
Commit a631eb0

committed
overlay coreos/user-patches: Update a patch for sec-policy/selinux-container
We need to enable the net_raw capability for ping inside the Docker container.
1 parent 08cd903 commit a631eb0

1 file changed

+11
-10
lines changed
  • sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-container


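--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-container/container.patch
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-container/container.patch
@@ -1,18 +1,16 @@
-diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc
-index 056aa6023..e4bcada03 100644
---- a/refpolicy/policy/modules/services/container.fc
-+++ b/refpolicy/policy/modules/services/container.fc
-@@ -113,3 +113,5 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0)
+diff -p -r -u work/refpolicy/policy/modules/services/container.fc work2/refpolicy/policy/modules/services/container.fc
+--- work/refpolicy/policy/modules/services/container.fc 2023-10-02 17:11:39.000000000 -0000
++++ work2/refpolicy/policy/modules/services/container.fc 2023-11-30 11:01:57.674590785 -0000
+@@ -117,3 +117,5 @@ HOME_DIR/\.docker(/.*)? gen_context(sys
 /var/log/kube-controller-manager(/.*)? gen_context(system_u:object_r:container_log_t,s0)
 /var/log/kube-proxy(/.*)? gen_context(system_u:object_r:container_log_t,s0)
 /var/log/kube-scheduler(/.*)? gen_context(system_u:object_r:container_log_t,s0)
 +
 +/usr/share/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0)
-diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
-index 5de421fc3..4a6c2760e 100644
---- a/refpolicy/policy/modules/services/container.te
-+++ b/refpolicy/policy/modules/services/container.te
-@@ -1007,3 +1007,62 @@ optional_policy(`
+diff -p -r -u work/refpolicy/policy/modules/services/container.te work2/refpolicy/policy/modules/services/container.te
+--- work/refpolicy/policy/modules/services/container.te 2023-10-02 17:11:39.000000000 -0000
++++ work2/refpolicy/policy/modules/services/container.te 2023-11-30 11:03:31.875742024 -0000
+@@ -1088,3 +1088,65 @@ optional_policy(`
 unconfined_domain_noaudit(spc_user_t)
 domain_ptrace_all_domains(spc_user_t)
 ')
@@ -58,6 +56,9 @@ index 5de421fc3..4a6c2760e 100644
 +allow container_t initrc_t:fifo_file { getattr ioctl read write open append };
 +filetrans_pattern(kernel_t, etc_t, container_file_t, dir, "cni");
 +
++# for ping inside docker
++allow container_t self:capability net_raw;
++
 +# this is required by flanneld
 +allow container_t kernel_t:system { module_request };
 +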
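Review bot: The added `allow container_t self:capability net_raw;` in the second hunk grants the capability to every process running in container_t, and CAP_NET_RAW covers raw and packet sockets (address spoofing, traffic capture), not only ICMP echo, so the `# for ping inside docker` comment understates the scope of the rule. Whether a container can actually exercise it still depends on the runtime leaving NET_RAW in the container's bounding set, so this line alone opens nothing by itself, but it removes the policy-side denial for all containers at once rather than for ping specifically. Consider documenting that in place, e.g. `# for ping inside docker; note: net_raw also permits raw/packet sockets for any container_t process — the net.ipv4.ping_group_range sysctl allows ICMP echo without it`, or wrapping the rule in a tunable_policy block so deployments that do not need it keep the denial. The larger added block in container.te that these lines sit in (the 65-line hunk starting at line 1088) continues outside this hunk.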
