From cdc026e081113bc262a5183640d4fcde761858ce Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Mon, 6 May 2024 17:19:44 -0400
Subject: container, crio, kubernetes: minor fixes
Signed-off-by: Kenton Groombridge
---
 policy/modules/services/container.te | 1 +
 policy/modules/services/crio.te | 1 +
 policy/modules/services/kubernetes.te | 3 +++
 3 files changed, 5 insertions(+)
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 68aa97ae5..095308a13 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -982,6 +982,7 @@ allow spc_t self:alg_socket create_stream_socket_perms;
 allow spc_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow spc_t self:netlink_generic_socket create_socket_perms;
 allow spc_t self:netlink_netfilter_socket create_socket_perms;
+allow spc_t self:netlink_tcpdiag_socket nlmsg_read;
 allow spc_t self:netlink_xfrm_socket create_netlink_socket_perms;
 allow spc_t self:perf_event { cpu kernel open read };
diff --git a/policy/modules/services/crio.te b/policy/modules/services/crio.te
index 3dd616f7a..91306d80e 100644
--- a/policy/modules/services/crio.te
+++ b/policy/modules/services/crio.te
@@ -84,6 +84,7 @@ init_use_fds(crio_conmon_t)
 container_kill_all_containers(crio_conmon_t)
 container_read_all_container_state(crio_conmon_t)
+container_signal_system_containers(crio_conmon_t)
 # for kubernetes debug pods
 container_use_container_ptys(crio_conmon_t)
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 58292de85..3ba666299 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
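Review bot: `allow spc_t self:netlink_tcpdiag_socket nlmsg_read;` grants only the netlink message permission; unless spc_t already receives create/read/write permissions on netlink_tcpdiag_socket elsewhere in container.te (not visible in this hunk), the socket can never be opened and the new rule is dead. Every neighbouring rule in the hunk pairs its netlink class with creation permissions (`create_socket_perms` or `create_netlink_socket_perms`), so the consistent form would be `allow spc_t self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read };` if that is what the workload needs. This is the sock_diag interface used by socket-listing tools, i.e. read access to in-kernel socket state for every namespace spc_t can see; a one-line comment naming the tool or operation that triggered the denial would make the grant easier to audit later.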
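Review bot: `container_signal_system_containers(crio_conmon_t)` carries no comment explaining which conmon operation needs to signal system containers, while the surrounding lines do give that context (`# for kubernetes debug pods` for the pty rule). A comment such as `# conmon needs to signal system containers for <operation — fill in>` above the new line would record the trigger. The line is also inserted directly above the `# for kubernetes debug pods` comment that documents `container_use_container_ptys`; if the file has no blank line between them (blank lines are not recoverable from this rendering), one should be added so the comment stays attached to the rule it describes.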
@@ -393,6 +393,7 @@ container_relabel_all_content(kubelet_t)
 container_manage_log_dirs(kubelet_t)
 container_manage_log_files(kubelet_t)
 container_manage_log_symlinks(kubelet_t)
+container_watch_log_dirs(kubelet_t)
 container_watch_log_files(kubelet_t)
 container_log_filetrans(kubelet_t, { dir file })
@@ -617,6 +618,8 @@ userdom_use_user_terminals(kubectl_domain)
 # kubectl local policy
 #
+kernel_dontaudit_getattr_proc(kubectl_t)
+
 auth_use_nsswitch(kubectl_t)
 # not required, but convenient for using config commands
--
cgit v1.2.3-65-gdbad
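Review bot: `kernel_dontaudit_getattr_proc(kubectl_t)` in the second hunk is added without a comment saying what in kubectl performs the getattr on /proc, so the dontaudit silently hides an AVC that a later debugging session may need to see. A one-line comment above it, e.g. `# dontaudit: <what probes /proc here — fill in>; denial is harmless`, records why the denial is known to be benign and lets a future reader re-check that assumption. Placing it at the top of the kubectl local policy block, ahead of `auth_use_nsswitch`, appears to follow the module's kernel-interfaces-first ordering, which is fine.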