Add /etc/cni to the rke2-selinux context (#67)

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

policy/centos7/rke2-selinux.spec

@@ -3,6 +3,7 @@
 %define rke2_relabel_files() \
 mkdir -p /var/lib/cni; \
 mkdir -p /opt/cni; \
+mkdir -p /etc/cni; \
 mkdir -p /var/lib/kubelet/pods; \
 mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
 mkdir -p /var/lib/rancher/rke2/data; \
@@ -12,6 +13,7 @@ restorecon -R -i /etc/systemd/system/rke2*; \
 restorecon -R -i /usr/lib/systemd/system/rke2*; \
 restorecon -R /var/lib/cni; \
 restorecon -R /opt/cni; \
+restorecon -R /etc/cni; \
 restorecon -R /var/lib/kubelet; \
 restorecon -R /var/lib/rancher; \
 restorecon -R /var/run/k3s; \

policy/centos7/rke2.fc

@@ -8,6 +8,7 @@
 /usr/local/bin/rke2                                                 --  gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /var/lib/cni(/.*)?                                                      gen_context(system_u:object_r:container_var_lib_t,s0)
 /opt/cni(/.*)?                                                          gen_context(system_u:object_r:container_file_t,s0)
+/etc/cni(/.*)?                                                          gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/kubelet/pods(/.*)?                                             gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/rancher/rke2(/.*)?                                             gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/rancher/rke2/data(/.*)?                                        gen_context(system_u:object_r:container_runtime_exec_t,s0)

policy/centos8/rke2-selinux.spec

@@ -3,6 +3,7 @@
 %define rke2_relabel_files() \
 mkdir -p /var/lib/cni; \
 mkdir -p /opt/cni; \
+mkdir -p /etc/cni; \
 mkdir -p /var/lib/kubelet/pods; \
 mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
 mkdir -p /var/lib/rancher/rke2/data; \
@@ -12,6 +13,7 @@ restorecon -R -i /etc/systemd/system/rke2*; \
 restorecon -R -i /usr/lib/systemd/system/rke2*; \
 restorecon -R /var/lib/cni; \
 restorecon -R /opt/cni; \
+restorecon -R /etc/cni; \
 restorecon -R /var/lib/kubelet; \
 restorecon -R /var/lib/rancher; \
 restorecon -R /var/run/k3s; \

policy/centos8/rke2.fc

@@ -12,6 +12,7 @@
 /usr/local/bin/rke2                                                 --  gen_context(system_u:object_r:container_runtime_exec_t,s0)
 #/var/lib/cni(/.*)?                                                      gen_context(system_u:object_r:container_var_lib_t,s0)
 /opt/cni(/.*)?                                                           gen_context(system_u:object_r:container_file_t,s0)
+/etc/cni(/.*)?                                                           gen_context(system_u:object_r:container_file_t,s0)
 #/var/lib/kubelet/pods(/.*)?                                             gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/rancher/rke2(/.*)?                                             gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/rancher/rke2/data(/.*)?                                        gen_context(system_u:object_r:container_runtime_exec_t,s0)

policy/centos9/rke2-selinux.spec

@@ -3,6 +3,7 @@
 %define rke2_relabel_files() \
 mkdir -p /var/lib/cni; \
 mkdir -p /opt/cni; \
+mkdir -p /etc/cni; \
 mkdir -p /var/lib/kubelet/pods; \
 mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
 mkdir -p /var/lib/rancher/rke2/data; \
@@ -13,6 +14,7 @@ restorecon -R -i /usr/local/lib/systemd/system/rke2*; \
 restorecon -R -i /usr/lib/systemd/system/rke2*; \
 restorecon -R /var/lib/cni; \
 restorecon -R /opt/cni; \
+restorecon -R /etc/cni; \
 restorecon -R /var/lib/kubelet; \
 restorecon -R /var/lib/rancher; \
 restorecon -R /var/run/k3s; \

policy/centos9/rke2.fc

@@ -12,6 +12,7 @@
 /usr/local/bin/rke2                                                 --  gen_context(system_u:object_r:container_runtime_exec_t,s0)
 #/var/lib/cni(/.*)?                                                      gen_context(system_u:object_r:container_var_lib_t,s0)
 /opt/cni(/.*)?                                                           gen_context(system_u:object_r:container_file_t,s0)
+/etc/cni(/.*)?                                                           gen_context(system_u:object_r:container_file_t,s0)
 #/var/lib/kubelet/pods(/.*)?                                             gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/rancher/rke2(/.*)?                                             gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/rancher/rke2/data(/.*)?                                        gen_context(system_u:object_r:container_runtime_exec_t,s0)

policy/microos/rke2-selinux.spec

@@ -3,6 +3,7 @@
 %define rke2_relabel_files() \
 mkdir -p /var/lib/cni; \
 mkdir -p /opt/cni; \
+mkdir -p /etc/cni; \
 mkdir -p /var/lib/kubelet/pods; \
 mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
 mkdir -p /var/lib/rancher/rke2/data; \
@@ -12,6 +13,7 @@ restorecon -R -i /etc/systemd/system/rke2*; \
 restorecon -R -i /usr/lib/systemd/system/rke2*; \
 restorecon -R /var/lib/cni; \
 restorecon -R /opt/cni; \
+restorecon -R /etc/cni; \
 restorecon -R /var/lib/kubelet; \
 restorecon -R /var/lib/rancher; \
 restorecon -R /var/run/k3s; \

policy/microos/rke2.fc

@@ -12,6 +12,7 @@
 /usr/local/bin/rke2                                                 --  gen_context(system_u:object_r:container_runtime_exec_t,s0)
 #/var/lib/cni(/.*)?                                                      gen_context(system_u:object_r:container_var_lib_t,s0)
 /opt/cni(/.*)?                                                           gen_context(system_u:object_r:container_file_t,s0)
+/etc/cni(/.*)?                                                           gen_context(system_u:object_r:container_file_t,s0)
 #/var/lib/kubelet/pods(/.*)?                                             gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/rancher/rke2(/.*)?                                             gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/rancher/rke2/data(/.*)?                                        gen_context(system_u:object_r:container_runtime_exec_t,s0)

policy/slemicro/rke2-selinux.spec

@@ -3,6 +3,7 @@
 %define rke2_relabel_files() \
 mkdir -p /var/lib/cni; \
 mkdir -p /opt/cni; \
+mkdir -p /etc/cni; \
 mkdir -p /var/lib/kubelet/pods; \
 mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
 mkdir -p /var/lib/rancher/rke2/data; \
@@ -12,6 +13,7 @@ restorecon -R -i /etc/systemd/system/rke2*; \
 restorecon -R -i /usr/lib/systemd/system/rke2*; \
 restorecon -R /var/lib/cni; \
 restorecon -R /opt/cni; \
+restorecon -R /etc/cni; \
 restorecon -R /var/lib/kubelet; \
 restorecon -R /var/lib/rancher; \
 restorecon -R /var/run/k3s; \

policy/slemicro/rke2.fc

@@ -13,6 +13,7 @@
 /opt/rke2/bin/rke2                                                  --  gen_context(system_u:object_r:container_runtime_exec_t,s0)
 #/var/lib/cni(/.*)?                                                      gen_context(system_u:object_r:container_var_lib_t,s0)
 /opt/cni(/.*)?                                                           gen_context(system_u:object_r:container_file_t,s0)
+/etc/cni(/.*)?                                                           gen_context(system_u:object_r:container_file_t,s0)
 #/var/lib/kubelet/pods(/.*)?                                             gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/rancher/rke2(/.*)?                                             gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/rancher/rke2/data(/.*)?                                        gen_context(system_u:object_r:container_runtime_exec_t,s0)