container: fix cilium denial

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
2023-06-21 09:24:25 +02:00 · 2023-06-21 09:24:25 +02:00 · feaf607f3e
commit feaf607f3e
parent d6b44b9c4f
1 changed files with 1 additions and 0 deletions
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@ -866,6 +866,7 @@ allow spc_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay
 allow spc_t self:netlink_generic_socket create_socket_perms;
 allow spc_t self:netlink_netfilter_socket create_socket_perms;
 allow spc_t self:netlink_xfrm_socket create_socket_perms;
+allow spc_t self:perf_event { cpu kernel open read };

 allow container_engine_system_domain spc_t:process { setsched signal_perms };