container, podman: allow podman to create and write config files

Podman 4.0 now creates the CNI network config files if they do not
exist.

Signed-off-by: Kenton Groombridge <me@concord.sh>
Kenton Groombridge 2022-03-11 00:07:56 -05:00
parent 6e5a6bffdb
commit db2ec49444
2 changed files with 42 additions and 0 deletions


@ -738,6 +738,44 @@ interface(`container_mountpoint',`
typeattribute $1 container_mountpoint_type; typeattribute $1 container_mountpoint_type;
') ')
########################################
## <summary>
## Allow the specified domain to
## create container config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_create_config_files',`
gen_require(`
type container_config_t;
')
create_files_pattern($1, container_config_t, container_config_t)
')
########################################
## <summary>
## Allow the specified domain to
## write container config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_write_config_files',`
gen_require(`
type container_config_t;
')
write_files_pattern($1, container_config_t, container_config_t)
')
######################################## ########################################
## <summary> ## <summary>
## Allow the specified domain to ## Allow the specified domain to
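Review bot: The summaries of the two new interfaces should state that they cover every file labeled container_config_t, not only the network config files the commit message describes, and that neither grants read access; a caller that creates a file and then reads it back needs a read interface in addition. For the create interface, `## create container config files (labeled container_config_t).` would make the resulting label visible to callers, and a similar line on the write interface would make the breadth of the grant explicit. Since the only caller added here pairs the two, a single manage-style interface in the file's naming scheme may be worth considering, though splitting them is also a valid choice if other callers need only one. The interface file continues past the hunk, so whether a read or manage interface already exists cannot be confirmed from here.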


@ -39,6 +39,10 @@ allow podman_t podman_conmon_t:unix_stream_socket { connectto rw_stream_socket_p
container_engine_executable_entrypoint(podman_t) container_engine_executable_entrypoint(podman_t)
# podman 4.0.0 now creates OCI networking configs
container_create_config_files(podman_t)
container_write_config_files(podman_t)
domtrans_pattern(podman_t, podman_conmon_exec_t, podman_conmon_t) domtrans_pattern(podman_t, podman_conmon_exec_t, podman_conmon_t)
logging_send_syslog_msg(podman_t) logging_send_syslog_msg(podman_t)
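Review bot: The comment on the added line reads "OCI networking configs" while the commit message says CNI network config files; aligning it, e.g. `# podman 4.0.0 creates CNI network config files if they do not exist`, avoids a reader looking for a different file set. The two calls grant podman_t create and write on all container_config_t files, which is broader than the stated need of creating files that are missing; if the engine only writes files it created itself, a dedicated type assigned through a file type transition would keep administrator-managed config read-only to the engine, though this should be confirmed against what podman 4.0 actually writes. The podman_t rules continue outside the hunk.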