nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

container: add rules required for metallb BGP speakers

Browse Source 
Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
Kenton Groombridge 2022-12-07 09:53:58 -05:00
parent b85d3f673d
commit a6db7cb87f
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
policy/modules/services/container.te
View File

@ -425,6 +425,8 @@ corenet_tcp_sendrecv_generic_node(container_net_domain)
corenet_udp_sendrecv_generic_node(container_net_domain) corenet_udp_sendrecv_generic_node(container_net_domain)
corenet_tcp_bind_generic_node(container_net_domain) corenet_tcp_bind_generic_node(container_net_domain)
corenet_udp_bind_generic_node(container_net_domain) corenet_udp_bind_generic_node(container_net_domain)
# for metallb BGP speakers
corenet_raw_bind_generic_node(container_net_domain)
corenet_sendrecv_all_server_packets(container_net_domain) corenet_sendrecv_all_server_packets(container_net_domain)
corenet_tcp_bind_all_ports(container_net_domain) corenet_tcp_bind_all_ports(container_net_domain)
@ -456,6 +458,8 @@ files_read_kernel_modules(container_t)
fs_mount_cgroup(container_t) fs_mount_cgroup(container_t)
fs_rw_cgroup_files(container_t) fs_rw_cgroup_files(container_t)
# for metallb BGP speakers
fs_read_nsfs_files(container_t)
kernel_read_vm_overcommit_sysctl(container_t) kernel_read_vm_overcommit_sysctl(container_t)