Merge pull request #4 from cmurphy/var-log

Allow logreader to read var_log_t
rancher · Apr 23, 2021 · aa99598 · aa99598
2 parents 0f51b6d + eb1001b
commit aa99598
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/policy/centos7/rancher.te b/policy/centos7/rancher.te
@@ -11,6 +11,7 @@ gen_require(`
         type container_runtime_t, unconfined_service_t;
         type container_log_t;
         type syslogd_var_run_t;
+        type var_log_t;
         class dir { read search };
         class file { open read };
         class lnk_file { getattr read };
@@ -26,3 +27,5 @@ allow rke_logreader_t container_var_lib_t:file { getattr open read };
 allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
 allow rke_logreader_t syslogd_var_run_t:dir read;
 allow rke_logreader_t syslogd_var_run_t:file { getattr open read };
+allow rke_logreader_t var_log_t:dir read;
+allow rke_logreader_t var_log_t:file { getattr open read };
diff --git a/policy/centos8/rancher.te b/policy/centos8/rancher.te
@@ -11,6 +11,7 @@ gen_require(`
         type container_runtime_t, unconfined_service_t;
         type container_log_t;
         type syslogd_var_run_t;
+        type var_log_t;
         class dir { read search };
         class file { open read };
         class lnk_file { getattr read };
@@ -26,3 +27,5 @@ allow rke_logreader_t container_var_lib_t:file { getattr open read };
 allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
 allow rke_logreader_t syslogd_var_run_t:dir read;
 allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };
+allow rke_logreader_t var_log_t:dir read;
+allow rke_logreader_t var_log_t:file { getattr map open read };