mirror of
https://github.com/flatcar/scripts.git
synced 2025-10-03 19:42:15 +02:00
sec-policy/selinux-virt: fix flannel CNI creation
flannel uses an init container to pull CNI from the container to the host system in `/etc/cni`. With SELinux, the permission is denied because `/etc/cni` is labelled with `etc_t`, so it can't be accessed by Docker, since it expects `svirt_lxc_file_t`. Using `filetrans_pattern` we can define a mechanism to create `/etc/cni` with the correct labels even if it's not yet created - which avoids running `restorecon` on `/etc/cni`.

Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
parent 37e0e8d92c
commit 5c5b78cb8d
@ -36,4 +36,4 @@ index 256ea58..f72fbba 100644
+allow svirt_lxc_net_t var_lib_t:file { entrypoint execute execute_no_trans };
+allow svirt_lxc_net_t kernel_t:fifo_file { getattr ioctl read write open append };
+allow svirt_lxc_net_t initrc_t:fifo_file { getattr ioctl read write open append };
+
+filetrans_pattern(kernel_t, etc_t, svirt_lxc_file_t, dir, "cni");
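Review bot: the new `filetrans_pattern(kernel_t, etc_t, svirt_lxc_file_t, dir, "cni")` rule only fires when the process creating `/etc/cni` runs in the `kernel_t` domain, while the commit message describes Docker and the flannel init container (the `svirt_lxc_net_t` rules just above) as the parties involved; please add a comment next to the rule stating which domain is expected to create the directory on this system and why that is `kernel_t`, so the next reader does not assume the container domain is covered. A named type transition also applies only at creation time: a `/etc/cni` that already exists with `etc_t` keeps that label and still needs `restorecon`, which is worth stating in the commit message, since "even if it's not yet created" reads as if both cases are handled.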