Replace kubernetes_file_t with rke_etc_t for centos7
CentOS 7 uses container-selinux-2.119.2-1.911c772.el7_8.noarch (latest), which doesn't include kubernetes_file_t (introduced in v2.144 and later). This type is, however, used (required) to create rke_kubereader_t in rancher.te, so the type rke_kubereader_t is not installable/available. The container k8s_copy-certs_pushprox-kube-etcd-client (Monitoring chart) then falls back to container_t.
This commit replaces kubernetes_file_t with rke_etc_t, keeping the same permissions.
andypitcher committed Nov 30, 2023
1 parent 3447fb6 commit 3d2e12a
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions policy/centos7/rancher.te
Expand Up @@ -9,17 +9,17 @@ gen_require(`
########################
gen_require(`
type container_runtime_t, unconfined_service_t;
type kubernetes_file_t;
type rke_etc_t;
class dir { open read search };
class file { getaddr open read };
class lnk_file { getattr read };
')
container_domain_template(rke_kubereader)
virt_sandbox_domain(rke_kubereader_t)
corenet_unconfined(rke_kubereader_t)
allow rke_kubereader_t kubernetes_file_t:dir { open read search };
allow rke_kubereader_t kubernetes_file_t:file { getattr open read };
allow rke_kubereader_t kubernetes_file_t:lnk_file { getattr read };
allow rke_kubereader_t rke_etc_t:dir { open read search };
allow rke_kubereader_t rke_etc_t:file { getattr open read };
allow rke_kubereader_t rke_etc_t:lnk_file { getattr read };

########################
# type rke_logreader_t #
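Review bot: the unchanged gen_require block in this hunk still declares `class file { getaddr open read };` while the new allow rule on rke_etc_t grants `getattr`; `getaddr` is not a permission of the file class, so unless this is a rendering artifact the require line should read `class file { getattr open read };` to match `allow rke_kubereader_t rke_etc_t:file { getattr open read };`. It would also help to add a one-line comment next to `type rke_etc_t;` recording why rke_etc_t is used here instead of kubernetes_file_t (the container-selinux 2.119.2 build on CentOS 7 lacks that type, as the commit message explains), so the reason is visible in the policy file itself rather than only in the history.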
