Update SELinux policy to support linkerd-cni #1162

lachlan-smith · 2024-01-07T13:47:07Z

Found some issues with the SELinux policy when trying to chain the Linkerd CNI plugin with Cilium. Determined additional required policy statements by running grep "denied" /var/log/audit/audit.log | audit2allow -M linkerd until no more denied errors logged. Patched in the additional statements to existing SELinux module.

For reference, generated module was:

require {
        type etc_t;
        type container_t;
        class file { create setattr unlink write };
        class dir watch;
}

#============= container_t ==============

#!!!! This avc is allowed in the current policy
allow container_t etc_t:dir watch;

#!!!! This avc is allowed in the current policy
allow container_t etc_t:file { create setattr unlink write };```

Silvest89 · 2024-01-08T06:08:43Z

@mysticaltech

mysticaltech

LGTM, thanks @lachlan-smith

mysticaltech · 2024-01-08T10:57:20Z

@lachlan-smith @Silvest89 Fix released in v2.11.7. Enjoy and don't hesitate to shoot more PRs please, this help is truly appreciate it.

Update SELinux policy to support linkerd-cni

1ad4e95

Silvest89 requested a review from mysticaltech January 8, 2024 06:08

mysticaltech approved these changes Jan 8, 2024

View reviewed changes

mysticaltech merged commit 00227b5 into kube-hetzner:master Jan 8, 2024
3 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update SELinux policy to support linkerd-cni #1162

Update SELinux policy to support linkerd-cni #1162

lachlan-smith commented Jan 7, 2024

Silvest89 commented Jan 8, 2024

mysticaltech left a comment

mysticaltech commented Jan 8, 2024

Update SELinux policy to support linkerd-cni #1162

Update SELinux policy to support linkerd-cni #1162

Conversation

lachlan-smith commented Jan 7, 2024

Silvest89 commented Jan 8, 2024

mysticaltech left a comment

Choose a reason for hiding this comment

mysticaltech commented Jan 8, 2024