-rw-r--r-- | policy/modules/kernel/kernel.if | 18 | ||||
-rw-r--r-- | policy/modules/services/kubernetes.te | 3 |
2 files changed, 21 insertions, 0 deletions
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index f985a1ca..f1c3098c 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2887,6 +2887,24 @@ interface(`kernel_rw_unlabeled_dirs',`
 
 ########################################
 ## <summary>
+## Create unlabeled directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_create_unlabeled_dirs',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
 ## Delete unlabeled directories.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 83963502..95d5f9f4 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -311,6 +311,9 @@ kernel_rw_vm_overcommit_sysctl(kubelet_t)
 # haven't been relabeled yet (fsGroup)
 kernel_list_unlabeled(kubelet_t)
 kernel_setattr_all_unlabeled(kubelet_t)
+# create subPath mountpoints in a volume that
+# hasn't been relabeled yet
+kernel_create_unlabeled_dirs(kubelet_t)
 
 storage_getattr_fixed_disk_dev(kubelet_t)
 storage_dontaudit_read_fixed_disk(kubelet_t)
|
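Review bot: The summary of the new `kernel_create_unlabeled_dirs` interface says only "Create unlabeled directories", but the single rule `allow $1 unlabeled_t:dir create_dir_perms;` covers the directory being created (create, and getattr if `create_dir_perms` is the usual refpolicy set), not the `write`/`add_name` that a mkdir also needs on the unlabeled parent directory, so a caller without `kernel_rw_unlabeled_dirs()` or an equivalent rule is still denied. The kubernetes.te hunk depends on this: kubelet_t is shown with `kernel_list_unlabeled` and `kernel_setattr_all_unlabeled`, but no write rule on unlabeled_t directories is visible in this hunk, so confirm it is granted elsewhere in the domain before relying on the new call. I would extend the summary, e.g. `## Create unlabeled directories. Does not grant write/add_name on the parent unlabeled directory; pair with kernel_rw_unlabeled_dirs().` Since the rule adds no type_transition, directories created this way presumably stay unlabeled_t until the caller relabels them, which the summary could also state so the widened unlabeled footprint is explicit to reviewers of callers.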