Diffstat (limited to 'policy')
-rw-r--r-- | policy/modules/kernel/devices.if | 18 | ||||
-rw-r--r-- | policy/modules/services/kubernetes.te | 4 |
2 files changed, 22 insertions, 0 deletions
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index a2d55ded..d1536573 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2067,6 +2067,24 @@ interface(`dev_manage_dri_dev',`
 
 ########################################
 ## <summary>
+## Mount on the dri devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mounton_dri_dev',`
+ gen_require(`
+ type dri_device_t;
+ ')
+
+ allow $1 dri_device_t:chr_file mounton;
+')
+
+########################################
+## <summary>
 ## Automatic type transition to the type
 ## for DRI device nodes when created in /dev.
 ## </summary>
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 8a13be60..a10ec550 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -147,6 +147,10 @@ tunable_policy(`container_read_public_content',`
 miscfiles_mounton_all_public_files(kubernetes_container_engine_domain)
 ')
 
+tunable_policy(`container_use_dri',`
+ dev_mounton_dri_dev(kubernetes_container_engine_domain)
+')
+
 tunable_policy(`container_use_nfs',`
 fs_getattr_nfs(kubernetes_container_engine_domain)
 fs_remount_nfs(kubernetes_container_engine_domain) |
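Review bot: The doc block on the new `dev_mounton_dri_dev` interface in devices.if says only "Mount on the dri devices", which does not tell a policy auditor what `mounton` on a `chr_file` permits. The rule `allow $1 dri_device_t:chr_file mounton;` lets the caller use any node labelled `dri_device_t` as a mount point, so a mount placed there covers the device node for later opens by path. I would say so in the summary, for example `## Use DRI device nodes as mount points (bind mount targets).`, so that callers grant it deliberately.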
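Review bot: The `container_use_dri` block in kubernetes.te grants `mounton` to every type carrying the `kubernetes_container_engine_domain` attribute, and through the interface to every node labelled `dri_device_t`, with nothing recording why the engine needs it. The declaration and default value of the `container_use_dri` tunable are not part of this diff, so it is worth confirming that it is declared in a module this one already depends on and that it defaults to off. If the purpose is what the name suggests, a comment above the call such as `# bind mount DRI nodes into containers that are given GPU access` would keep the intent visible to later reviewers.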