container, crio, kubernetes: minor fixes

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Kenton Groombridge 2024-05-06 17:19:44 -04:00 committed by 0xC0ncord
parent 11e729e273
commit 63d50bbaa3
3 changed files with 5 additions and 0 deletions


@ -982,6 +982,7 @@ allow spc_t self:alg_socket create_stream_socket_perms;
allow spc_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow spc_t self:netlink_generic_socket create_socket_perms;
allow spc_t self:netlink_netfilter_socket create_socket_perms;
allow spc_t self:netlink_tcpdiag_socket nlmsg_read;
allow spc_t self:netlink_xfrm_socket create_netlink_socket_perms;
allow spc_t self:perf_event { cpu kernel open read };
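Review bot: The tcpdiag rule (presumably the added line, since the hunk carries one addition and `allow spc_t self:netlink_tcpdiag_socket nlmsg_read;` sits at its midpoint) grants only nlmsg_read, and no create_socket_perms rule for netlink_tcpdiag_socket is visible in this hunk; unless one exists elsewhere in the file, the domain cannot open a tcpdiag socket to issue the read in the first place, so the rule would be dead. Please confirm the pairing rule is present, or add it alongside. Independently of that, the other hunks in this commit document their additions with a short why-comment ("# for kubernetes debug pods"); the same would help here, e.g. `# for socket diagnostics (ss/netstat) from super privileged containers` above the rule, adjusted to whatever actually triggered the denial. The rendered page appears to drop the hunk's final context line, so this reading of which line is new is inferred rather than certain.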


@ -84,6 +84,7 @@ init_use_fds(crio_conmon_t)
container_kill_all_containers(crio_conmon_t)
container_read_all_container_state(crio_conmon_t)
container_signal_system_containers(crio_conmon_t)
# for kubernetes debug pods
container_use_container_ptys(crio_conmon_t)


@ -393,6 +393,7 @@ container_relabel_all_content(kubelet_t)
container_manage_log_dirs(kubelet_t)
container_manage_log_files(kubelet_t)
container_manage_log_symlinks(kubelet_t)
container_watch_log_dirs(kubelet_t)
container_watch_log_files(kubelet_t)
container_log_filetrans(kubelet_t, { dir file })
@ -617,6 +618,8 @@ userdom_use_user_terminals(kubectl_domain)
# kubectl local policy
#
kernel_dontaudit_getattr_proc(kubectl_t)
auth_use_nsswitch(kubectl_t)
# not required, but convenient for using config commands