Adds SELinux custom module for the afterburn systemd units
The afterburn systemd units fail as the SELinux domain of the afterburn binary is restricted from changing the content of files in /run, /run/metadata and /home/$user/.ssh. This commit adds an afterburn-custom.cil SELinux module to allow the afterburn services to succeed and the nodes to properly join a cluster. The module is loaded by the okd-selinux.service implemented by 336013f

Refers openshift#1555
aleskandro committed Jul 18, 2024
1 parent a19f1b3 commit 11f7e8c
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions overlay.d/50scos/usr/lib/okd/selinux/afterburn.cil
@@ -0,0 +1,7 @@
(typeattributeset cil_gen_require var_run_t)
(typeattributeset cil_gen_require afterburn_t)
(typeattributeset cil_gen_require ssh_home_t)
(allow afterburn_t ssh_home_t (dir (read search)))
(allow afterburn_t ssh_home_t (dir (open)))
(allow afterburn_t var_run_t (dir (add_name create write)))
(allow afterburn_t var_run_t (file (create open write)))
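Review bot: the two var_run_t rules grant afterburn_t dir add_name/create/write and file create/open/write on the generic var_run_t type, which labels all of /run rather than only the /run/metadata directory named in the commit message; consider giving /run/metadata its own type through an fcontext rule so the grant is scoped to that path. The two ssh_home_t rules can be folded into one, `(allow afterburn_t ssh_home_t (dir (read search open)))`, and since the commit message says afterburn must change file contents under /home/$user/.ssh while no file permission on ssh_home_t is granted here, it is worth confirming on a node that the unit actually succeeds with only directory access. The .cil file carries no comment explaining why these grants exist, and the commit message refers to afterburn-custom.cil while the added file is afterburn.cil; aligning the two would help whoever maintains this later.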
