selinux: ocp415: remove redundant process

the process context we expect is kubelet_t, minimize permission removing spurious one Signed-off-by: Francesco Romani <[email protected]>
k8stopologyawareschedwg · Jan 16, 2024 · cf85d2b · cf85d2b
1 parent e0da204
commit cf85d2b
Showing 1 changed file with 0 additions and 1 deletion.
diff --git a/pkg/assets/selinux/policy/ocp_v4.15.cil b/pkg/assets/selinux/policy/ocp_v4.15.cil
@@ -20,6 +20,5 @@
 	;
 	; Allow to RTE pod connect, read and write permissions to /var/lib/kubelet/pod-resource/kubelet.sock
 	(allow process container_var_lib_t (sock_file (open getattr read write ioctl lock append)))
-	(allow process container_var_lib_t (unix_stream_socket (connectto)))
 	(allow process kubelet_t (unix_stream_socket (connectto)))
 )