flatcar-scripts

mirror of https://github.com/flatcar/scripts.git synced 2025-08-17 18:06:59 +02:00

History

Mathieu Tortuyaux 5c5b78cb8d sec-policy/selinux-virt: fix flannel CNI creation flannel uses an init container to pull CNI from container to the host system in `/etc/cni`. With SELinux, the permission is denied because `/etc/cni` is labelled with `etc_t` so it can't be access by Docker since it expects `svirt_lxc_file_t`. Using `filetrans_pattern` we can define a mechanism to create `/etc/cni` with the correct labels even if it's not yet created - which avoid to run `restorecon` on `/etc/cni`. Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>	2021-08-11 16:24:54 +02:00
..
src/third_party/coreos-overlay	sec-policy/selinux-virt: fix flannel CNI creation	2021-08-11 16:24:54 +02:00

Mathieu Tortuyaux 5c5b78cb8d sec-policy/selinux-virt: fix flannel CNI creation

flannel uses an init container to pull CNI from container to the host
system in `/etc/cni`.
With SELinux, the permission is denied because `/etc/cni` is labelled
with `etc_t` so it can't be access by Docker since it expects `svirt_lxc_file_t`.

Using `filetrans_pattern` we can define a mechanism to create `/etc/cni`
with the correct labels even if it's not yet created - which avoid to
run `restorecon` on `/etc/cni`.

Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>

2021-08-11 16:24:54 +02:00

src/third_party/coreos-overlay

sec-policy/selinux-virt: fix flannel CNI creation

2021-08-11 16:24:54 +02:00