rancher / rke2-selinux

RKE2 selinux + RPM packaging for selinux
Apache License 2.0

add ability for kube-apiserver to write to audit logs #17

Closed briandowns closed 3 years ago

briandowns commented 3 years ago

This PR adds the ability for the kube-apiserver to write to the audit log when auditing is enabled.

Fixes issue raised here.

brandond commented 3 years ago

I think we need to do more than this - the log files are getting created at filepath.Join(s.DataDir, "server/logs/audit.log") which is inheriting container_var_lib_t since DataDir is /var/lib/rancher/rke2. Granting full access to container_var_lib_t is overly broad from a policy perspective; we should probably make the server logs dir container_log_t and then allow actions on that type if we don't already do so.

briandowns commented 3 years ago

> I think we need to do more than this - the log files are getting created at filepath.Join(s.DataDir, "server/logs/audit.log") which is inheriting container_var_lib_t since DataDir is /var/lib/rancher/rke2. Granting full access to container_var_lib_t is overly broad from a policy perspective; we should probably make the server logs dir container_log_t and then allow actions on that type if we don't already do so.

Happy for feedback. What I pushed initially resolved the issue.

brandond commented 3 years ago

Yeah, that would fix it, but I don't think it's quite the best approach from a least privilege perspective.

dweomer commented 3 years ago

So there are a couple of things going on in this PR:

We should limit the fix to:

brandond commented 3 years ago

@dweomer IMO we should make /var/lib/rancher/rke2/server/logs/ container_log_t and then grant access to that.

briandowns commented 3 years ago

> @dweomer IMO we should make /var/lib/rancher/rke2/server/logs/ container_log_t and then grant access to that.

@dweomer and I worked out an approach that I'll be pushing in a few minutes.

dweomer commented 3 years ago

> @dweomer IMO we should make /var/lib/rancher/rke2/server/logs/ container_log_t and then grant access to that.

This is exactly what @briandowns and I discussed.
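The labeling approach the thread converges on (the server logs dir as container_log_t rather than inheriting container_var_lib_t from DataDir), as an added verification script that is not part of the rke2-selinux repository: it parses `ls -Z` style output, flags entries under the logs directory that do not carry the expected type, and prints the relabel commands. The path and types come from the discussion above; the sample output and the second file name are constructed.

```shell
#!/bin/sh
# Added example, not code from the rke2-selinux repo. Audits SELinux labels under
# the RKE2 server logs directory: files created there inherit container_var_lib_t
# from DataDir unless the directory is relabeled container_log_t (the PR's point).
LOGS_DIR="/var/lib/rancher/rke2/server/logs"
EXPECTED_TYPE="container_log_t"

# check_labels EXPECTED: reads `ls -Z` style lines ("<context> <path>") on stdin.
# The context is user:role:type:level, so the type is the third colon field.
# Prints one MISMATCH line per wrongly labeled path; returns 0 only if all match.
check_labels() {
    expected="$1"
    bad=0
    while read -r ctx path; do
        [ -z "$ctx" ] && continue
        ftype=$(printf '%s' "$ctx" | cut -d: -f3)
        if [ "$ftype" != "$expected" ]; then
            echo "MISMATCH $path labeled $ftype (want $expected)"
            bad=1
        fi
    done
    return "$bad"
}

# count_mismatches EXPECTED: same input, prints just the number of mislabeled entries.
count_mismatches() {
    check_labels "$1" | grep -c '^MISMATCH' || true
}

# Relabel commands for the agreed approach (printed, not run, so this works without SELinux tools).
print_remediation() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$EXPECTED_TYPE" "$LOGS_DIR"
    printf 'restorecon -Rv %s\n' "$LOGS_DIR"
}

# Constructed sample of `ls -Z` output: audit.log inherited the parent's
# container_var_lib_t; the second (made-up) file already carries the right type.
SAMPLE="system_u:object_r:container_var_lib_t:s0 $LOGS_DIR/audit.log
system_u:object_r:container_log_t:s0 $LOGS_DIR/audit-2021-01-01.log"

main() {
    if printf '%s\n' "$SAMPLE" | check_labels "$EXPECTED_TYPE"; then
        echo "all entries under $LOGS_DIR are $EXPECTED_TYPE"
    else
        echo "relabel with:"
        print_remediation
    fi
}
main
```

On a real host, replace the constructed sample with `ls -Z /var/lib/rancher/rke2/server/logs/*` piped into check_labels.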