Add support for Centos8 and MicroOs

andypitcher · Jan 15, 2025 · 7cd7d57 · 7cd7d57
1 parent 38232c2
commit 7cd7d57
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/policy/centos8/rancher.te b/policy/centos8/rancher.te
@@ -103,3 +103,19 @@ manage_files_pattern(rke_network_t, var_run_t, var_run_t)
 allow rke_network_t kernel_t:system module_request;
 allow rke_network_t kernel_t:unix_dgram_socket sendto;
 allow rke_network_t self:netlink_route_socket nlmsg_write;
+
+############################################################################
+# type prom_node_exporter_t                                                #
+# target: prometheus-node-exporter container for Rancher monitoring chart  #
+############################################################################
+gen_require(`
+        type container_runtime_t;
+        class tcp_socket listen;
+')
+container_domain_template(prom_node_exporter, container)
+virt_sandbox_domain(prom_node_exporter_t)
+corenet_tcp_bind_generic_node(prom_node_exporter_t)
+corenet_tcp_bind_generic_port(prom_node_exporter_t)
+init_read_state(prom_node_exporter_t)
+selinux_read_security_files(prom_node_exporter_t)
+allow prom_node_exporter_t self:tcp_socket listen;
diff --git a/policy/microos/rancher.te b/policy/microos/rancher.te
@@ -103,3 +103,19 @@ manage_files_pattern(rke_network_t, var_run_t, var_run_t)
 allow rke_network_t kernel_t:system module_request;
 allow rke_network_t kernel_t:unix_dgram_socket sendto;
 allow rke_network_t self:netlink_route_socket nlmsg_write;
+
+############################################################################
+# type prom_node_exporter_t                                                #
+# target: prometheus-node-exporter container for Rancher monitoring chart  #
+############################################################################
+gen_require(`
+        type container_runtime_t;
+        class tcp_socket listen;
+')
+container_domain_template(prom_node_exporter, container)
+virt_sandbox_domain(prom_node_exporter_t)
+corenet_tcp_bind_generic_node(prom_node_exporter_t)
+corenet_tcp_bind_generic_port(prom_node_exporter_t)
+init_read_state(prom_node_exporter_t)
+selinux_read_security_files(prom_node_exporter_t)
+allow prom_node_exporter_t self:tcp_socket listen;