Merge pull request #4 from cmurphy/var-log

cmurphy · web-flow · commit aa99598ed4fb · 2021-04-23T15:28:23.000-07:00
Allow logreader to read var_log_t
diff --git a/policy/centos7/rancher.te b/policy/centos7/rancher.te
@@ -11,6 +11,7 @@ gen_require(`
         type container_runtime_t, unconfined_service_t;
         type container_log_t;
         type syslogd_var_run_t;
+        type var_log_t;
         class dir { read search };
         class file { open read };
         class lnk_file { getattr read };
@@ -26,3 +27,5 @@ allow rke_logreader_t container_var_lib_t:file { getattr open read };
 allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
 allow rke_logreader_t syslogd_var_run_t:dir read;
 allow rke_logreader_t syslogd_var_run_t:file { getattr open read };
+allow rke_logreader_t var_log_t:dir read;
+allow rke_logreader_t var_log_t:file { getattr open read };
diff --git a/policy/centos8/rancher.te b/policy/centos8/rancher.te
@@ -11,6 +11,7 @@ gen_require(`
         type container_runtime_t, unconfined_service_t;
         type container_log_t;
         type syslogd_var_run_t;
+        type var_log_t;
         class dir { read search };
         class file { open read };
         class lnk_file { getattr read };
@@ -26,3 +27,5 @@ allow rke_logreader_t container_var_lib_t:file { getattr open read };
 allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
 allow rke_logreader_t syslogd_var_run_t:dir read;
 allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
+allow rke_logreader_t var_log_t:dir read;
+allow rke_logreader_t var_log_t:file { getattr map open read };
