commit: c3c8df115b607376bebaa6401e8839475ee93c3c Author: Kenton Groombridge <me <AT> concord <DOT> sh> AuthorDate: Wed Dec 7 14:53:58 2022 +0000 Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org> CommitDate: Tue Dec 13 19:07:33 2022 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c3c8df11
container: add rules required for metallb BGP speakers Signed-off-by: Kenton Groombridge <me <AT> concord.sh> Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org> policy/modules/services/container.te | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 458e392d9..534d6f4c5 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -425,6 +425,8 @@ corenet_tcp_sendrecv_generic_node(container_net_domain)
 corenet_udp_sendrecv_generic_node(container_net_domain)
 corenet_tcp_bind_generic_node(container_net_domain)
 corenet_udp_bind_generic_node(container_net_domain)
+# for metallb BGP speakers
+corenet_raw_bind_generic_node(container_net_domain)
 corenet_sendrecv_all_server_packets(container_net_domain)
 corenet_tcp_bind_all_ports(container_net_domain)
@@ -456,6 +458,8 @@ files_read_kernel_modules(container_t)
 fs_mount_cgroup(container_t)
 fs_rw_cgroup_files(container_t)
+# for metallb BGP speakers
+fs_read_nsfs_files(container_t)
 kernel_read_vm_overcommit_sysctl(container_t)
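Review bot: `corenet_raw_bind_generic_node(container_net_domain)` in the first hunk grants raw-socket node bind to everything carrying container_net_domain, which by its name looks like an attribute shared by all container network domains rather than only the metallb speaker, so the raw-socket allowance is widened well past the stated use case. Consider gating this call in a `tunable_policy` block keyed on a container-specific boolean (name to be chosen by the module) so deployments that run no BGP speakers keep the tighter policy, and the same consideration applies to the unconditional `fs_read_nsfs_files(container_t)` in the second hunk. The `# for metallb BGP speakers` comment on both hunks would be more useful if it also named the access that is denied without the rule, e.g. `# metallb BGP speakers bind raw sockets; see <denial placeholder>`, though that detail is not visible here. The enclosing policy sections of container.te start and end outside both hunks.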
