diff --git a/packaging/selinux/microshift.te b/packaging/selinux/microshift.te
index 175b926e8a..0d9ef586b8 100644
--- a/packaging/selinux/microshift.te
+++ b/packaging/selinux/microshift.te
@@ -4,15 +4,9 @@ type microshift_t;
 domain_type(microshift_t);
 gen_require(`
- type kubelet_t, var_lib_t, container_var_lib_t, kernel_t;
+ type kubelet_t, var_lib_t, container_var_lib_t;
 ')
-# Workaround for kernel 7.x composefs/overlayfs SELinux regression (USHIFT-7215).
-# CRI-O runs as kernel_t instead of container_runtime_t on composefs, which denies
-# execmem needed for text relocations. Upstream fix: kernel v7.1-rc1 commits
-# 880bd496ec72, 6af36aeb147a, 82544d36b172. Remove when backported to RHEL 10.2 kernel.
-allow kernel_t self:process execmem;
-
 # When microshift creates backup folders in /var/lib/microshift-backups, the correct labels are applied
 # Note: filetrans_pattern rules states;
 # Process running as `kubelet_t` that creates a `dir` called `microshift-backups`
diff --git a/test/image-blueprints-bootc/el10/layer1-base/group1/rhel102-test-agent.containerfile b/test/image-blueprints-bootc/el10/layer1-base/group1/rhel102-test-agent.containerfile
index d4bf2dbf96..a97ab03532 100644
--- a/test/image-blueprints-bootc/el10/layer1-base/group1/rhel102-test-agent.containerfile
+++ b/test/image-blueprints-bootc/el10/layer1-base/group1/rhel102-test-agent.containerfile
@@ -1,4 +1,4 @@
-FROM registry.stage.redhat.io/rhel10/rhel-bootc:10.2
+FROM registry.redhat.io/rhel10/rhel-bootc:10.2
 # Build arguments
 ARG USHIFT_RPM_REPO_NAME=microshift-local
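Review bot: Nothing in this diff ties the policy to a kernel that carries the composefs/overlayfs labeling fix, yet the microshift.te hunk drops `allow kernel_t self:process execmem;` for every host that installs the package. The removed comment made the backport to the RHEL 10.2 kernel the removal condition, and the only evidence visible here is the test image, whose `rhel-bootc:10.2` tag is floating, so the run covers whichever kernel that tag resolves to at build time. On a host still running an unfixed kernel, CRI-O would presumably hit the execmem AVC denial again. I would record the fixed kernel build next to the change, for example `# USHIFT-7215 workaround removed; needs a kernel with the composefs/overlayfs labeling fix (<kernel NVR>)`, and check the test run's audit log for `execmem` denials with a `kernel_t` source context.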