diff options
author | Kenton Groombridge <concord@gentoo.org> | 2024-05-06 16:38:43 -0400 |
---|---|---|
committer | Kenton Groombridge <concord@gentoo.org> | 2024-05-14 13:41:47 -0400 |
commit | b85214ca8e0a693d0b903fd31da74b6d6be4667b (patch) | |
tree | 3e4b222c8a9f5dc4b407368882f84ffdc63fe758 | |
parent | matrixd: add tunable for binding to all unreserved ports (diff) | |
download | hardened-refpolicy-b85214ca8e0a693d0b903fd31da74b6d6be4667b.tar.gz hardened-refpolicy-b85214ca8e0a693d0b903fd31da74b6d6be4667b.tar.bz2 hardened-refpolicy-b85214ca8e0a693d0b903fd31da74b6d6be4667b.zip |
container: allow system container engines to mmap runtime files
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r-- | policy/modules/services/container.te | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index 096d6c23..9699ac36 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te @@ -866,7 +866,7 @@ filetrans_pattern(container_engine_system_domain, container_var_lib_t, container filetrans_pattern(container_engine_system_domain, container_var_lib_t, container_file_t, dir, "volumes") allow container_engine_system_domain container_runtime_t:dir { manage_dir_perms relabel_dir_perms watch }; -allow container_engine_system_domain container_runtime_t:file { manage_file_perms relabel_file_perms watch }; +allow container_engine_system_domain container_runtime_t:file { mmap_manage_file_perms relabel_file_perms watch }; allow container_engine_system_domain container_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; allow container_engine_system_domain container_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; allow container_engine_system_domain container_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; |