From c34b1234d8e4d32f9ab02cb5e2f941da65019191 Mon Sep 17 00:00:00 2001
From: Talor Itzhak
Date: Mon, 9 Dec 2024 17:14:50 +0200
Subject: [PATCH] selinux: add kubelet_var_lib_t permissions

In future rhel/rhcos release podresourceAPI socket file's context might change to `kubelet_var_lib_t`. To deal with this issue in advance we'll change RTE custom policy to support this new context as well.

Signed-off-by: Talor Itzhak

(cherry picked from commit 12718ed5c8ea8647588b28104c371a0096759663)
---
 pkg/assets/selinux/policy/ocp_v4.16.cil | 1 +
 pkg/assets/selinux/policy/ocp_v4.17.cil | 1 +
 2 files changed, 2 insertions(+)

diff --git a/pkg/assets/selinux/policy/ocp_v4.16.cil b/pkg/assets/selinux/policy/ocp_v4.16.cil
index 99985d2f..2913ef3f 100644
--- a/pkg/assets/selinux/policy/ocp_v4.16.cil
+++ b/pkg/assets/selinux/policy/ocp_v4.16.cil
@@ -20,5 +20,6 @@
 ;
 ; Allow to RTE pod connect, read and write permissions to /var/lib/kubelet/pod-resource/kubelet.sock
 (allow process container_var_lib_t (sock_file (open getattr read write ioctl lock append)))
+ (allow process kubelet_var_lib_t (sock_file (open getattr read write ioctl lock append)))
 (allow process kubelet_t (unix_stream_socket (connectto)))
 )
diff --git a/pkg/assets/selinux/policy/ocp_v4.17.cil b/pkg/assets/selinux/policy/ocp_v4.17.cil
index 99985d2f..2913ef3f 100644
--- a/pkg/assets/selinux/policy/ocp_v4.17.cil
+++ b/pkg/assets/selinux/policy/ocp_v4.17.cil
@@ -20,5 +20,6 @@
 ;
 ; Allow to RTE pod connect, read and write permissions to /var/lib/kubelet/pod-resource/kubelet.sock
 (allow process container_var_lib_t (sock_file (open getattr read write ioctl lock append)))
+ (allow process kubelet_var_lib_t (sock_file (open getattr read write ioctl lock append)))
 (allow process kubelet_t (unix_stream_socket (connectto)))
 )
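Review bot: The added `(allow process kubelet_var_lib_t ...)` rule references the type unconditionally, so on any target where `kubelet_var_lib_t` is not declared in the base policy the CIL module will fail to resolve and will not load at all; since the message describes the relabel as a future change, it is worth confirming that the type already exists on the 4.16 and 4.17 base policies this file is installed on. The same line is added in the ocp_v4.17.cil hunk, and both files carry identical content (same blob ids), so they need to stay in sync by hand. The new line also copies the full permission set from the `container_var_lib_t` rule (`open getattr read write ioctl lock append`); connecting to a Unix stream socket needs `write` (and in practice `getattr`) on the sock_file, so the remainder is probably wider than the RTE pod requires on either label and could be trimmed on both lines, verified against the AVC denials actually observed. The comment above the rules still names a single path and implies a single label; I would extend it with `; The socket's file context is container_var_lib_t or kubelet_var_lib_t depending on the RHEL/RHCOS release, so both are allowed.`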