selinux: add kubelet_var_lib_t permissions
In a future rhel/rhcos release the podresourceAPI socket file's context might change
to `kubelet_var_lib_t`.

To deal with this issue in advance, we'll change the RTE custom policy
to support this new context as well.

Signed-off-by: Talor Itzhak <[email protected]>
(cherry picked from commit 12718ed)
Tal-or authored and ffromani committed Dec 9, 2024
1 parent c471889 commit a7b832c
Showing 2 changed files with 2 additions and 0 deletions.
1 change: 1 addition & 0 deletions pkg/assets/selinux/policy/ocp_v4.16.cil
Expand Up @@ -20,5 +20,6 @@
;
; Allow to RTE pod connect, read and write permissions to /var/lib/kubelet/pod-resource/kubelet.sock
(allow process container_var_lib_t (sock_file (open getattr read write ioctl lock append)))
(allow process kubelet_var_lib_t (sock_file (open getattr read write ioctl lock append)))
(allow process kubelet_t (unix_stream_socket (connectto)))
)
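Review bot: the new `kubelet_var_lib_t` line copies the full `container_var_lib_t` permission set (`open getattr read write ioctl lock append`) instead of the subset a Unix-socket connect actually exercises, and a freshly added rule is the right place to grant only what is needed. Reaching `kubelet.sock` through the `connectto` rule on `kubelet_t`'s stream socket requires `write` (plus `getattr` for the path lookup) on the `sock_file`; `open`, `append`, `lock` and `ioctl` do not apply to a socket inode the RTE pod never open(2)s. Suggest `(allow process kubelet_var_lib_t (sock_file (getattr write)))`, confirmed against the AVC log on a node where the socket already carries the new label, and then the same trim for the `container_var_lib_t` line in a follow-up. The comment above the rules also still names only the path; extend it to say the socket may be labeled either `container_var_lib_t` or `kubelet_var_lib_t` so the second rule is not mistaken for a leftover.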
1 change: 1 addition & 0 deletions pkg/assets/selinux/policy/ocp_v4.17.cil
Expand Up @@ -20,5 +20,6 @@
;
; Allow to RTE pod connect, read and write permissions to /var/lib/kubelet/pod-resource/kubelet.sock
(allow process container_var_lib_t (sock_file (open getattr read write ioctl lock append)))
(allow process kubelet_var_lib_t (sock_file (open getattr read write ioctl lock append)))
(allow process kubelet_t (unix_stream_socket (connectto)))
)
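Review bot: this hunk is identical line for line to the 4.16 one, so the permission-set and comment remarks there apply here unchanged; the duplication itself is worth a note, since a label change in the kubelet will now have to be replayed in every per-version `.cil` file. If these version files differ only in a header, consider deriving them from one template or a shared macro so a type rename lands once. The commit message should also state which OCP policy versions the change is intended to cover; it currently only says "a future rhel/rhcos release", which does not tell a reader whether 4.16 and 4.17 are the complete set.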

0 comments on commit a7b832c