########### Custom SELinux policy module: lets rke2 write logs to a directory other than /var/lib/
# Introduces a dedicated file type (rke2_log_t) and grants rke2_service_t the
# directory and file permissions it needs to create and write logs under it.
module rke2_log 1.0;

require {
    attribute file_type;
    type rke2_service_t;
    class dir { create read write add_name remove_name setattr search open };
    class file { create read write append getattr open };
}

# Dedicated type for the log directory and the files inside it.
type rke2_log_t;

# Mark the new type as a file type.
typeattribute rke2_log_t file_type;

# Directory side: create the directory, add/remove entries, list and search it.
allow rke2_service_t rke2_log_t:dir { create read write add_name remove_name setattr search open };

# File side: create and open log files, write/append data, read their attributes.
# NOTE(review): nothing here grants rename/unlink/setattr on files, rmdir/getattr on
# the directory, or lock/ioctl. If the service rotates logs or stats the directory,
# expect AVC denials; confirm against the audit log (e.g. audit2allow) before
# widening this rule set rather than granting broad permissions up front.
allow rke2_service_t rke2_log_t:file { create read write append getattr open };
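###############
# Build and install the module above, then label and create the log directory.
# Order matters: `semanage fcontext -t rke2_log_t` only succeeds once the type
# exists, i.e. after the module is loaded.
# (File names are an example; the .te file must hold the module above.)
checkmodule -M -m -o rke2_log.mod rke2_log.te
semodule_package -o rke2_log.pp -m rke2_log.mod
semodule -i rke2_log.pp

# Create the directory that the policy allows rke2_service_t to write into.
# Keep it root-owned and not readable by other local users: audit logs can
# carry request metadata that should stay confined to root.
mkdir -p /var/log/rke2/audit
chown root:root /var/log/rke2/audit
chmod 0700 /var/log/rke2/audit

# Register the label for the whole tree, then apply it to anything already present.
semanage fcontext -a -t rke2_log_t "/var/log/rke2(/.*)?"
restorecon -Rv /var/log/rke2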