-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #320 from k8stopologyawareschedwg/fix_selinux_policy
selinux: allow access to kubelet_var_lib_t
- Loading branch information
Showing
4 changed files
with
69 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
(block rte | ||
(type process) | ||
(roletype system_r process) | ||
(typeattributeset domain (process)) | ||
; | ||
; Giving rte.process the same attributes as container_t | ||
(typeattributeset container_domain (process)) | ||
(typeattributeset container_net_domain (process)) | ||
(typeattributeset svirt_sandbox_domain (process)) | ||
(typeattributeset sandbox_net_domain (process)) | ||
; MCS is leveraged by container_t and others, like us, to prevent cross-pod communication. | ||
(typeattributeset mcs_constrained_type (process)) | ||
; | ||
; Allow access to procfs (also needed by libraries) | ||
(allow process proc_type (file (open read))) | ||
; | ||
; Allow to RTE pod access to /run/rte directory | ||
(allow process container_var_run_t (dir (add_name write))) | ||
(allow process container_var_run_t (file (create read write open))) | ||
; | ||
; Allow to RTE pod connect, read and write permissions to /var/lib/kubelet/pod-resource/kubelet.sock | ||
(allow process container_var_lib_t (sock_file (open getattr read write ioctl lock append))) | ||
(allow process kubelet_t (unix_stream_socket (connectto))) | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
(block rte | ||
(type process) | ||
(roletype system_r process) | ||
(typeattributeset domain (process)) | ||
; | ||
; Giving rte.process the same attributes as container_t | ||
(typeattributeset container_domain (process)) | ||
(typeattributeset container_net_domain (process)) | ||
(typeattributeset svirt_sandbox_domain (process)) | ||
(typeattributeset sandbox_net_domain (process)) | ||
; MCS is leveraged by container_t and others, like us, to prevent cross-pod communication. | ||
(typeattributeset mcs_constrained_type (process)) | ||
; | ||
; Allow access to procfs (also needed by libraries) | ||
(allow process proc_type (file (open read))) | ||
; | ||
; Allow to RTE pod access to /run/rte directory | ||
(allow process container_var_run_t (dir (add_name write))) | ||
(allow process container_var_run_t (file (create read write open))) | ||
; | ||
; Allow to RTE pod connect, read and write permissions to /var/lib/kubelet/pod-resource/kubelet.sock | ||
(allow process container_var_lib_t (sock_file (open getattr read write ioctl lock append))) | ||
(allow process kubelet_var_lib_t (sock_file (open getattr read write ioctl lock append))) | ||
(allow process kubelet_t (unix_stream_socket (connectto))) | ||
) |