overlay coreos/user-patches: Update a patch for sec-policy/selinux-container

We need to allow the net_raw capability for container_t so that ping works
inside Docker containers.
Krzesimir Nowak 2023-11-30 12:08:05 +01:00
parent 08cd903623
commit a631eb044b


@ -1,18 +1,16 @@
diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc
index 056aa6023..e4bcada03 100644
--- a/refpolicy/policy/modules/services/container.fc
+++ b/refpolicy/policy/modules/services/container.fc
@@ -113,3 +113,5 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0)
diff -p -r -u work/refpolicy/policy/modules/services/container.fc work2/refpolicy/policy/modules/services/container.fc
--- work/refpolicy/policy/modules/services/container.fc 2023-10-02 17:11:39.000000000 -0000
+++ work2/refpolicy/policy/modules/services/container.fc 2023-11-30 11:01:57.674590785 -0000
@@ -117,3 +117,5 @@ HOME_DIR/\.docker(/.*)? gen_context(sys
/var/log/kube-controller-manager(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/log/kube-proxy(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/log/kube-scheduler(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+
+/usr/share/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0)
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 5de421fc3..4a6c2760e 100644
--- a/refpolicy/policy/modules/services/container.te
+++ b/refpolicy/policy/modules/services/container.te
@@ -1007,3 +1007,62 @@ optional_policy(`
diff -p -r -u work/refpolicy/policy/modules/services/container.te work2/refpolicy/policy/modules/services/container.te
--- work/refpolicy/policy/modules/services/container.te 2023-10-02 17:11:39.000000000 -0000
+++ work2/refpolicy/policy/modules/services/container.te 2023-11-30 11:03:31.875742024 -0000
@@ -1088,3 +1088,65 @@ optional_policy(`
unconfined_domain_noaudit(spc_user_t)
domain_ptrace_all_domains(spc_user_t)
')
@ -58,6 +56,9 @@ index 5de421fc3..4a6c2760e 100644
+allow container_t initrc_t:fifo_file { getattr ioctl read write open append };
+filetrans_pattern(kernel_t, etc_t, container_file_t, dir, "cni");
+
+# for ping inside docker
+allow container_t self:capability net_raw;
+
+# this is required by flanneld
+allow container_t kernel_t:system { module_request };
+
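Review bot: The new `allow container_t self:capability net_raw;` is unconditional, so every domain of type container_t gains raw and packet sockets (sniffing and spoofing inside its own network namespace), not only containers that actually run ping. Consider gating it behind a boolean so the default policy stays tight and operators opt in, reusing an existing refpolicy tunable if one already covers this. Recent iputils ping can also use unprivileged ICMP datagram sockets when `net.ipv4.ping_group_range` includes the container user, so the capability may not be needed at all — worth confirming before widening the policy. The comment would be clearer as `# CAP_NET_RAW so ping (raw ICMP sockets) works inside Docker containers`. The adjacent `module_request` rule looks like pre-existing context here; if it is new it deserves the same scrutiny, since it lets containers trigger kernel module autoloading.

```selinux
# declare alongside the module's other tunables
gen_tunable(container_net_raw, false)

# … unchanged: initrc_t fifo_file rule, cni filetrans …

# CAP_NET_RAW so ping (raw ICMP sockets) works inside Docker containers
tunable_policy(`container_net_raw',`
	allow container_t self:capability net_raw;
')
```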