container: allow spc various rules for kubevirt
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
parent
d585f08c27
commit
af0b408246
|
@ -5465,6 +5465,24 @@ interface(`dev_relabelfrom_vfio_dev',`
|
|||
relabelfrom_chr_files_pattern($1, device_t, vfio_device_t)
|
||||
')
|
||||
|
||||
############################
|
||||
## <summary>
|
||||
## Get the attributes of the vhost devices.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_getattr_vhost_dev',`
|
||||
gen_require(`
|
||||
type device_t, vhost_device_t;
|
||||
')
|
||||
|
||||
getattr_chr_files_pattern($1, device_t, vhost_device_t)
|
||||
')
|
||||
|
||||
############################
|
||||
## <summary>
|
||||
## Allow read/write the vhost devices
|
||||
|
|
|
@ -978,7 +978,7 @@ allow spc_t self:process { getcap setrlimit };
|
|||
# Normally triggered when rook-ceph executes lvm tools which creates noise.
|
||||
# This can be allowed if actually needed.
|
||||
dontaudit spc_t self:process setfscreate;
|
||||
allow spc_t self:capability { audit_write chown dac_read_search fowner fsetid ipc_lock mknod net_admin net_raw setpcap sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource };
|
||||
allow spc_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setuid setpcap sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource };
|
||||
allow spc_t self:capability2 { bpf perfmon };
|
||||
allow spc_t self:bpf { map_create map_read map_write prog_load prog_run };
|
||||
allow spc_t self:key manage_key_perms;
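Review bot: The replaced self:capability line (the longer of the two, presumably the new side) adds dac_override, kill, setgid and setuid to spc_t without a comment saying which kubevirt component triggers them, whereas the neighbouring dontaudit at the top of this hunk documents its trigger ("Normally triggered when rook-ceph executes lvm tools"). dac_override and setuid/setgid are among the broadest capabilities a domain can hold, and spc_t already carries dac_read_search, so a later reader will not be able to tell whether dac_override was needed or merely convenient. I would precede the line with `# dac_override, kill, setgid and setuid are for kubevirt` (naming the specific binary if known), matching the `# for multus and kubevirt` comments used in the later hunks of this commit. Confirming that dac_read_search is still required once dac_override is granted would also be worth a sentence.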
|
||||
|
@ -1004,14 +1004,19 @@ allow spc_t container_engine_tmpfs_t:chr_file rw_chr_file_perms;
|
|||
allow spc_t container_engine_tmpfs_t:lnk_file read_lnk_file_perms;
|
||||
# for rook-ceph
|
||||
allow spc_t container_engine_tmpfs_t:blk_file rw_blk_file_perms;
|
||||
# for multus and kubevirt
|
||||
allow spc_t container_engine_tmpfs_t:chr_file { relabelfrom setattr };
|
||||
|
||||
# for kubernetes storage class providers
|
||||
allow spc_t container_file_t:{ dir file } mounton;
|
||||
allow spc_t container_file_t:dir_file_class_set relabel_blk_file_perms;
|
||||
# for rook-ceph
|
||||
allow spc_t container_file_t:blk_file manage_blk_file_perms;
|
||||
# for multus and kubevirt
|
||||
allow spc_t container_file_t:chr_file setattr;
|
||||
allow spc_t container_file_t:filesystem unmount;
|
||||
|
||||
allow spc_t container_runtime_t:dir { manage_dir_perms mounton };
|
||||
allow spc_t container_runtime_t:dir { manage_dir_perms mounton watch };
|
||||
allow spc_t container_runtime_t:file manage_file_perms;
|
||||
allow spc_t container_runtime_t:sock_file manage_sock_file_perms;
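Review bot: The new `allow spc_t container_engine_tmpfs_t:chr_file { relabelfrom setattr };` grants only the source half of a relabel, and the comment does not say what type the device node ends up with. It appears the destination is covered by the existing `allow spc_t container_file_t:dir_file_class_set relabel_blk_file_perms;` a few lines below (dir_file_class_set includes chr_file and that permission set carries relabelto), but that is inference; the comment should name the target so the pairing is explicit, e.g. `# for multus and kubevirt: relabel device nodes to <TARGET_TYPE>` with the real type filled in. The `watch` added to the container_runtime_t:dir line is the only new permission in this hunk with no comment at all; a short trigger comment like the others would keep the file's convention.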
|
||||
|
||||
|
@ -1034,6 +1039,10 @@ dev_filetrans(spc_t, container_device_t, blk_file)
|
|||
dev_dontaudit_getattr_all_chr_files(spc_t)
|
||||
dev_dontaudit_setattr_generic_symlinks(spc_t)
|
||||
dev_dontaudit_relabelto_generic_blk_files(spc_t)
|
||||
# for multus and kubevirt
|
||||
dev_getattr_kvm_dev(spc_t)
|
||||
dev_getattr_vhost_dev(spc_t)
|
||||
dev_watch_dev_dirs(spc_t)
|
||||
|
||||
fs_read_nsfs_files(spc_t)
|
||||
fs_mount_xattr_fs(spc_t)
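Review bot: The new `dev_getattr_kvm_dev(spc_t)` and `dev_getattr_vhost_dev(spc_t)` are placed three lines under an existing `dev_dontaudit_getattr_all_chr_files(spc_t)`, which already silences getattr denials on every character device. That means these allows only change behaviour if the stat() itself must succeed (for example a probe for /dev/kvm before opening it); if the intent was merely to quiet AVCs, they are redundant. I would make the motivation explicit in the comment, e.g. `# for multus and kubevirt: the device probe must succeed, not just be quiet`, so the next maintainer does not "clean up" the apparent overlap in either direction. `dev_getattr_vhost_dev` is the interface introduced in the first hunk of this commit, so the two must land together.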
|
||||
|
|