
Commit a2cfdbf

selinux-policy: add etc_secret_t label

Add a label etc_secret_t to be used for configuration files stored under /etc that include secrets. The current label used for secret mounts under /etc is secret_t, but this label permits bootstrap containers to write to objects. etc_secret_t disallows this behavior.

Signed-off-by: Gavin Inglis <[email protected]>
1 parent 74cba2b commit a2cfdbf

2 files changed (+13, -2 lines)


packages/selinux-policy/object.cil

Lines changed: 7 additions & 2 deletions
@@ -138,6 +138,11 @@
138138
(roletype object_r secret_t)
139139
(context secret (system_u object_r secret_t s0))
140140

141+
; Files for saved system secrets in config files in /etc.
142+
(type etc_secret_t)
143+
(roletype object_r etc_secret_t)
144+
(context etc_secret (system_u object_r etc_secret_t s0))
145+
141146
; Dynamic objects are files on temporary storage with special rules.
142147
(typeattribute dynamic_o)
143148
(typeattributeset dynamic_o (etc_t binfmt_misc_fs_t))
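Review bot: nothing in this commit attaches the new etc_secret context to any path. The hunk declares the type, role and context (the three new statements after the "; Files for saved system secrets" comment), but neither file touched here labels anything etc_secret_t, so configuration files under /etc keep their current label and the new restrictions have no effect until something applies the label. Either include that labeling change or say in the commit message where it happens. Two smaller points: etc_t is listed in dynamic_o in the context lines directly below, so say in the comment whether etc_secret_t deliberately stays out of that set even though it labels files that live under /etc; and the comment would read more clearly as "; Secrets saved in configuration files under /etc."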
@@ -162,7 +167,7 @@
162167
; modified by system-level processes.
163168
(typeattribute write_restricted_o)
164169
(typeattributeset write_restricted_o (
165-
cache_t csi_exec_t lease_t measure_t secret_t state_t private_t))
170+
cache_t csi_exec_t lease_t measure_t secret_t etc_secret_t state_t private_t))
166171

167172
; Read-restricted objects are files on local storage that can only be
168173
; opened by system-level processes.
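Review bot: the hunk stops at the read_restricted_o comment without showing that set, so it is not visible whether secret_t is a member there. If it is, etc_secret_t should be added to read_restricted_o as well; the commit message positions the new label as strictly more restrictive than secret_t, and adding it only to write_restricted_o would otherwise leave it readable by more subjects than the label it replaces.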
@@ -210,6 +215,6 @@
210215
network_exec_t bus_exec_t runtime_exec_t
211216
mount_exec_t cni_exec_t csi_exec_t
212217
any_t etc_t proc_t binfmt_misc_fs_t
213-
local_t data_t private_t secret_t cache_t
218+
local_t data_t private_t secret_t etc_secret_t cache_t
214219
lease_t measure_t state_t
215220
api_socket_t))
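Review bot: the attribute this set belongs to is outside the hunk context, so a reviewer cannot tell from the diff whether every set in object.cil that lists secret_t now also lists etc_secret_t. Please confirm with a search for secret_t that no remaining typeattributeset names secret_t without the new type; a set that is missed would give etc_secret_t fewer rules than secret_t rather than stricter ones.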

packages/selinux-policy/rules.cil

Lines changed: 6 additions & 0 deletions
@@ -221,6 +221,12 @@
221221
(allow api_s secret_t (files (mutate mount)))
222222
(allow runtime_s secret_t (files (mutate mount)))
223223

224+
; Trusted components can modify secrets stored in /etc config files.
225+
(allow trusted_s etc_secret_t (files (mutate)))
226+
227+
; Untrusted components cannot modify secrets stored in /etc config files.
228+
(neverallow untrusted_s etc_secret_t (files (mutate)))
229+
224230
; Subjects that control the OS can write to and manage mounts for
225231
; "sensitive" files and directories on /local.
226232
(allow control_s sensitive_o (files (mutate mount)))
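Review bot: no subject is granted mount on etc_secret_t, while the secret_t rules directly above grant (files (mutate mount)) to api_s and runtime_s and the commit message describes "secret mounts under /etc". If the new label is applied to mount targets, whichever subject manages those mounts needs mount on etc_secret_t; if the files are plain files rather than mounts, the commit message should say so. Also confirm that granting mutate to the trusted_s attribute, rather than to the specific api_s and runtime_s subjects used for secret_t, is intended, since that may widen the set of writers at the same time as the neverallow narrows it. The neverallow on untrusted_s is the right tool here, as it fails the policy build rather than just denying at runtime.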
