fix(NODE-1498): allow read access to more hardware info for node_expo…

…rter (#2121) Give prometheus `node_exporter` more read access to device info: * Allow reading udev state data from /run/udev/data * Allow reading /proc/pressure * Allow reading under mount points with mnt_t (NODE-1498)
dfinity · Oct 18, 2024 · 2ce147d · 2ce147d
1 parent b545f6b
commit 2ce147d
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/ic-os/components/selinux/node_exporter/node_exporter.te b/ic-os/components/selinux/node_exporter/node_exporter.te
@@ -115,3 +115,12 @@ require {
     type user_runtime_root_t;
 }
 allow node_exporter_t user_runtime_root_t:dir { search };
+
+# Allow reading udev state data from /run/udev/data
+udev_read_runtime_files(node_exporter_t)
+
+# Allow reading /proc/pressure
+kernel_read_psi(node_exporter_t)
+
+# Allow reading under mount points with mnt_t
+files_list_mnt(node_exporter_t)