Merge pull request containers#291 from haircommander/engine_t-improve…
…ments

container_engine_t: improve for podman in kubernetes case
rhatdan authored Dec 22, 2023
2 parents 289df82 + 6859af3 commit 540fa9b
Showing 1 changed file with 12 additions and 8 deletions.
20 changes: 12 additions & 8 deletions container.te
Original file line number Diff line number Diff line change
Expand Up @@ -1409,19 +1409,23 @@ fs_mounton_cgroup(container_engine_t)
fs_unmount_cgroup(container_engine_t)
fs_manage_cgroup_dirs(container_engine_t)
fs_manage_cgroup_files(container_engine_t)
fs_mount_tmpfs(container_engine_t)
fs_write_cgroup_files(container_engine_t)

allow container_engine_t proc_t:file mounton;
allow container_engine_t sysctl_t:file mounton;
allow container_engine_t sysfs_t:filesystem remount;

fs_remount_cgroup(container_engine_t)
fs_mount_all_fs(container_engine_t)
fs_remount_all_fs(container_engine_t)
fs_unmount_all_fs(container_engine_t)
kernel_mounton_all_sysctls(container_engine_t)
kernel_mount_proc(container_engine_t)
kernel_mounton_core_if(container_engine_t)
kernel_mounton_proc(container_engine_t)
kernel_mounton_core_if(container_engine_t)
kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)

term_mount_pty_fs(container_engine_t)
term_use_generic_ptys(container_engine_t)

allow container_engine_t container_file_t:chr_file mounton;
allow container_engine_t filesystem_type:{dir file} mounton;
allow container_engine_t proc_kcore_t:file mounton;


type kubelet_t, container_runtime_domain;
domain_type(kubelet_t)
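Review bot: The `fs_mount_all_fs`, `fs_remount_all_fs`, `fs_unmount_all_fs` and `allow container_engine_t filesystem_type:{dir file} mounton;` lines in this hunk grant mount, remount, unmount and mounton on every filesystem type the policy knows, while the lines they sit next to (proc_t, sysctl_t, sysfs_t, cgroup, pty) are scoped to named types; the rendered page has lost the +/- markers, so I read the type-wide interfaces as the additions, but the commit message and the hunk give no record of which AVC denials from the podman-in-kubernetes case needed them. Since container_engine_t is typically reached by an engine that runs with the host's mount namespace, a reviewer later cannot tell whether the wildcard scope was required or a convenience, so a comment above the first `fs_remount_cgroup(container_engine_t)` line should say so, e.g. `# podman nested in a kubernetes pod mounts/masks proc, sysctl and kcore paths and remounts sysfs/cgroup; the *_all_fs interfaces are deliberately type-wide, see containers#291`. If only a handful of types actually showed up in the denials (tmpfs, overlay, cgroup2, sysfs), naming them instead of the `_all_fs` interfaces would keep the same behaviour for that case while leaving the rest of `filesystem_type` out of reach. The surrounding allow-rule run for container_engine_t continues above the hunk.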
