tweaked selinux policy
mysticaltech committed Apr 5, 2023
1 parent b49aea8 commit 8c92f39
Showing 1 changed file with 14 additions and 2 deletions.
16 changes: 14 additions & 2 deletions locals.tf
Expand Up @@ -564,14 +564,16 @@ EOF
type kernel_t, bin_t, kernel_generic_helper_t, iscsid_t, iscsid_exec_t, var_run_t,
init_t, unlabeled_t, systemd_logind_t, systemd_hostnamed_t, container_t,
cert_t, container_var_lib_t, etc_t, usr_t, container_file_t, container_log_t,
container_share_t, container_runtime_exec_t, container_runtime_t;
container_share_t, container_runtime_exec_t, container_runtime_t, var_log_t, proc_t;
class key { read view };
class file { open read execute execute_no_trans create link lock read rename write append setattr unlink getattr };
class file { open read execute execute_no_trans create link lock rename write append setattr unlink getattr watch };
class sock_file { write create unlink };
class unix_dgram_socket create;
class unix_stream_socket { connectto read write };
class dir { add_name create getattr link lock read rename remove_name reparent rmdir setattr unlink search write };
class lnk_file { read create };
class system module_request;
class filesystem associate;
}
#============= kernel_generic_helper_t ==============
Expand All @@ -587,6 +589,7 @@ EOF
#============= init_t ==============
allow init_t unlabeled_t:dir { add_name remove_name rmdir };
allow init_t unlabeled_t:lnk_file create;
allow init_t container_t:file { open read };
#============= systemd_logind_t ==============
allow systemd_logind_t unlabeled_t:dir search;
Expand All @@ -612,6 +615,15 @@ EOF
allow container_t container_share_t:file { read write create unlink };
allow container_t container_runtime_exec_t:file { read execute execute_no_trans open };
allow container_t container_runtime_t:unix_stream_socket { connectto read write };
allow container_t kernel_t:system module_request;
allow container_t container_log_t:dir read;
allow container_t container_log_t:file { open read watch };
allow container_t container_log_t:lnk_file read;
allow container_t var_log_t:dir { add_name write };
allow container_t var_log_t:file { create lock open read setattr write };
allow container_t var_log_t:dir remove_name;
allow container_t var_log_t:file unlink;
allow container_t proc_t:filesystem associate;
# Create the k3s registries file if needed
%{if var.k3s_registries != ""}
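Review bot: The new rules `allow container_t var_log_t:dir { add_name write }`, `allow container_t var_log_t:file { create lock open read setattr write }`, `allow container_t var_log_t:dir remove_name;` and `allow container_t var_log_t:file unlink;` let every process in the generic container_t domain create, modify and delete files carrying the host's var_log_t label, which removes the log-integrity separation SELinux normally keeps between containers and host logs, and the same domain is also granted `kernel_t:system module_request`, i.e. the ability to trigger kernel module autoloading from inside a container. If a specific workload needs to write host logs, it is safer to label that directory container_log_t (which the same hunk already covers with `{ open read watch }`) or a dedicated type rather than opening var_log_t to all containers, and to record in the policy which workload each rule exists for. At minimum a comment such as `# var_log_t write/unlink and module_request: required by <workload>; applies to every container_t process` above the new lines would make the trade-off visible to the next maintainer. The split of remove_name and unlink into separate rules from the add_name/write and create/write rules two lines above looks like an audit2allow artefact and can be merged into the existing permission sets. The policy heredoc this hunk belongs to starts and ends outside the hunk.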
