|
793 | 793 | type kernel_t, bin_t, kernel_generic_helper_t, iscsid_t, iscsid_exec_t, var_run_t,
|
794 | 794 | init_t, unlabeled_t, systemd_logind_t, systemd_hostnamed_t, container_t,
|
795 | 795 | cert_t, container_var_lib_t, etc_t, usr_t, container_file_t, container_log_t,
|
796 |
| - container_share_t, container_runtime_exec_t, container_runtime_t, var_log_t, proc_t, io_uring_t; |
| 796 | + container_share_t, container_runtime_exec_t, container_runtime_t, var_log_t, proc_t, io_uring_t, fuse_device_t, http_port_t; |
797 | 797 | class key { read view };
|
798 | 798 | class file { open read execute execute_no_trans create link lock rename write append setattr unlink getattr watch };
|
799 | 799 | class sock_file { watch write create unlink };
|
|
806 | 806 | class bpf map_create;
|
807 | 807 | class io_uring sqpoll;
|
808 | 808 | class anon_inode create;
|
| 809 | + class tcp_socket name_connect; |
| 810 | + class chr_file { open read write }; |
809 | 811 | }
|
810 | 812 |
|
811 | 813 | #============= kernel_generic_helper_t ==============
|
|
822 | 824 | allow init_t unlabeled_t:dir { add_name remove_name rmdir };
|
823 | 825 | allow init_t unlabeled_t:lnk_file create;
|
824 | 826 | allow init_t container_t:file { open read };
|
| 827 | + allow init_t container_file_t:file { execute execute_no_trans }; |
| 828 | + allow init_t fuse_device_t:chr_file { open read write }; |
| 829 | + allow init_t http_port_t:tcp_socket name_connect; |
825 | 830 |
|
826 | 831 | #============= systemd_logind_t ==============
|
827 | 832 | allow systemd_logind_t unlabeled_t:dir search;
|
|
861 | 866 | allow container_t self:bpf map_create;
|
862 | 867 | allow container_t io_uring_t:anon_inode create;
|
863 | 868 | allow container_t self:io_uring sqpoll;
|
| 869 | + allow container_t io_uring_t:anon_inode { create map read write }; |
864 | 870 |
|
865 | 871 | # Create the k3s registries file if needed
|
866 | 872 | %{if var.k3s_registries != ""}
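Review bot: The new `allow container_t io_uring_t:anon_inode { create map read write };` (new line 869) subsumes the existing `allow container_t io_uring_t:anon_inode create;` two lines above it, so the older rule is now redundant and should be deleted so each source/target/class pair appears once in the module. The three `init_t` rules added in the earlier hunk (new lines 827–829) widen init_t noticeably — in-domain execution of `container_file_t` files via `execute_no_trans`, read/write on `fuse_device_t`, and outbound connects to `http_port_t` — and nothing visible on the page records which denial each one answers. I would precede that group with a comment such as `# init_t: required by <unit or binary — fill in from the audit denial that motivated this>` so a later reader can judge whether `execute_no_trans` is genuinely needed or a domain transition would suffice. The file header and commit description for this section are outside the visible range, so the rationale may already be stated there.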
|
|