
Commit b321ea4

committed
Add policy for kata containers
Signed-off-by: Daniel J Walsh <[email protected]>
1 parent 5624558 commit b321ea4

1 file changed

+13
-1
lines changed

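--- a/container.te
+++ b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.124.0)
+policy_module(container, 2.125.0)
 gen_require(`
 class passwd rootok;
 ')
@@ -452,6 +452,7 @@ tunable_policy(`virt_use_samba',`
 gen_require(`
 type cephfs_t;
 ')
+
 tunable_policy(`container_use_cephfs',`
 manage_files_pattern(container_domain, cephfs_t, cephfs_t)
 manage_lnk_files_pattern(container_domain, cephfs_t, cephfs_t)
@@ -1041,3 +1042,14 @@ dontaudit container_domain device_node:chr_file setattr;
 dontaudit container_domain sysctl_type:file write;
 
 allow container_t proc_t:filesystem remount;
+
+# Container kvm - Policy for running kata containers
+container_domain_template(container_kvm)
+typeattribute container_kvm_t container_net_domain;
+
+dev_rw_kvm(container_kvm_t)
+
+dev_read_sysfs(container_kvm_t)
+dev_getattr_mtrr_dev(container_kvm_t)
+dev_read_rand(container_kvm_t)
+dev_read_urand(container_kvm_t)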
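Review bot: The one-line comment above the new `container_kvm_t` rules at the end of the third hunk does not say which process is meant to run in this domain or why each device grant is needed. That matters here because `dev_rw_kvm` plus `container_net_domain` gives the domain read/write access to the KVM device and network access, so the intended scope should be written down. I would expand it to something like `# container_kvm_t: domain for VM-backed (kata) containers; rw on the KVM device is needed to create the guest. Not for ordinary containers.` and add a short reason next to `dev_getattr_mtrr_dev` and `dev_read_sysfs`. What `container_domain_template` already grants is not visible in this hunk, so it is worth checking whether the sysfs and random-device reads duplicate rules the template provides.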
