fixup! WIP: se: allow rules

siderolabs · Nov 21, 2024 · ebd6bac · ebd6bac
1 parent 4235c61
commit ebd6bac
Show file tree

Hide file tree

Showing 3 changed files with 0 additions and 7 deletions.
diff --git a/internal/pkg/selinux/policy/file_contexts b/internal/pkg/selinux/policy/file_contexts
@@ -15,7 +15,6 @@
 /usr/lib(/.*)?	system_u:object_r:lib_t:s0
 /usr/sbin(/.*)?	system_u:object_r:sbin_exec_t:s0
 /etc/selinux(/.*)?	system_u:object_r:selinux_conf_t:s0
-/opt/cni/bin(/.*)?	system_u:object_r:cri_plugin_bin_t:s0
 /usr/libexec(/.*)?	system_u:object_r:bin_t:s0
 /lib/firmware(/.*)?	system_u:object_r:firmware_t:s0
 /usr/lib/udev(/.*)?	system_u:object_r:udev_exec_t:s0

diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33
diff --git a/internal/pkg/selinux/policy/selinux/services/cri.cil b/internal/pkg/selinux/policy/selinux/services/cri.cil
@@ -116,9 +116,3 @@
 
 ; FIXME: add context for kube services
 (allow pod_p kube_secret_f (fs_classes (rw)))
-
-; CNI and other plugins
-(type cri_plugin_bin_t)
-(call system_f (cri_plugin_bin_t))
-(filecon "/opt/cni/bin(/.*)?" any (system_u object_r cri_plugin_bin_t (systemLow systemLow)))
-(allow pod_containerd_t cri_plugin_bin_t (file (execute_no_trans)))