Skip to content

Commit

Permalink
feat: add selinux write and connectto to kine sock
Browse files Browse the repository at this point in the history 
Signed-off-by: Vitor Savian <[email protected]>
  • Loading branch information
@vitorsavian
vitorsavian committed Oct 7, 2024
1 parent 3971a42 commit 72fd664
Show file tree
Hide file tree
Showing 5 changed files with 14 additions and 4 deletions.
4 changes: 3 additions & 1 deletion policy/centos7/rke2.te
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@ rke2_filetrans_named_content(unconfined_service_t)
#######################
rke2_service_domain_template(rke2_service)
container_read_lib_files(rke2_service_t)
allow rke2_service_t container_var_lib_t:sock_file { write };
allow rke2_service_t container_runtime_t:unix_stream_socket { connectto };

##########################
# type rke2_service_db_t #
Expand All @@ -38,4 +40,4 @@ allow iscsid_t self:capability dac_override;
# type rke2_tls_t #
###################
type rke2_tls_t;
files_type(rke2_tls_t);
files_type(rke2_tls_t);
2 changes: 2 additions & 0 deletions policy/centos8/rke2.te
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ rke2_filetrans_named_content(unconfined_service_t)
#######################
rke2_service_domain_template(rke2_service)
container_read_lib_files(rke2_service_t)
allow rke2_service_t container_var_lib_t:sock_file { write };
allow rke2_service_t container_runtime_t:unix_stream_socket { connectto };

##########################
# type rke2_service_db_t #
Expand Down
4 changes: 3 additions & 1 deletion policy/centos9/rke2.te
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@ rke2_filetrans_named_content(unconfined_service_t)
rke2_service_domain_template(rke2_service)
container_read_lib_files(rke2_service_t)
allow rke2_service_t container_var_lib_t:file { watch };
allow rke2_service_t container_var_lib_t:sock_file { write };
allow rke2_service_t container_runtime_t:unix_stream_socket { connectto };

##########################
# type rke2_service_db_t #
Expand All @@ -32,4 +34,4 @@ allow iscsid_t self:capability dac_override;
# type rke2_tls_t #
###################
type rke2_tls_t;
container_file(rke2_tls_t);
container_file(rke2_tls_t);
4 changes: 3 additions & 1 deletion policy/microos/rke2.te
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ rke2_filetrans_named_content(unconfined_service_t)
#######################
rke2_service_domain_template(rke2_service)
container_read_lib_files(rke2_service_t)
allow rke2_service_t container_var_lib_t:sock_file { write };
allow rke2_service_t container_runtime_t:unix_stream_socket { connectto };

##########################
# type rke2_service_db_t #
Expand All @@ -31,4 +33,4 @@ allow iscsid_t self:capability dac_override;
# type rke2_tls_t #
###################
type rke2_tls_t;
container_file(rke2_tls_t);
container_file(rke2_tls_t);
4 changes: 3 additions & 1 deletion policy/slemicro/rke2.te
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@ rke2_filetrans_named_content(unconfined_service_t)
rke2_service_domain_template(rke2_service)
container_read_lib_files(rke2_service_t)
allow rke2_service_t container_var_lib_t:file { watch };
allow rke2_service_t container_var_lib_t:sock_file { write };
allow rke2_service_t container_runtime_t:unix_stream_socket { connectto };

##########################
# type rke2_service_db_t #
Expand All @@ -32,4 +34,4 @@ allow iscsid_t self:capability dac_override;
# type rke2_tls_t #
###################
type rke2_tls_t;
files_type(rke2_tls_t);
files_type(rke2_tls_t);

0 comments on commit 72fd664

Please sign in to comment.