Skip to content

Add watch permissions on rke_logreader_t:var_log_t:dir context #73

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
May 28, 2025
Merged

Add watch permissions on rke_logreader_t:var_log_t:dir context #73

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions policy/centos8/rancher.te
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ gen_require(`
type kubernetes_file_t, container_log_t, syslogd_var_run_t;
type var_log_t, container_var_run_t, container_var_lib_t;
type iptables_var_run_t, var_run_t, kernel_t, rke_opt_t, security_t;
class dir { open read search };
class dir { open read search watch };
class file { getaddr getattr map open read watch relabelfrom relabelto };
class lnk_file { getattr read };
class tcp_socket { accept listen };
Expand Down Expand Up @@ -40,9 +40,9 @@ allow rke_logreader_t container_log_t:file { getattr open read watch };
allow rke_logreader_t container_var_lib_t:dir search;
allow rke_logreader_t container_var_lib_t:file { getattr open read watch };
allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
allow rke_logreader_t syslogd_var_run_t:dir read;
allow rke_logreader_t syslogd_var_run_t:dir { read watch };
allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
allow rke_logreader_t var_log_t:dir read;
allow rke_logreader_t var_log_t:dir { read watch };
allow rke_logreader_t var_log_t:file { getattr map open read watch };
allow rke_logreader_t self:tcp_socket listen;

Expand Down
6 changes: 3 additions & 3 deletions policy/centos9/rancher.te
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ gen_require(`
type kubernetes_file_t, container_log_t, syslogd_var_run_t;
type var_log_t, container_var_run_t, container_var_lib_t;
type iptables_var_run_t, var_run_t, kernel_t, rke_opt_t;
class dir { open read search };
class dir { open read search watch };
class file { getaddr getattr map open read watch relabelfrom relabelto };
class lnk_file { getattr read };
class tcp_socket { accept listen };
Expand Down Expand Up @@ -40,9 +40,9 @@ allow rke_logreader_t container_log_t:file { getattr open read watch };
allow rke_logreader_t container_var_lib_t:dir search;
allow rke_logreader_t container_var_lib_t:file { getattr open read watch };
allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
allow rke_logreader_t syslogd_var_run_t:dir read;
allow rke_logreader_t syslogd_var_run_t:dir { read watch };
allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
allow rke_logreader_t var_log_t:dir read;
allow rke_logreader_t var_log_t:dir { read watch };
allow rke_logreader_t var_log_t:file { getattr map open read watch };
allow rke_logreader_t self:tcp_socket listen;

Expand Down
6 changes: 3 additions & 3 deletions policy/fedora41/rancher.te
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ gen_require(`
type container_runtime_t, unconfined_service_t, container_file_t;
type kubernetes_file_t, container_log_t, syslogd_var_run_t, var_log_t;
type container_var_run_t, iptables_var_run_t, var_run_t, kernel_t;
class dir { open read search };
class dir { open read search watch };
class file { getaddr open read watch };
class lnk_file { getattr read };
class tcp_socket { listen };
Expand Down Expand Up @@ -36,9 +36,9 @@ allow rke_logreader_t container_log_t:file { getattr open read watch };
allow rke_logreader_t container_var_lib_t:dir search;
allow rke_logreader_t container_var_lib_t:file { getattr open read };
allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
allow rke_logreader_t syslogd_var_run_t:dir read;
allow rke_logreader_t syslogd_var_run_t:dir { read watch };
allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
allow rke_logreader_t var_log_t:dir read;
allow rke_logreader_t var_log_t:dir { read watch };
allow rke_logreader_t var_log_t:file { getattr map open read };
allow rke_logreader_t self:tcp_socket listen;

Expand Down
6 changes: 3 additions & 3 deletions policy/microos/rancher.te
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ gen_require(`
type kubernetes_file_t, container_log_t, syslogd_var_run_t;
type var_log_t, container_var_run_t, container_var_lib_t;
type iptables_var_run_t, var_run_t, kernel_t, rke_opt_t;
class dir { open read search };
class dir { open read search watch };
class file { getaddr getattr map open read watch relabelfrom relabelto };
class lnk_file { getattr read };
class tcp_socket { accept listen };
Expand Down Expand Up @@ -40,9 +40,9 @@ allow rke_logreader_t container_log_t:file { getattr open read };
allow rke_logreader_t container_var_lib_t:dir search;
allow rke_logreader_t container_var_lib_t:file { getattr open read };
allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
allow rke_logreader_t syslogd_var_run_t:dir read;
allow rke_logreader_t syslogd_var_run_t:dir { read watch };
allow rke_logreader_t syslogd_var_run_t:file { getattr open read };
allow rke_logreader_t var_log_t:dir read;
allow rke_logreader_t var_log_t:dir { read watch };
allow rke_logreader_t var_log_t:file { getattr open read };

############################################################################
Expand Down
Loading