kubernetes: allow container engines to mount on DRI devices if enabled

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Kenton Groombridge 2023-12-19 00:07:35 -05:00
parent 16323cfce2
commit a0018e4e85
2 changed files with 22 additions and 0 deletions


@ -2065,6 +2065,24 @@ interface(`dev_manage_dri_dev',`
allow $1 dri_device_t:chr_file map;
')
########################################
## <summary>
## Mount on the dri devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_mounton_dri_dev',`
gen_require(`
type dri_device_t;
')
allow $1 dri_device_t:chr_file mounton;
')
########################################
## <summary>
## Automatic type transition to the type
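Review bot: The summary `Mount on the dri devices.` on the new dev_mounton_dri_dev interface can be read as mounting the devices themselves, whereas the rule it wraps, `allow $1 dri_device_t:chr_file mounton;`, lets the caller use a DRI character device node as a mount point. That is a host-side capability a policy auditor will want to recognise from the interface documentation alone, so I would spell it out, e.g. `## Use dri device nodes as mount points (for example as bind mount targets).` The `<param>` text can stay as it is, since it matches the neighbouring interfaces.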


@ -147,6 +147,10 @@ tunable_policy(`container_read_public_content',`
miscfiles_mounton_all_public_files(kubernetes_container_engine_domain)
')
tunable_policy(`container_use_dri',`
dev_mounton_dri_dev(kubernetes_container_engine_domain)
')
tunable_policy(`container_use_nfs',`
fs_getattr_nfs(kubernetes_container_engine_domain)
fs_remount_nfs(kubernetes_container_engine_domain)
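Review bot: The new `container_use_dri` block grants `mounton` on DRI device nodes to every domain carrying the kubernetes_container_engine_domain attribute, so the boolean now also changes the engines' own host-side permissions, while its name suggests it governs container access to DRI. The tunable's declaration is not visible on this page; if its description mentions only containers, it should be extended to say that container engines may mount on DRI device nodes when it is enabled, so an administrator toggling it knows the full effect. A one-line comment inside the block would help as well, e.g. `# engines bind-mount the DRI nodes into containers that use them`, which is presumably the reason and should be confirmed by the author.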