k3s-root: reduced executable privileges

[dweomer]

Addresses k3s-io/k3s#4562 Addresses k3s-io/k3s#4564 Addresses k3s-io/k3s#4600 Addresses k3s-io/k3s#4601

Address container_runtime_exec_t applied to too many executables. Introduce k3s_data_t, k3s_lock_t, and k3s_root_t types:

• k3s_data_t as default for everything under K3S_DATA_DIR
• k3s_lock_t applied to K3S_DATA_DIR/.lock
• k3s_root_t as default for everything under K3S_DATA_DIR/bin this is an execution domain type that allows invocation from processes labeled with container_runtime_t and unconfined_t to work as expected, but regular seusers will be denied. additionally, this allows for easy, automatic transition to container_runtime_exec_t for the cni, containerd (including shims), and runc executables when k3s unpacks itself and establishes the data-dir.

---

I should stress: this is effectively a complete policy re-write for k3s.

[dweomer]

This will require a claw-back of the k3s-specific file-context entries in upstream container-selinux.