Allow container domains to watch fifo_files

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Daniel J Walsh 2024-01-09 21:54:53 -05:00
parent 540fa9b5ff
commit 26d4f23ec1
No known key found for this signature in database
GPG Key ID: A2DF901DABE2C028
2 changed files with 3 additions and 1 deletions


@ -1,4 +1,4 @@
policy_module(container, 2.227.0)
policy_module(container, 2.228.0)
gen_require(`
class passwd rootok;
@ -904,6 +904,7 @@ dontaudit container_domain self:dir { write add_name };
allow container_domain self:file rw_file_perms;
allow container_domain self:lnk_file read_file_perms;
allow container_domain self:fifo_file create_fifo_file_perms;
allow container_domain self:fifo_file watch;
allow container_domain self:filesystem associate;
allow container_domain self:key manage_key_perms;
allow container_domain self:netlink_route_socket r_netlink_socket_perms;
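Review bot: The new `allow container_domain self:fifo_file watch;` line has to stay separate from the `create_fifo_file_perms` rule just above it, because the spec hunk on this page strips it with `sed -i '/fifo_file watch/d'` inside a conditional build block, and folding `watch` into the existing permission set would silently defeat that strip-out. A comment on the new line would protect the layout, e.g. `# keep on its own line: the spec removes it via sed on builds where the watch permission is unavailable`. What that condition gates cannot be confirmed from this page, since the enclosing `%if` of the spec hunk is outside the shown lines. Note also that `self:fifo_file` only covers fifos labelled with the container domain's own type; if the denial being addressed involves fifos of another type, a matching rule for that type would still be needed.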


@ -71,6 +71,7 @@ sed -i 's/^install: man/install:/' Makefile
sed -i 's/watch watch_reads//' container.if
sed -i 's/watch watch_reads//' container.te
sed -i '/sysfs_t:dir watch/d' container.te
sed -i '/fifo_file watch/d' container.te
%endif
%if %{defined no_systemd_chat_resolved}