
sec-policy/selinux-virt: add rules to run flannel with SELinux enforced mode #1181

Merged
merged 3 commits into from
Aug 12, 2021
10 changes: 8 additions & 2 deletions sec-policy/selinux-virt/files/virt.patch
@@ -1,7 +1,7 @@
index 256ea58..f72fbba 100644
index 4943ad79d..8b0ed779e 100644
--- services/virt.te
+++ services/virt.te
@@ -1378,3 +1378,35 @@ sysnet_dns_name_resolve(virtlogd_t)
@@ -1377,3 +1377,41 @@ sysnet_dns_name_resolve(virtlogd_t)

virt_manage_log(virtlogd_t)
virt_read_config(virtlogd_t)
@@ -36,4 +36,10 @@ index 256ea58..f72fbba 100644
+allow svirt_lxc_net_t var_lib_t:file { entrypoint execute execute_no_trans };
+allow svirt_lxc_net_t kernel_t:fifo_file { getattr ioctl read write open append };
+allow svirt_lxc_net_t initrc_t:fifo_file { getattr ioctl read write open append };
+filetrans_pattern(kernel_t, etc_t, svirt_lxc_file_t, dir, "cni");
+
+# this is required by flanneld
+allow svirt_lxc_net_t kernel_t:system { module_request };
+
+# required by flanneld to write into /run/flannel/subnet.env
+filetrans_pattern(kernel_t, var_run_t, svirt_lxc_file_t, dir, "flannel");
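Review bot: The new `allow svirt_lxc_net_t kernel_t:system { module_request };` is granted to the whole svirt_lxc_net_t domain, so every network-enabled container running in that domain — not only flanneld — gains the ability to trigger kernel module autoloading, and the comment "this is required by flanneld" does not record which operation needs it, so nobody can later judge whether the rule is still necessary. Please expand the comment to something like `# flanneld triggers module autoload when it sets up its backend interface (TODO: name the module); note this applies to every svirt_lxc_net_t container, not just flannel` and, if the module can be loaded on the host at boot, consider whether this could become a dontaudit instead of an allow. The last rule's comment says "required by flanneld to write into /run/flannel/subnet.env", but the rule itself only makes kernel_t create `/run/flannel` labelled svirt_lxc_file_t (the container's write access comes from its existing svirt_lxc_file_t rules, presumably), so a comment such as `# label /run/flannel as svirt_lxc_file_t when kernel_t creates it, so flanneld (svirt_lxc_net_t) can write subnet.env there` would describe what it actually does. The enclosing inner hunk of virt.patch starts outside this view.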