refactor: remove SELinux client_u and client_r

I added those in the early days of the current policy development, yet there was no use for them. This change simplifies the policy and handling of labels. Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
siderolabs · Nov 18, 2024 · d55a96e · d55a96e
1 parent 3a5b55f
commit d55a96e
Show file tree

Hide file tree

Showing 9 changed files with 12 additions and 37 deletions.
diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33
diff --git a/internal/pkg/selinux/policy/selinux/common/typeattributes.cil b/internal/pkg/selinux/policy/selinux/common/typeattributes.cil
@@ -65,28 +65,15 @@
 
 (typeattribute service_exec_f)
 
-(typeattribute system_service_p)
+(typeattribute service_p)
 ; (process_t, exec_t)
-(macro system_service_p ((type process_label) (type executable_label))
+(macro service_p ((type process_label) (type executable_label))
     (roletype system_r process_label)
-    (typeattributeset system_service_p process_label)
+    (typeattributeset service_p process_label)
     (typeattributeset service_exec_f executable_label)
     (allow process_label executable_label (file (entrypoint execute execute_no_trans)))
 )
 
-(typeattribute client_service_p)
-; (process_t, exec_t)
-(macro client_service_p ((type process_label) (type executable_label))
-    (roletype client_r process_label)
-    (typeattributeset client_service_p process_label)
-    (typeattributeset service_exec_f executable_label)
-    (allow process_label executable_label (file (entrypoint execute execute_no_trans)))
-)
-
-(typeattribute service_p)
-(typeattributeset service_p system_service_p)
-(typeattributeset service_p client_service_p)
-
 (typeattribute system_container_p)
 (macro system_container_p ((type ARG1))
     (roletype system_r ARG1)
@@ -95,7 +82,7 @@
 
 (typeattribute pod_p)
 (macro pod_p ((type ARG1))
-    (roletype client_r ARG1)
+    (roletype system_r ARG1)
     (typeattributeset pod_p ARG1)
 )
 

diff --git a/internal/pkg/selinux/policy/selinux/immutable/roles.cil b/internal/pkg/selinux/policy/selinux/immutable/roles.cil
@@ -11,15 +11,3 @@
 (userlevel system_u systemLow)
 (userrole system_u object_r)
 (userrole system_u system_r)
-
-(role client_r)
-(type client_r)
-(roletype client_r client_r)
-
-(user client_u)
-(userrange client_u (systemLow systemLow))
-(userlevel client_u systemLow)
-(userrole client_u object_r)
-(userrole client_u client_r)
-
-(roleallow system_r client_r)
diff --git a/internal/pkg/selinux/policy/selinux/services/cri.cil b/internal/pkg/selinux/policy/selinux/services/cri.cil
@@ -1,6 +1,6 @@
 ; Pod (CRI) containerd
 (type pod_containerd_t)
-(call client_service_p (pod_containerd_t containerd_exec_t))
+(call service_p (pod_containerd_t containerd_exec_t))
 
 ; TODO: label /run
 

diff --git a/internal/pkg/selinux/policy/selinux/services/dashboard.cil b/internal/pkg/selinux/policy/selinux/services/dashboard.cil
@@ -1,2 +1,2 @@
 (type dashboard_t)
-(call system_service_p (dashboard_t init_exec_t))
+(call service_p (dashboard_t init_exec_t))
diff --git a/internal/pkg/selinux/policy/selinux/services/machined.cil b/internal/pkg/selinux/policy/selinux/services/machined.cil
@@ -34,7 +34,7 @@
 ; Should not occur unless misconfigured by machined
 (type unconfined_service_t)
 (roletype system_r unconfined_service_t)
-(typeattributeset system_service_p unconfined_service_t)
+(typeattributeset service_p unconfined_service_t)
 
 (type sbin_exec_t)
 (call system_f (sbin_exec_t))

diff --git a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
@@ -7,7 +7,7 @@
 
 ; System containerd
 (type sys_containerd_t)
-(call system_service_p (sys_containerd_t containerd_exec_t))
+(call service_p (sys_containerd_t containerd_exec_t))
 
 ; TODO: label /system
 

diff --git a/internal/pkg/selinux/policy/selinux/services/udev.cil b/internal/pkg/selinux/policy/selinux/services/udev.cil
@@ -12,7 +12,7 @@
 (filecon "/usr/lib/udev(/.*)?" any udev_exec_t)
 
 (type udev_t)
-(call system_service_p (udev_t udev_exec_t))
+(call service_p (udev_t udev_exec_t))
 
 ; TODO: label /run
 

diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go
@@ -811,7 +811,7 @@ const (
 	CgroupPodRuntimeMillicores = 1000
 
 	// SelinuxLabelPodRuntime is the SELinux label for kubernetes containerd runtime processes.
-	SelinuxLabelPodRuntime = "client_u:client_r:pod_containerd_t:s0"
+	SelinuxLabelPodRuntime = "system_u:system_r:pod_containerd_t:s0"
 
 	// CgroupPodRuntimeReservedMemory is the hard memory protection for the cri runtime processes.
 	CgroupPodRuntimeReservedMemory = 196 * 1024 * 1024
@@ -826,13 +826,13 @@ const (
 	CgroupEtcdMillicores = 2000
 
 	// SELinuxLabelEtcd is the SELinux label for etcd process.
-	SELinuxLabelEtcd = "client_u:client_r:etcd_t:s0"
+	SELinuxLabelEtcd = "system_u:system_r:etcd_t:s0"
 
 	// CgroupKubelet is the cgroup name for kubelet process.
 	CgroupKubelet = CgroupPodRuntimeRoot + "/kubelet"
 
 	// SelinuxLabelKubelet is the SELinux label for kubelet process.
-	SelinuxLabelKubelet = "client_u:client_r:kubelet_t:s0"
+	SelinuxLabelKubelet = "system_u:system_r:kubelet_t:s0"
 
 	// CgroupKubeletReservedMemory is the hard memory protection for the kubelet processes.
 	CgroupKubeletReservedMemory = 96 * 1024 * 1024