Merge pull request #38 from andypitcher/expand-watch-permission

Add file watch permission from rke_logreader_t to container_var_lib_t
rancher · Dec 19, 2023 · 1946e04 · 1946e04
2 parents 4b6a0f4 + 7b54f40
commit 1946e04
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/policy/centos8/rancher.te b/policy/centos8/rancher.te
@@ -41,7 +41,7 @@ allow rke_logreader_t container_log_t:dir { open read search };
 allow rke_logreader_t container_log_t:lnk_file { getattr read };
 allow rke_logreader_t container_log_t:file { getattr open read watch };
 allow rke_logreader_t container_var_lib_t:dir search;
-allow rke_logreader_t container_var_lib_t:file { getattr open read };
+allow rke_logreader_t container_var_lib_t:file { getattr open read watch };
 allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
 allow rke_logreader_t syslogd_var_run_t:dir read;
 allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };

diff --git a/policy/centos9/rancher.te b/policy/centos9/rancher.te
@@ -41,7 +41,7 @@ allow rke_logreader_t container_log_t:dir { open read search };
 allow rke_logreader_t container_log_t:lnk_file { getattr read };
 allow rke_logreader_t container_log_t:file { getattr open read watch };
 allow rke_logreader_t container_var_lib_t:dir search;
-allow rke_logreader_t container_var_lib_t:file { getattr open read };
+allow rke_logreader_t container_var_lib_t:file { getattr open read watch };
 allow rke_logreader_t container_var_lib_t:lnk_file { getattr read };
 allow rke_logreader_t syslogd_var_run_t:dir read;
 allow rke_logreader_t syslogd_var_run_t:file { getattr map open read };