Merge pull request #33 from lopf/32-add-watch-permission
32 watch permissions are required by fluentbit
andypitcher authored Dec 7, 2023
2 parents 17fe9c1 + d865881 commit 4b6a0f4
Showing 2 changed files with 6 additions and 6 deletions.
6 changes: 3 additions & 3 deletions policy/centos8/rancher.te
Expand Up @@ -31,22 +31,22 @@ gen_require(`
type syslogd_var_run_t;
type var_log_t;
class dir { read search };
class file { open read };
class file { getattr map open read watch };
class lnk_file { getattr read };
')
container_domain_template(rke_logreader, container)
virt_sandbox_domain(rke_logreader_t)
corenet_unconfined(rke_logreader_t)
allow rke_logreader_t container_log_t:dir { open read search };
allow rke_logreader_t container_log_t:lnk_file { getattr read };
allow rke_logreader_t container_log_t:file { getattr open read };
allow rke_logreader_t container_log_t:file { getattr open read watch };
allow rke_logreader_t container_var_lib_t:dir search;
allow rke_logreader_t container_var_lib_t:file { getattr open read };
allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
allow rke_logreader_t syslogd_var_run_t:dir read;
allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
allow rke_logreader_t var_log_t:dir read;
allow rke_logreader_t var_log_t:file { getattr map open read };
allow rke_logreader_t var_log_t:file { getattr map open read watch };

########################
# type rke_container_t #
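Review bot: `watch` is added only on the `file` class, so the `dir` class in the gen_require block still declares just `{ read search }` and no rule grants `watch` on `container_log_t:dir` or `var_log_t:dir`; if fluent-bit's tail input places an inotify watch on the log directory to notice rotation and new files (inferred from the commit message, not visible here), that will still be denied and the fix would be `class dir { read search watch };` plus `allow rke_logreader_t container_log_t:dir { open read search watch };`. The kernel splits watches into `watch`, `watch_reads`, `watch_mount` and `watch_sb`, so if fluent-bit registers for access/close events a `watch_reads` denial may follow — worth checking the audit log after deployment rather than pre-granting it, since the current rule set is appropriately narrow. For the centos8 target specifically, `watch` permissions only exist in newer kernels and selinux-policy builds, so a one-line comment above the gen_require block noting the minimum kernel/policy version this module now requires would save the next maintainer a build failure on older hosts. The gen_require block begins above this hunk.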
6 changes: 3 additions & 3 deletions policy/centos9/rancher.te
Expand Up @@ -31,22 +31,22 @@ gen_require(`
type syslogd_var_run_t;
type var_log_t;
class dir { read search };
class file { open read };
class file { getattr map open read watch };
class lnk_file { getattr read };
')
container_domain_template(rke_logreader, container)
virt_sandbox_domain(rke_logreader_t)
corenet_unconfined(rke_logreader_t)
allow rke_logreader_t container_log_t:dir { open read search };
allow rke_logreader_t container_log_t:lnk_file { getattr read };
allow rke_logreader_t container_log_t:file { getattr open read };
allow rke_logreader_t container_log_t:file { getattr open read watch };
allow rke_logreader_t container_var_lib_t:dir search;
allow rke_logreader_t container_var_lib_t:file { getattr open read };
allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
allow rke_logreader_t syslogd_var_run_t:dir read;
allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
allow rke_logreader_t var_log_t:dir read;
allow rke_logreader_t var_log_t:file { getattr map open read };
allow rke_logreader_t var_log_t:file { getattr map open read watch };

########################
# type rke_container_t #
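Review bot: The new `watch` grants on `container_log_t:file` and `var_log_t:file` are the minimum for modify/attrib events on already-open files, but no `watch` is granted on any `dir` class and the gen_require still declares `class dir { read search }`, so directory-level inotify watches (the usual way a tailer detects new or rotated log files) would be denied; confirm against the AVC denials that motivated this change before assuming the file-level grant is sufficient. The file-class grant is scoped to the two log types rather than to the domain's other file types such as `container_var_lib_t`, which is the right least-privilege shape. Suggest documenting the intent inline, e.g. `# watch: fluent-bit tail input uses inotify on log files (kernel watch perms)`, above the first `allow ... watch` rule so the permission is not removed later as unexplained. The gen_require block begins above this hunk.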
