWD/.build" \ 17 | --define "_rpmdir ${PWD}/dist" \ 18 | -ba k3s-selinux.spec 19 | 20 | #dnf install -y dist/noarch/k3s-selinux-*.rpm 21 | #semodule --disable k3s 22 | #dnf remove k3s-selinux 23 | mkdir -p /source/dist/centos9 24 | cp -r dist/* /source/dist/centos9 25 | -------------------------------------------------------------------------------- /policy/centos9/scripts/entry: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -ex 3 | 4 | if [ -e ./policy/centos9/scripts/"$1" ]; then 5 | ./policy/centos9/scripts/"$@" 6 | else 7 | exec "$@" 8 | fi 9 | 10 | if [ "$DAPPER_UID" -ne "-1" ]; then 11 | chown -R $DAPPER_UID:$DAPPER_GID . 12 | fi 13 | -------------------------------------------------------------------------------- /policy/centos9/scripts/sign: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e -x 3 | 4 | yum install -y rpm-sign expect git 5 | 6 | pushd $(dirname $0)/.. 7 | . ./scripts/version 8 | popd 9 | 10 | cat <<\EOF >~/.rpmmacros 11 | %_signature gpg 12 | %_gpg_name ci@rancher.com 13 | %__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename} 14 | %_source_filedigest_algorithm 8 15 | %_binary_filedigest_algorithm 8 16 | EOF 17 | 18 | case "$RPM_CHANNEL" in 19 | "testing") 20 | export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE 21 | if ! 
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then 22 | echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" 23 | exit 1 24 | fi 25 | gpg --import - <<<"$TESTING_PRIVATE_KEY" 26 | ;; 27 | "latest"|"stable") 28 | if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then 29 | echo "PRIVATE_KEY not defined, failing rpm sign" 30 | exit 1 31 | fi 32 | gpg --import - <<<"$PRIVATE_KEY" 33 | ;; 34 | *) 35 | echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" 36 | exit 1 37 | ;; 38 | esac 39 | 40 | expect <= %{container_policy_epoch}:%{container_policyver} 35 | BuildRequires: git 36 | BuildRequires: selinux-policy >= %{selinux_policyver} 37 | BuildRequires: selinux-policy-devel >= %{selinux_policyver} 38 | 39 | Requires: policycoreutils, libselinux-utils 40 | Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils 41 | Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver} 42 | Requires(postun): policycoreutils 43 | 44 | Provides: %{name} = %{version}-%{release} 45 | Obsoletes: k3s-selinux <= 0.5 46 | Conflicts: rke2-selinux 47 | 48 | %description 49 | This package installs and sets up the SELinux policy security module for k3s. 
50 | 51 | %install 52 | install -d %{buildroot}%{_datadir}/selinux/packages 53 | install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages 54 | install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib 55 | install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/ 56 | install -d %{buildroot}/etc/selinux/targeted/contexts/users/ 57 | 58 | %pre 59 | %selinux_relabel_pre 60 | 61 | %post 62 | %selinux_modules_install %{_datadir}/selinux/packages/k3s.pp 63 | if /usr/sbin/selinuxenabled ; then 64 | /usr/sbin/load_policy 65 | %k3s_relabel_files 66 | fi; 67 | 68 | %postun 69 | if [ $1 -eq 0 ]; then 70 | %selinux_modules_uninstall k3s 71 | fi; 72 | 73 | %posttrans 74 | %selinux_relabel_post 75 | 76 | %files 77 | %attr(0600,root,root) %{_datadir}/selinux/packages/k3s.pp 78 | %{_datadir}/selinux/devel/include/contrib/k3s.if 79 | 80 | %changelog 81 | * Mon Feb 24 2020 Darren Shepherd 1.0-1 82 | - Initial version 83 | 84 | -------------------------------------------------------------------------------- /policy/coreos/k3s.fc: -------------------------------------------------------------------------------- 1 | # vim: sw=8:ts=8:et 2 | 3 | /etc/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0) 4 | /usr/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0) 5 | /usr/local/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0) 6 | /usr/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 7 | /usr/local/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 8 | /opt/bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 9 | /var/lib/rancher/k3s(/.*)? 
gen_context(system_u:object_r:container_var_lib_t,s0) 10 | /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_file_t,s0) 11 | /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_file_t,s0) 12 | /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.* <> 13 | /var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0) 14 | /var/lib/rancher/k3s/data(/.*)? gen_context(system_u:object_r:k3s_data_t,s0) 15 | /var/lib/rancher/k3s/data/.lock -- gen_context(system_u:object_r:k3s_lock_t,s0) 16 | /var/lib/rancher/k3s/data/[^/]*/bin(/.*)? gen_context(system_u:object_r:k3s_root_t,s0) 17 | /var/lib/rancher/k3s/data/[^/]*/bin/[.]links -- gen_context(system_u:object_r:k3s_data_t,s0) 18 | /var/lib/rancher/k3s/data/[^/]*/bin/[.]sha256sums -- gen_context(system_u:object_r:k3s_data_t,s0) 19 | /var/lib/rancher/k3s/data/[^/]*/bin/cni -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 20 | /var/lib/rancher/k3s/data/[^/]*/bin/containerd -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 21 | /var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 22 | /var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim-runc-v[12] -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 23 | /var/lib/rancher/k3s/data/[^/]*/bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 24 | /var/lib/rancher/k3s/data/[^/]*/etc(/.*)? gen_context(system_u:object_r:container_config_t,s0) 25 | /var/lib/rancher/k3s/storage(/.*)? gen_context(system_u:object_r:container_file_t,s0) 26 | /var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) 27 | /var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? 
gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)

-------------------------------------------------------------------------------- /policy/coreos/k3s.if: --------------------------------------------------------------------------------
#######################################################################
## <summary>
##	Creates types and rules for a k3s runtime domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
template(`k3s_runtime_domain_template',`
	gen_require(`
		attribute container_runtime_domain, exec_type;
		role system_r, sysadm_r;
	')

	# The new type carries the $1_domain attribute and is usable from the
	# system and sysadm roles.
	attribute $1_domain;
	type $1_t, $1_domain;
	role system_r types $1_t;
	role sysadm_r types $1_t;

	# $1_t may execute any file type that carries the exec_type attribute.
	can_exec($1_t, exec_type)
	domain_type($1_t)
	# $1_t is both a domain and the entry-point file type for $1_domain:
	# files labelled $1_t (the data/*/bin tree in k3s.fc) are the executables
	# that enter this domain.
	domain_entry_file($1_domain, $1_t)

	# Container runtime domains get full management rights over $1_t objects.
	admin_pattern(container_runtime_domain, $1_t)
')

-------------------------------------------------------------------------------- /policy/coreos/k3s.te: --------------------------------------------------------------------------------
policy_module(k3s, 1.0.0)

##### type: k3s_data_t
# Generic file type for the k3s data tree (/var/lib/rancher/k3s/data in k3s.fc).
type k3s_data_t;
files_type(k3s_data_t);

##### type: k3s_lock_t
# Lock-file type for data/.lock.
type k3s_lock_t;
files_lock_file(k3s_lock_t)

##### type: k3s_root_t, attr: k3s_root_domain
# Expands the template from k3s.if: declares attribute k3s_root_domain and
# type k3s_root_t, which is both a domain and its own entry-point file type.
k3s_runtime_domain_template(k3s_root)

# Types and attributes borrowed from container-selinux and the base policy.
gen_require(`
	attribute container_runtime_domain;
	type container_runtime_exec_t, container_runtime_t;
	type container_file_t, container_share_t;
	type container_var_lib_t, var_lib_t;
	type container_log_t, var_log_t;
')
# Container runtime domains fully manage the k3s data tree and its lock file.
admin_pattern(container_runtime_domain, k3s_data_t)
admin_pattern(container_runtime_domain, k3s_lock_t)
# Lock objects the runtime creates in the lock directory presumably become k3s_lock_t.
files_lock_filetrans(container_runtime_domain, k3s_lock_t, { dir file })
# Name-based type transitions (source domain, parent type, new type, class,
# file name) so objects the runtime creates at run time get the same labels
# k3s.fc assigns on relabel.
filetrans_pattern(container_runtime_t, container_var_lib_t, k3s_data_t, dir, "data")
filetrans_pattern(container_runtime_t, k3s_data_t, k3s_lock_t, file, ".lock")
filetrans_pattern(container_runtime_t, k3s_data_t, k3s_root_t, dir, "bin")
filetrans_pattern(container_runtime_t, k3s_root_t, k3s_data_t, file, ".links")
filetrans_pattern(container_runtime_t, k3s_root_t, k3s_data_t, file, ".sha256sums")
# Files with these names created under a k3s_root_t directory are typed
# container_runtime_exec_t, the same type k3s.fc gives the k3s binary itself.
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "cni")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim-runc-v1")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim-runc-v2")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "runc")
filetrans_pattern(container_runtime_t, container_var_lib_t, container_file_t, dir, "storage")
# The snapshots transition is disabled; k3s.fc labels the snapshots tree explicitly instead.
#filetrans_pattern(container_runtime_t, container_var_lib_t, container_file_t, dir, "snapshots")
filetrans_pattern(container_runtime_t, var_lib_t, container_var_lib_t, dir, "kubelet")
filetrans_pattern(container_runtime_t, container_var_lib_t, container_file_t, dir, "pods")
filetrans_pattern(container_runtime_t, var_log_t, container_log_t, dir, "containers")
filetrans_pattern(container_runtime_t, var_log_t, container_log_t, dir, "pods")

-------------------------------------------------------------------------------- /policy/coreos/scripts/build: --------------------------------------------------------------------------------
#!/bin/bash
set -e -x

cd $(dirname $0)/..
.
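./scripts/version
# RPM_VERSION and RPM_RELEASE are expected to be set by scripts/version (sourced just above).

make -f /usr/share/selinux/devel/Makefile k3s.pp

# Build the source and binary RPMs with every rpmbuild directory redirected
# under the checkout, so the build is self-contained and its output lands in dist/.
rpmbuild \
    --define "k3s_selinux_version ${RPM_VERSION}" \
    --define "k3s_selinux_release ${RPM_RELEASE}" \
    --define "_sourcedir $PWD" \
    --define "_specdir $PWD" \
    --define "_builddir $PWD" \
    --define "_srcrpmdir ${PWD}/dist/source" \
    --define "_buildrootdir $PWD/.build" \
    --define "_rpmdir ${PWD}/dist" \
    -ba k3s-selinux.spec

#dnf install -y dist/noarch/k3s-selinux-*.rpm
#semodule --disable k3s
#dnf remove k3s-selinux
# Publish the build output into the per-distro tree under /source.
mkdir -p /source/dist/coreos
cp -r dist/* /source/dist/coreos

-------------------------------------------------------------------------------- /policy/coreos/scripts/entry: --------------------------------------------------------------------------------
#!/bin/sh
# Dapper entrypoint: run a named script from policy/coreos/scripts, or exec an
# arbitrary command; afterwards hand ownership of the checkout back to the host user.
set -ex

# Give the tree back to the host user. DAPPER_UID/DAPPER_GID are presumably
# injected by dapper; -1 (or unset, which now defaults to -1 instead of
# tripping an "integer expression expected" error from [) means leave ownership alone.
restore_owner() {
    if [ "${DAPPER_UID:--1}" -ne -1 ]; then
        chown -R "${DAPPER_UID}:${DAPPER_GID}" .
    fi
}

if [ -e ./policy/coreos/scripts/"$1" ]; then
    # Registered as an EXIT trap so a failing script (set -e) still restores
    # ownership instead of leaving root-owned files behind on the bind mount.
    trap restore_owner EXIT
    ./policy/coreos/scripts/"$@"
else
    # exec replaces this shell, so no ownership fix-up runs on this path.
    exec "$@"
fi

-------------------------------------------------------------------------------- /policy/coreos/scripts/sign: --------------------------------------------------------------------------------
#!/bin/bash
# NOTE(review): xtrace stays on for the whole script; bash may echo the expanded
# contents of here-strings (the PGP private key imported further down) into the
# CI log. Consider wrapping the key handling in set +x / set -x. TODO confirm.
set -e -x

yum install -y rpm-sign expect git

pushd $(dirname $0)/..
. ./scripts/version
popd

# Sign with the CI key; digest algorithm 8 is SHA-256 for both source and binary file digests.
cat <<\EOF >~/.rpmmacros
%_signature gpg
%_gpg_name ci@rancher.com
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
%_source_filedigest_algorithm 8
%_binary_filedigest_algorithm 8
EOF

# RPM_CHANNEL selects which key/passphrase pair is used; anything else aborts the signing step.
case "$RPM_CHANNEL" in
"testing")
    export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
    if !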
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then 22 | echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" 23 | exit 1 24 | fi 25 | gpg --import - <<<"$TESTING_PRIVATE_KEY" 26 | ;; 27 | "latest"|"stable") 28 | if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then 29 | echo "PRIVATE_KEY not defined, failing rpm sign" 30 | exit 1 31 | fi 32 | gpg --import - <<<"$PRIVATE_KEY" 33 | ;; 34 | *) 35 | echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" 36 | exit 1 37 | ;; 38 | esac 39 | 40 | expect <= %{container_policyver} 34 | BuildRequires: git 35 | BuildRequires: selinux-policy >= %{selinux_policyver} 36 | BuildRequires: selinux-policy-devel >= %{selinux_policyver} 37 | 38 | Requires: policycoreutils, selinux-tools 39 | Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils, container-selinux >= %{container_policyver} 40 | Requires(postun): policycoreutils 41 | 42 | Provides: %{name} = %{version}-%{release} 43 | Obsoletes: k3s-selinux <= 0.5 44 | Conflicts: rke2-selinux 45 | 46 | %description 47 | This package installs and sets up the SELinux policy security module for k3s. 
48 | 49 | %install 50 | install -d %{buildroot}%{_datadir}/selinux/packages 51 | install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages 52 | install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib 53 | install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/ 54 | install -d %{buildroot}/etc/selinux/targeted/contexts/users/ 55 | 56 | %pre 57 | %selinux_relabel_pre 58 | 59 | %post 60 | %selinux_modules_install %{_datadir}/selinux/packages/k3s.pp 61 | if /usr/sbin/selinuxenabled ; then 62 | /usr/sbin/load_policy 63 | %k3s_relabel_files 64 | fi; 65 | 66 | %postun 67 | if [ $1 -eq 0 ]; then 68 | %selinux_modules_uninstall k3s 69 | fi; 70 | 71 | %posttrans 72 | %selinux_relabel_post 73 | 74 | %files 75 | %attr(0600,root,root) %{_datadir}/selinux/packages/k3s.pp 76 | %{_datadir}/selinux/devel/include/contrib/k3s.if 77 | 78 | %changelog 79 | * Mon Feb 24 2020 Darren Shepherd 1.0-1 80 | - Initial version 81 | 82 | -------------------------------------------------------------------------------- /policy/microos/k3s.fc: -------------------------------------------------------------------------------- 1 | # vim: sw=8:ts=8:et 2 | 3 | /etc/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0) 4 | /usr/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0) 5 | /usr/local/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0) 6 | /usr/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 7 | /usr/local/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 8 | /opt/bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 9 | /var/lib/rancher/k3s(/.*)? 
gen_context(system_u:object_r:container_var_lib_t,s0) 10 | /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_file_t,s0) 11 | /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_file_t,s0) 12 | /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.* <> 13 | /var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0) 14 | /var/lib/rancher/k3s/data(/.*)? gen_context(system_u:object_r:k3s_data_t,s0) 15 | /var/lib/rancher/k3s/data/.lock -- gen_context(system_u:object_r:k3s_lock_t,s0) 16 | /var/lib/rancher/k3s/data/[^/]*/bin(/.*)? gen_context(system_u:object_r:k3s_root_t,s0) 17 | /var/lib/rancher/k3s/data/[^/]*/bin/[.]links -- gen_context(system_u:object_r:k3s_data_t,s0) 18 | /var/lib/rancher/k3s/data/[^/]*/bin/[.]sha256sums -- gen_context(system_u:object_r:k3s_data_t,s0) 19 | /var/lib/rancher/k3s/data/[^/]*/bin/cni -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 20 | /var/lib/rancher/k3s/data/[^/]*/bin/containerd -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 21 | /var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 22 | /var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim-runc-v[12] -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 23 | /var/lib/rancher/k3s/data/[^/]*/bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 24 | /var/lib/rancher/k3s/data/[^/]*/etc(/.*)? gen_context(system_u:object_r:container_config_t,s0) 25 | /var/lib/rancher/k3s/storage(/.*)? gen_context(system_u:object_r:container_file_t,s0) 26 | /var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) 27 | /var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? 
gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)

-------------------------------------------------------------------------------- /policy/microos/k3s.if: --------------------------------------------------------------------------------
#######################################################################
## <summary>
##	Creates types and rules for a k3s runtime domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
template(`k3s_runtime_domain_template',`
	gen_require(`
		attribute container_runtime_domain, exec_type;
		role system_r, sysadm_r;
	')

	# The new type carries the $1_domain attribute and is usable from the
	# system and sysadm roles.
	attribute $1_domain;
	type $1_t, $1_domain;
	role system_r types $1_t;
	role sysadm_r types $1_t;

	# $1_t may execute any file type that carries the exec_type attribute.
	can_exec($1_t, exec_type)
	domain_type($1_t)
	# $1_t is both a domain and the entry-point file type for $1_domain:
	# files labelled $1_t (the data/*/bin tree in k3s.fc) are the executables
	# that enter this domain.
	domain_entry_file($1_domain, $1_t)

	# Container runtime domains get full management rights over $1_t objects.
	admin_pattern(container_runtime_domain, $1_t)
')

-------------------------------------------------------------------------------- /policy/microos/k3s.te: --------------------------------------------------------------------------------
policy_module(k3s, 1.0.0)

##### type: k3s_data_t
# Generic file type for the k3s data tree (/var/lib/rancher/k3s/data in k3s.fc).
type k3s_data_t;
files_type(k3s_data_t);

##### type: k3s_lock_t
# Lock-file type for data/.lock.
type k3s_lock_t;
files_lock_file(k3s_lock_t)

##### type: k3s_root_t, attr: k3s_root_domain
# Expands the template from k3s.if: declares attribute k3s_root_domain and
# type k3s_root_t, which is both a domain and its own entry-point file type.
k3s_runtime_domain_template(k3s_root)

# Types and attributes borrowed from container-selinux and the base policy.
gen_require(`
	attribute container_runtime_domain;
	type container_runtime_exec_t, container_runtime_t;
	type container_file_t, container_share_t;
	type container_var_lib_t, var_lib_t;
	type container_log_t, var_log_t;
')
# Container runtime domains fully manage the k3s data tree and its lock file.
admin_pattern(container_runtime_domain, k3s_data_t)
admin_pattern(container_runtime_domain, k3s_lock_t)
# Lock objects the runtime creates in the lock directory presumably become k3s_lock_t.
files_lock_filetrans(container_runtime_domain, k3s_lock_t, { dir file })
# Name-based type transitions (source domain, parent type, new type, class,
# file name) so objects the runtime creates at run time get the same labels
# k3s.fc assigns on relabel.
filetrans_pattern(container_runtime_t, container_var_lib_t, k3s_data_t, dir, "data")
filetrans_pattern(container_runtime_t, k3s_data_t, k3s_lock_t, file, ".lock")
filetrans_pattern(container_runtime_t, k3s_data_t, k3s_root_t, dir, "bin")
filetrans_pattern(container_runtime_t, k3s_root_t, k3s_data_t, file, ".links")
filetrans_pattern(container_runtime_t, k3s_root_t, k3s_data_t, file, ".sha256sums")
# Files with these names created under a k3s_root_t directory are typed
# container_runtime_exec_t, the same type k3s.fc gives the k3s binary itself.
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "cni")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim-runc-v1")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim-runc-v2")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "runc")
filetrans_pattern(container_runtime_t, container_var_lib_t, container_file_t, dir, "storage")
# The snapshots transition is disabled; k3s.fc labels the snapshots tree explicitly instead.
#filetrans_pattern(container_runtime_t, container_var_lib_t, container_file_t, dir, "snapshots")
filetrans_pattern(container_runtime_t, var_lib_t, container_var_lib_t, dir, "kubelet")
filetrans_pattern(container_runtime_t, container_var_lib_t, container_file_t, dir, "pods")
filetrans_pattern(container_runtime_t, var_log_t, container_log_t, dir, "containers")
filetrans_pattern(container_runtime_t, var_log_t, container_log_t, dir, "pods")

-------------------------------------------------------------------------------- /policy/microos/scripts/build: --------------------------------------------------------------------------------
#!/bin/bash
set -e -x

cd $(dirname $0)/..
.
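./scripts/version
# RPM_VERSION and RPM_RELEASE are expected to be set by scripts/version (sourced just above).

make -f /usr/share/selinux/devel/Makefile k3s.pp

# Build the source and binary RPMs with every rpmbuild directory redirected
# under the checkout, so the build is self-contained and its output lands in dist/.
rpmbuild \
    --define "k3s_selinux_version ${RPM_VERSION}" \
    --define "k3s_selinux_release ${RPM_RELEASE}" \
    --define "_sourcedir $PWD" \
    --define "_specdir $PWD" \
    --define "_builddir $PWD" \
    --define "_srcrpmdir ${PWD}/dist/source" \
    --define "_buildrootdir $PWD/.build" \
    --define "_rpmdir ${PWD}/dist" \
    -ba k3s-selinux.spec

#zypper install -y --allow-unsigned-rpm dist/noarch/*.rpm
#semodule --disable k3s
#zypper remove k3s-selinux
# Publish the build output into the per-distro tree under /source.
mkdir -p /source/dist/microos
cp -r dist/* /source/dist/microos

-------------------------------------------------------------------------------- /policy/microos/scripts/entry: --------------------------------------------------------------------------------
#!/bin/sh
# Dapper entrypoint: run a named script from policy/microos/scripts, or exec an
# arbitrary command; afterwards hand ownership of the checkout back to the host user.
set -ex

# Give the tree back to the host user. DAPPER_UID/DAPPER_GID are presumably
# injected by dapper; -1 (or unset, which now defaults to -1 instead of
# tripping an "integer expression expected" error from [) means leave ownership alone.
restore_owner() {
    if [ "${DAPPER_UID:--1}" -ne -1 ]; then
        chown -R "${DAPPER_UID}:${DAPPER_GID}" .
    fi
}

if [ -e ./policy/microos/scripts/"$1" ]; then
    # Registered as an EXIT trap so a failing script (set -e) still restores
    # ownership instead of leaving root-owned files behind on the bind mount.
    trap restore_owner EXIT
    ./policy/microos/scripts/"$@"
else
    # exec replaces this shell, so no ownership fix-up runs on this path.
    exec "$@"
fi

-------------------------------------------------------------------------------- /policy/microos/scripts/sign: --------------------------------------------------------------------------------
#!/bin/bash
# NOTE(review): xtrace stays on for the whole script; bash may echo the expanded
# contents of here-strings (the PGP private key imported further down) into the
# CI log. Consider wrapping the key handling in set +x / set -x. TODO confirm.
set -e -x

# NOTE(review): this variant installs with yum while the build script's disabled
# install steps use zypper — presumably signing runs in a yum-based image; confirm.
yum install -y rpm-sign expect git

pushd $(dirname $0)/..
. ./scripts/version
popd

# Sign with the CI key; digest algorithm 8 is SHA-256 for both source and binary file digests.
cat <<\EOF >~/.rpmmacros
%_signature gpg
%_gpg_name ci@rancher.com
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
%_source_filedigest_algorithm 8
%_binary_filedigest_algorithm 8
EOF

# RPM_CHANNEL selects which key/passphrase pair is used; anything else aborts the signing step.
case "$RPM_CHANNEL" in
"testing")
    export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
    if !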
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then 22 | echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" 23 | exit 1 24 | fi 25 | gpg --import - <<<"$TESTING_PRIVATE_KEY" 26 | ;; 27 | "latest"|"stable") 28 | if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then 29 | echo "PRIVATE_KEY not defined, failing rpm sign" 30 | exit 1 31 | fi 32 | gpg --import - <<<"$PRIVATE_KEY" 33 | ;; 34 | *) 35 | echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" 36 | exit 1 37 | ;; 38 | esac 39 | 40 | expect <= %{container_policyver} 34 | BuildRequires: git 35 | BuildRequires: selinux-policy >= %{selinux_policyver} 36 | BuildRequires: selinux-policy-devel >= %{selinux_policyver} 37 | 38 | Requires: policycoreutils, selinux-tools 39 | Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils, container-selinux >= %{container_policyver} 40 | Requires(postun): policycoreutils 41 | 42 | Provides: %{name} = %{version}-%{release} 43 | Obsoletes: k3s-selinux <= 0.5 44 | Conflicts: rke2-selinux 45 | 46 | %description 47 | This package installs and sets up the SELinux policy security module for k3s. 
48 | 49 | %install 50 | install -d %{buildroot}%{_datadir}/selinux/packages 51 | install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages 52 | install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib 53 | install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/ 54 | install -d %{buildroot}/etc/selinux/targeted/contexts/users/ 55 | 56 | %pre 57 | %selinux_relabel_pre 58 | 59 | %post 60 | %selinux_modules_install %{_datadir}/selinux/packages/k3s.pp 61 | if /usr/sbin/selinuxenabled ; then 62 | /usr/sbin/load_policy 63 | %k3s_relabel_files 64 | fi; 65 | 66 | %postun 67 | if [ $1 -eq 0 ]; then 68 | %selinux_modules_uninstall k3s 69 | fi; 70 | 71 | %posttrans 72 | %selinux_relabel_post 73 | 74 | %files 75 | %attr(0600,root,root) %{_datadir}/selinux/packages/k3s.pp 76 | %{_datadir}/selinux/devel/include/contrib/k3s.if 77 | 78 | %changelog 79 | * Mon Feb 24 2020 Darren Shepherd 1.0-1 80 | - Initial version 81 | 82 | -------------------------------------------------------------------------------- /policy/slemicro/k3s.fc: -------------------------------------------------------------------------------- 1 | # vim: sw=8:ts=8:et 2 | 3 | /etc/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0) 4 | /usr/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0) 5 | /usr/local/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0) 6 | /usr/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 7 | /usr/local/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 8 | /opt/bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 9 | /var/lib/rancher/k3s(/.*)? 
gen_context(system_u:object_r:container_var_lib_t,s0) 10 | /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_share_t,s0) 11 | /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_share_t,s0) 12 | /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.* <> 13 | /var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0) 14 | /var/lib/rancher/k3s/data(/.*)? gen_context(system_u:object_r:k3s_data_t,s0) 15 | /var/lib/rancher/k3s/data/.lock -- gen_context(system_u:object_r:k3s_lock_t,s0) 16 | /var/lib/rancher/k3s/data/[^/]*/bin(/.*)? gen_context(system_u:object_r:k3s_root_t,s0) 17 | /var/lib/rancher/k3s/data/[^/]*/bin/[.]links -- gen_context(system_u:object_r:k3s_data_t,s0) 18 | /var/lib/rancher/k3s/data/[^/]*/bin/[.]sha256sums -- gen_context(system_u:object_r:k3s_data_t,s0) 19 | /var/lib/rancher/k3s/data/[^/]*/bin/cni -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 20 | /var/lib/rancher/k3s/data/[^/]*/bin/containerd -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 21 | /var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 22 | /var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim-runc-v[12] -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 23 | /var/lib/rancher/k3s/data/[^/]*/bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 24 | /var/lib/rancher/k3s/data/[^/]*/etc(/.*)? gen_context(system_u:object_r:container_config_t,s0) 25 | /var/lib/rancher/k3s/storage(/.*)? gen_context(system_u:object_r:container_file_t,s0) 26 | /var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) 27 | /var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? 
gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)

-------------------------------------------------------------------------------- /policy/slemicro/k3s.if: --------------------------------------------------------------------------------
#######################################################################
## <summary>
##	Creates types and rules for a k3s runtime domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
template(`k3s_runtime_domain_template',`
	gen_require(`
		attribute container_runtime_domain, exec_type;
		role system_r, sysadm_r;
	')

	# The new type carries the $1_domain attribute and is usable from the
	# system and sysadm roles.
	attribute $1_domain;
	type $1_t, $1_domain;
	role system_r types $1_t;
	role sysadm_r types $1_t;

	# $1_t may execute any file type that carries the exec_type attribute.
	can_exec($1_t, exec_type)
	domain_type($1_t)
	# $1_t is both a domain and the entry-point file type for $1_domain:
	# files labelled $1_t (the data/*/bin tree in k3s.fc) are the executables
	# that enter this domain.
	domain_entry_file($1_domain, $1_t)

	# Container runtime domains get full management rights over $1_t objects.
	admin_pattern(container_runtime_domain, $1_t)
')

-------------------------------------------------------------------------------- /policy/slemicro/k3s.te: --------------------------------------------------------------------------------
policy_module(k3s, 1.0.0)

##### type: k3s_data_t
# Generic file type for the k3s data tree (/var/lib/rancher/k3s/data in k3s.fc).
type k3s_data_t;
files_type(k3s_data_t);

##### type: k3s_lock_t
# Lock-file type for data/.lock.
type k3s_lock_t;
files_lock_file(k3s_lock_t)

##### type: k3s_root_t, attr: k3s_root_domain
# Expands the template from k3s.if: declares attribute k3s_root_domain and
# type k3s_root_t, which is both a domain and its own entry-point file type.
k3s_runtime_domain_template(k3s_root)

# Types and attributes borrowed from container-selinux and the base policy.
gen_require(`
	attribute container_runtime_domain;
	type container_runtime_exec_t, container_runtime_t;
	type container_file_t, container_share_t;
	type container_var_lib_t, var_lib_t;
	type container_log_t, var_log_t;
')
# Container runtime domains fully manage the k3s data tree and its lock file.
admin_pattern(container_runtime_domain, k3s_data_t)
admin_pattern(container_runtime_domain, k3s_lock_t)
# Lock objects the runtime creates in the lock directory presumably become k3s_lock_t.
files_lock_filetrans(container_runtime_domain, k3s_lock_t, { dir file })
# Name-based type transitions (source domain, parent type, new type, class,
# file name) so objects the runtime creates at run time get the same labels
# k3s.fc assigns on relabel.
filetrans_pattern(container_runtime_t, container_var_lib_t, k3s_data_t, dir, "data")
filetrans_pattern(container_runtime_t, k3s_data_t, k3s_lock_t, file, ".lock")
filetrans_pattern(container_runtime_t, k3s_data_t, k3s_root_t, dir, "bin")
filetrans_pattern(container_runtime_t, k3s_root_t, k3s_data_t, file, ".links")
filetrans_pattern(container_runtime_t, k3s_root_t, k3s_data_t, file, ".sha256sums")
# Files with these names created under a k3s_root_t directory are typed
# container_runtime_exec_t, the same type k3s.fc gives the k3s binary itself.
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "cni")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim-runc-v1")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim-runc-v2")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "runc")
filetrans_pattern(container_runtime_t, container_var_lib_t, container_file_t, dir, "storage")
# The snapshots transition is disabled; k3s.fc labels the snapshots tree explicitly
# instead. This variant names container_share_t here, matching its k3s.fc, whereas
# the coreos and microos variants use container_file_t for snapshots.
#filetrans_pattern(container_runtime_t, container_var_lib_t, container_share_t, dir, "snapshots")
filetrans_pattern(container_runtime_t, var_lib_t, container_var_lib_t, dir, "kubelet")
filetrans_pattern(container_runtime_t, container_var_lib_t, container_file_t, dir, "pods")
filetrans_pattern(container_runtime_t, var_log_t, container_log_t, dir, "containers")
filetrans_pattern(container_runtime_t, var_log_t, container_log_t, dir, "pods")

-------------------------------------------------------------------------------- /policy/slemicro/scripts/build: --------------------------------------------------------------------------------
#!/bin/bash
set -e -x

cd $(dirname $0)/..
.
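./scripts/version
# RPM_VERSION and RPM_RELEASE are expected to be set by scripts/version (sourced just above).

make -f /usr/share/selinux/devel/Makefile k3s.pp

# Build the source and binary RPMs with every rpmbuild directory redirected
# under the checkout, so the build is self-contained and its output lands in dist/.
rpmbuild \
    --define "k3s_selinux_version ${RPM_VERSION}" \
    --define "k3s_selinux_release ${RPM_RELEASE}" \
    --define "_sourcedir $PWD" \
    --define "_specdir $PWD" \
    --define "_builddir $PWD" \
    --define "_srcrpmdir ${PWD}/dist/source" \
    --define "_buildrootdir $PWD/.build" \
    --define "_rpmdir ${PWD}/dist" \
    -ba k3s-selinux.spec

#zypper install -y --allow-unsigned-rpm dist/noarch/*.rpm
#semodule --disable k3s
#zypper remove k3s-selinux
# Publish the build output into the per-distro tree under /source.
mkdir -p /source/dist/slemicro
cp -r dist/* /source/dist/slemicro

-------------------------------------------------------------------------------- /policy/slemicro/scripts/entry: --------------------------------------------------------------------------------
#!/bin/sh
# Dapper entrypoint: run a named script from policy/slemicro/scripts, or exec an
# arbitrary command; afterwards hand ownership of the checkout back to the host user.
set -ex

# Give the tree back to the host user. DAPPER_UID/DAPPER_GID are presumably
# injected by dapper; -1 (or unset, which now defaults to -1 instead of
# tripping an "integer expression expected" error from [) means leave ownership alone.
restore_owner() {
    if [ "${DAPPER_UID:--1}" -ne -1 ]; then
        chown -R "${DAPPER_UID}:${DAPPER_GID}" .
    fi
}

if [ -e ./policy/slemicro/scripts/"$1" ]; then
    # Registered as an EXIT trap so a failing script (set -e) still restores
    # ownership instead of leaving root-owned files behind on the bind mount.
    trap restore_owner EXIT
    ./policy/slemicro/scripts/"$@"
else
    # exec replaces this shell, so no ownership fix-up runs on this path.
    exec "$@"
fi

-------------------------------------------------------------------------------- /policy/slemicro/scripts/sign: --------------------------------------------------------------------------------
#!/bin/bash
# NOTE(review): xtrace stays on for the whole script; bash may echo the expanded
# contents of here-strings (the PGP private key imported further down) into the
# CI log. Consider wrapping the key handling in set +x / set -x. TODO confirm.
set -e -x

# NOTE(review): this variant installs with yum while the build script's disabled
# install steps use zypper — presumably signing runs in a yum-based image; confirm.
yum install -y rpm-sign expect git

pushd $(dirname $0)/..
. ./scripts/version
popd

# Sign with the CI key; digest algorithm 8 is SHA-256 for both source and binary file digests.
cat <<\EOF >~/.rpmmacros
%_signature gpg
%_gpg_name ci@rancher.com
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
%_source_filedigest_algorithm 8
%_binary_filedigest_algorithm 8
EOF

# RPM_CHANNEL selects which key/passphrase pair is used; anything else aborts the signing step.
case "$RPM_CHANNEL" in
"testing")
    export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
    if !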
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then 22 | echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" 23 | exit 1 24 | fi 25 | gpg --import - <<<"$TESTING_PRIVATE_KEY" 26 | ;; 27 | "latest"|"stable") 28 | if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then 29 | echo "PRIVATE_KEY not defined, failing rpm sign" 30 | exit 1 31 | fi 32 | gpg --import - <<<"$PRIVATE_KEY" 33 | ;; 34 | *) 35 | echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" 36 | exit 1 37 | ;; 38 | esac 39 | 40 | expect <