From 5c5b78cb8d63e22262f52ba24141c6f83454145a Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Wed, 11 Aug 2021 16:24:54 +0200 Subject: [PATCH] sec-policy/selinux-virt: fix flannel CNI creation flannel uses an init container to pull CNI from the container to the host system in `/etc/cni`. With SELinux, the permission is denied because `/etc/cni` is labelled with `etc_t` so it can't be accessed by Docker since it expects `svirt_lxc_file_t`. Using `filetrans_pattern` we can define a mechanism to create `/etc/cni` with the correct labels even if it's not yet created - which avoids running `restorecon` on `/etc/cni`. Signed-off-by: Mathieu Tortuyaux --- .../coreos-overlay/sec-policy/selinux-virt/files/virt.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch index 1fd778db48..faad21146c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch +++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch @@ -36,4 +36,4 @@ index 256ea58..f72fbba 100644 +allow svirt_lxc_net_t var_lib_t:file { entrypoint execute execute_no_trans }; +allow svirt_lxc_net_t kernel_t:fifo_file { getattr ioctl read write open append }; +allow svirt_lxc_net_t initrc_t:fifo_file { getattr ioctl read write open append }; -+ ++filetrans_pattern(kernel_t, etc_t, svirt_lxc_file_t, dir, "cni");
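Review bot: the new `++filetrans_pattern(kernel_t, etc_t, svirt_lxc_file_t, dir, "cni");` line only fires when the process creating the directory runs in `kernel_t`; if the directory is created by a container process in `svirt_lxc_net_t` (the domain the surrounding `allow` lines are for), or if `/etc/cni` already exists labelled `etc_t`, it stays `etc_t` and the `restorecon` the commit message wants to avoid is still needed. Please state in the commit message which domain actually creates `/etc/cni` on the host and that the rule covers fresh creation only. Two further points worth a sentence in the message: a name transition keyed on `cni` under `etc_t` matches any directory labelled `etc_t`, not just `/etc` itself, and labelling `/etc/cni` as `svirt_lxc_file_t` gives every container domain that may write `svirt_lxc_file_t` write access to the host's CNI configuration, so either record that trade-off or narrow the rule to the domain and path the flannel init container actually needs.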