From 341fb1d2533177ab6224e2292e2611ba46f7c3d3 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 29 Aug 2023 07:31:10 -0400
Subject: [PATCH] Don't allow containers to read /var/lib/kublet/pods by default

Signed-off-by: Daniel J Walsh
---
 container.fc | 1 -
 container.te | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/container.fc b/container.fc
index 6ebf81f..8641bf5 100644
--- a/container.fc
+++ b/container.fc
@@ -137,7 +137,6 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:
 /var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
-/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
 /var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
 /var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
diff --git a/container.te b/container.te
index 7846ead..9eecf21 100644
--- a/container.te
+++ b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.221.0)
+policy_module(container, 2.221.1)
 gen_require(`
 class passwd rootok;
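Review bot: Removing the `/var/lib/kubelet/pods(/.*)?` entry in the container.fc hunk only changes what a future labeling produces (presumably the parent's `var_lib_t` default — confirm with `matchpathcon`); hosts that already have the tree labeled `container_file_t` keep that label until a relabel runs, so by itself the change does not revoke the access the subject line describes. The commit description should state that a `restorecon -R /var/lib/kubelet/pods` (or full relabel) is required on upgrade, since the `policy_module` version bump in the second hunk does not cause one. It is also worth confirming that pod volumes under this tree which previously relied on the static `container_file_t` label are relabeled by the runtime at mount time, otherwise this hardening surfaces as AVC denials on running pods rather than silently. The subject line spells the path `kublet`; it should read `/var/lib/kubelet/pods` to match the removed pattern.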