To expand on the above, I have found myself having to make SELinux policy changes to allow access to the Docker socket so that I can run cAdvisor, a Prometheus exporter, giving it the ability to give me insight into running containers.
This has involved a bit of Ignition config such as the one below, and then the execution post-boot of:
sudo semodule -i /etc/acme-corp/dockersock.cil
If anyone has a better way to get cadvisor running properly I’d be much obliged.
# SELinux policies written in CIL format can simply be installed with the
# semodule command. We do this as part of post-boot processes. Is there
# an easier way?
# The storage/files wrapper and the contents/inline keys below are assumed
# (Butane / Container Linux Config syntax) to complete the fragment; the
# path and the CIL body are as given.
storage:
  files:
    - path: /etc/acme-corp/dockersock.cil
      contents:
        inline: |
          (typeattributeset cil_gen_require docker_var_run_t)
          (typeattributeset cil_gen_require docker_t)
          (typeattributeset cil_gen_require svirt_lxc_net_t)
          (allow svirt_lxc_net_t docker_t (unix_stream_socket (connectto)))
          (allow svirt_lxc_net_t docker_var_run_t (sock_file (write)))
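As an added example, not code from the post, a small Python audit that parses a CIL module of this shape and lists which domains it allows to connect to the Docker daemon socket, so the scope of what is about to be loaded with semodule is visible before installing it. It assumes only the CIL text above; the parser is a minimal S-expression reader, not the real CIL compiler.

```python
import re

# Constructed sample: the CIL module from the post above.
DOCKERSOCK_CIL = """
(typeattributeset cil_gen_require docker_var_run_t)
(typeattributeset cil_gen_require docker_t)
(typeattributeset cil_gen_require svirt_lxc_net_t)
(allow svirt_lxc_net_t docker_t (unix_stream_socket (connectto)))
(allow svirt_lxc_net_t docker_var_run_t (sock_file (write)))
"""

def parse_sexprs(text):
    """Minimal S-expression reader for CIL (';' starts a comment).
    Returns top-level statements as nested lists of tokens."""
    tokens = re.findall(r"\(|\)|[^\s()]+", re.sub(r";.*", "", text))
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            node = stack.pop()
            stack[-1].append(node)  # IndexError here means a stray ')'
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '(' in CIL")
    return stack[0]

def allow_rules(text):
    """Every (allow src tgt (class (perm ...))) as (src, tgt, class, perms)."""
    rules = []
    for stmt in parse_sexprs(text):
        if isinstance(stmt, list) and stmt and stmt[0] == "allow":
            src, tgt, (cls, perms) = stmt[1], stmt[2], stmt[3]
            rules.append((src, tgt, cls, tuple(perms)))
    return rules

def docker_socket_grants(text):
    """Domains allowed to connect to dockerd's unix socket; anything that can
    talk to dockerd can start privileged containers, so this is root on the host.
    svirt_lxc_net_t is the default domain of every container, not just cadvisor."""
    return sorted({src for src, tgt, cls, perms in allow_rules(text)
                   if tgt == "docker_t" and cls == "unix_stream_socket"
                   and "connectto" in perms})

if __name__ == "__main__":
    for rule in allow_rules(DOCKERSOCK_CIL):
        print("allow", *rule)
    print("can reach dockerd:", docker_socket_grants(DOCKERSOCK_CIL))
```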