-rw-r--r-- | policy/modules/kernel/kernel.if | 19 | ||||
-rw-r--r-- | policy/modules/services/kubernetes.te | 4 |
2 files changed, 23 insertions, 0 deletions
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 7a2df280..85b4da0c 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3492,6 +3492,25 @@ interface(`kernel_relabelfrom_unlabeled_chr_devs',`
 ########################################
 ## <summary>
+## Allow caller set the attributes on all unlabeled
+## directory and file objects.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_setattr_all_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir_file_class_set setattr;
+')
+
+########################################
+## <summary>
 ## Send and receive messages from an
 ## unlabeled IPSEC association.
 ## </summary>
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 0f5f6769..58292de8 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -307,6 +307,10 @@ kernel_read_vm_sysctls(kubelet_t)
 kernel_rw_kernel_sysctl(kubelet_t)
 kernel_rw_net_sysctls(kubelet_t)
 kernel_rw_vm_overcommit_sysctl(kubelet_t)
+# for recursive chown on persistent volumes that
+# haven't been relabeled yet (fsGroup)
+kernel_list_unlabeled(kubelet_t)
+kernel_setattr_all_unlabeled(kubelet_t)
 storage_getattr_fixed_disk_dev(kubelet_t)
 storage_dontaudit_read_fixed_disk(kubelet_t)
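Review bot: The summary on the new `kernel_setattr_all_unlabeled` interface undersells what it grants: `dir_file_class_set`, as defined in refpolicy's object permission sets, expands to dir plus the whole file class set (file, lnk_file, sock_file, fifo_file, chr_file, blk_file), so setattr is also allowed on unlabeled device nodes, sockets and fifos, not only "directory and file objects". Either document the full breadth, e.g. `## Allow the caller to set the attributes on all unlabeled` / `## directory, file, symlink, socket, fifo and device node objects.`, or, if the only caller needs ownership changes on volume contents, narrow the rule to `allow $1 unlabeled_t:{ dir file lnk_file } setattr;` and rename the interface so "all" stays accurate. The first summary line also reads awkwardly as written ("Allow caller set"); "Allow the caller to set" is the conventional phrasing.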
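Review bot: The recursive chown the new comment describes probably needs more than list on directories and setattr on the objects: a walk that lstat()s each entry before changing ownership requires getattr on the unlabeled files and symlinks too, and `kernel_list_unlabeled` — if it is the usual list_dir_perms interface — only covers dir. I would confirm on a test volume whether getattr denials show up next to the setattr grant and, if so, add a getattr-only interface for unlabeled file objects rather than a broader one. The comment could also state that these rules are only needed until the volume is relabeled, e.g. `# for recursive chown (fsGroup) on persistent volumes whose` / `# contents still carry unlabeled_t; relabeling removes the need`, so a reader knows why the grant on unlabeled_t is acceptable. The enclosing kubelet_t rule block continues on both sides of the hunk.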