mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-10-03 03:21:43 +02:00
Code Issues Packages Projects Releases Wiki Activity

sec-policy/selinux-virt: fix flannel CNI creation

Browse Source 
flannel uses an init container to pull CNI from container to the host
system in `/etc/cni`.
With SELinux, the permission is denied because `/etc/cni` is labelled
with `etc_t` so it can't be access by Docker since it expects `svirt_lxc_file_t`.

Using `filetrans_pattern` we can define a mechanism to create `/etc/cni`
with the correct labels even if it's not yet created - which avoid to
run `restorecon` on `/etc/cni`.

Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
This commit is contained in:
Mathieu Tortuyaux 2021-08-11 16:24:54 +02:00
parent 37e0e8d92c
commit 5c5b78cb8d
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch vendored
View File

@ -36,4 +36,4 @@ index 256ea58..f72fbba 100644
+allow svirt_lxc_net_t var_lib_t:file { entrypoint execute execute_no_trans };
+allow svirt_lxc_net_t kernel_t:fifo_file { getattr ioctl read write open append };
+allow svirt_lxc_net_t initrc_t:fifo_file { getattr ioctl read write open append };
+
+filetrans_pattern(kernel_t, etc_t, svirt_lxc_file_t, dir, "cni");