
Commit 670ce71

authored
Merge pull request #73 from philippebi/main
Add watch permissions on rke_logreader_t:var_log_t:dir context
2 parents 8688ed3 + 7a2e847 commit 670ce71

4 files changed

Lines changed: 12 additions & 12 deletions


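--- a/policy/centos8/rancher.te
+++ b/policy/centos8/rancher.te
@@ -5,7 +5,7 @@ gen_require(`
 type kubernetes_file_t, container_log_t, syslogd_var_run_t;
 type var_log_t, container_var_run_t, container_var_lib_t;
 type iptables_var_run_t, var_run_t, kernel_t, rke_opt_t, security_t;
-class dir { open read search };
+class dir { open read search watch };
 class file { getaddr getattr map open read watch relabelfrom relabelto };
 class lnk_file { getattr read };
 class tcp_socket { accept listen };
@@ -40,9 +40,9 @@ allow rke_logreader_t container_log_t:file { getattr open read watch };
 allow rke_logreader_t container_var_lib_t:dir search;
 allow rke_logreader_t container_var_lib_t:file { getattr open read watch };
 allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
-allow rke_logreader_t syslogd_var_run_t:dir read;
+allow rke_logreader_t syslogd_var_run_t:dir { read watch };
 allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
-allow rke_logreader_t var_log_t:dir read;
+allow rke_logreader_t var_log_t:dir { read watch };
 allow rke_logreader_t var_log_t:file { getattr map open read watch };
 allow rke_logreader_t self:tcp_socket listen;
 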
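Review bot: The PR title only mentions the var_log_t:dir grant, but the second hunk (file line 43) also widens `syslogd_var_run_t:dir` to `{ read watch }`, and the same pair of grants is repeated in policy/centos9/rancher.te, policy/fedora41/rancher.te and policy/microos/rancher.te; the commit message should name both directories so the added inotify visibility on the syslog runtime directory is traceable rather than looking incidental. None of the allow rules in this file says why a permission is needed, so a short comment above the two changed rules, e.g. `# watch: rke_logreader_t registers inotify watches on these log directories (presumably denial-driven; confirm against the AVC that motivated PR #73)`, would let a later reviewer distinguish a deliberate grant from one copied across platforms. The `class dir { ... watch }` change in the first hunk is only the gen_require declaration; the actual access is granted by the two allow rules in the second hunk.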
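--- a/policy/centos9/rancher.te
+++ b/policy/centos9/rancher.te
@@ -5,7 +5,7 @@ gen_require(`
 type kubernetes_file_t, container_log_t, syslogd_var_run_t;
 type var_log_t, container_var_run_t, container_var_lib_t;
 type iptables_var_run_t, var_run_t, kernel_t, rke_opt_t;
-class dir { open read search };
+class dir { open read search watch };
 class file { getaddr getattr map open read watch relabelfrom relabelto };
 class lnk_file { getattr read };
 class tcp_socket { accept listen };
@@ -40,9 +40,9 @@ allow rke_logreader_t container_log_t:file { getattr open read watch };
 allow rke_logreader_t container_var_lib_t:dir search;
 allow rke_logreader_t container_var_lib_t:file { getattr open read watch };
 allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
-allow rke_logreader_t syslogd_var_run_t:dir read;
+allow rke_logreader_t syslogd_var_run_t:dir { read watch };
 allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
-allow rke_logreader_t var_log_t:dir read;
+allow rke_logreader_t var_log_t:dir { read watch };
 allow rke_logreader_t var_log_t:file { getattr map open read watch };
 allow rke_logreader_t self:tcp_socket listen;
 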
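--- a/policy/fedora41/rancher.te
+++ b/policy/fedora41/rancher.te
@@ -4,7 +4,7 @@ gen_require(`
 type container_runtime_t, unconfined_service_t, container_file_t;
 type kubernetes_file_t, container_log_t, syslogd_var_run_t, var_log_t;
 type container_var_run_t, iptables_var_run_t, var_run_t, kernel_t;
-class dir { open read search };
+class dir { open read search watch };
 class file { getaddr open read watch };
 class lnk_file { getattr read };
 class tcp_socket { listen };
@@ -36,9 +36,9 @@ allow rke_logreader_t container_log_t:file { getattr open read watch };
 allow rke_logreader_t container_var_lib_t:dir search;
 allow rke_logreader_t container_var_lib_t:file { getattr open read };
 allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
-allow rke_logreader_t syslogd_var_run_t:dir read;
+allow rke_logreader_t syslogd_var_run_t:dir { read watch };
 allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
-allow rke_logreader_t var_log_t:dir read;
+allow rke_logreader_t var_log_t:dir { read watch };
 allow rke_logreader_t var_log_t:file { getattr map open read };
 allow rke_logreader_t self:tcp_socket listen;
 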
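Review bot: `var_log_t:dir` now carries `watch` (file line 41) while the `var_log_t:file` rule on line 42 stays `{ getattr map open read }` without it, unlike policy/centos8 and policy/centos9 where the file rule already includes `watch`; the same asymmetry is present in policy/microos/rancher.te, whose var_log_t:file rule is `{ getattr open read }`. If the log reader only watches directories for create/rename events this is sufficient, but if it also places inotify watches on the files themselves, these two platforms will keep producing `file { watch }` denials after this merge. Worth confirming against the observed AVC messages, and then either adding `watch` to the file rule here and in microos or adding a comment explaining why a directory-only watch is enough on these platforms.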
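--- a/policy/microos/rancher.te
+++ b/policy/microos/rancher.te
@@ -5,7 +5,7 @@ gen_require(`
 type kubernetes_file_t, container_log_t, syslogd_var_run_t;
 type var_log_t, container_var_run_t, container_var_lib_t;
 type iptables_var_run_t, var_run_t, kernel_t, rke_opt_t;
-class dir { open read search };
+class dir { open read search watch };
 class file { getaddr getattr map open read watch relabelfrom relabelto };
 class lnk_file { getattr read };
 class tcp_socket { accept listen };
@@ -40,9 +40,9 @@ allow rke_logreader_t container_log_t:file { getattr open read };
 allow rke_logreader_t container_var_lib_t:dir search;
 allow rke_logreader_t container_var_lib_t:file { getattr open read };
 allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
-allow rke_logreader_t syslogd_var_run_t:dir read;
+allow rke_logreader_t syslogd_var_run_t:dir { read watch };
 allow rke_logreader_t syslogd_var_run_t:file { getattr open read };
-allow rke_logreader_t var_log_t:dir read;
+allow rke_logreader_t var_log_t:dir { read watch };
 allow rke_logreader_t var_log_t:file { getattr open read };
 
 ############################################################################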
