From 2ce147d64e983699333f701931b06e43c2d45e16 Mon Sep 17 00:00:00 2001
From: nabdullindfinity <135595192+nabdullindfinity@users.noreply.github.com>
Date: Fri, 18 Oct 2024 16:25:32 +0200
Subject: [PATCH] fix(NODE-1498): allow read access to more hardware info for node_exporter (#2121)

Give prometheus `node_exporter` more read access to device info:
* Allow reading udev state data from /run/udev/data
* Allow reading /proc/pressure
* Allow reading under mount points with mnt_t (NODE-1498)
---
 ic-os/components/selinux/node_exporter/node_exporter.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/ic-os/components/selinux/node_exporter/node_exporter.te b/ic-os/components/selinux/node_exporter/node_exporter.te
index 5f9e149e8f8..0d0d4c5acf2 100644
--- a/ic-os/components/selinux/node_exporter/node_exporter.te
+++ b/ic-os/components/selinux/node_exporter/node_exporter.te
@@ -115,3 +115,12 @@ require {
 type user_runtime_root_t;
 }
 allow node_exporter_t user_runtime_root_t:dir { search };
+
+# Allow reading udev state data from /run/udev/data
+udev_read_runtime_files(node_exporter_t)
+
+# Allow reading /proc/pressure
+kernel_read_psi(node_exporter_t)
+
+# Allow reading under mount points with mnt_t
+files_list_mnt(node_exporter_t)
\ No newline at end of file
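Review bot: The comment on the last added line overstates what is granted: in the reference policy `files_list_mnt` only gives `list_dir_perms` on `mnt_t` directories, so node_exporter still cannot read file contents under /mnt, which is the least-privilege outcome you want if the filesystem collector only needs to enumerate mountpoints. Reword it to match the actual grant, e.g. `# Allow listing directories labelled mnt_t (e.g. /mnt) so mountpoints can be enumerated`, and if a later denial shows the exporter needs more, add the specific `getattr`/`read` permission rather than a broader interface. All three added calls are refpolicy interfaces and `kernel_read_psi` is a comparatively recent one, so confirm it exists in the refpolicy version this module is built against, and consider attaching the audit2allow output that motivated each grant so the minimal permission set stays reviewable. The file also ends without a trailing newline, as the diff marker shows; adding one keeps future hunks clean.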