Merge pull request #1273 from kube-hetzner/fix/SELinux

mysticaltech · web-flow · commit bdcf51228721 · 2024-03-12T23:08:21.000+01:00
Fix missing SELinux rules
diff --git a/locals.tf b/locals.tf
@@ -793,7 +793,8 @@ EOF
       type kernel_t, bin_t, kernel_generic_helper_t, iscsid_t, iscsid_exec_t, var_run_t,
       init_t, unlabeled_t, systemd_logind_t, systemd_hostnamed_t, container_t,
       cert_t, container_var_lib_t, etc_t, usr_t, container_file_t, container_log_t,
-      container_share_t, container_runtime_exec_t, container_runtime_t, var_log_t, proc_t, io_uring_t, fuse_device_t, http_port_t;
+      container_share_t, container_runtime_exec_t, container_runtime_t, var_log_t, proc_t, io_uring_t, fuse_device_t, http_port_t,
+      container_var_run_t;
       class key { read view };
       class file { open read execute execute_no_trans create link lock rename write append setattr unlink getattr watch };
       class sock_file { watch write create unlink };
@@ -805,7 +806,7 @@ EOF
       class filesystem associate;
       class bpf map_create;
       class io_uring sqpoll;
-      class anon_inode create;
+      class anon_inode { create map read write };
       class tcp_socket name_connect;
       class chr_file { open read write };
     }
@@ -850,6 +851,7 @@ EOF
     allow container_t container_file_t:file { open read write append getattr setattr };
     allow container_t container_file_t:sock_file watch;
     allow container_t container_log_t:file { open read write append getattr setattr };
+    allow container_t container_log_t:dir read;
     allow container_t container_share_t:dir { read write add_name remove_name };
     allow container_t container_share_t:file { read write create unlink };
     allow container_t container_runtime_exec_t:file { read execute execute_no_trans open };
@@ -864,9 +866,10 @@ EOF
     allow container_t var_log_t:file unlink;
     allow container_t proc_t:filesystem associate;
     allow container_t self:bpf map_create;
-    allow container_t io_uring_t:anon_inode create;
     allow container_t self:io_uring sqpoll;
-    allow container_t io_uring_t:anon_inode { create };
+    allow container_t io_uring_t:anon_inode { create map read write };
+    allow container_t container_var_run_t:dir { add_name remove_name write };
+    allow container_t container_var_run_t:file { create open read rename unlink write };
 
 # Create the k3s registries file if needed
 %{if var.k3s_registries != ""}
