commit:     b85214ca8e0a693d0b903fd31da74b6d6be4667b
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Mon May  6 20:38:43 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:47 2024 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b85214ca

container: allow system container engines to mmap runtime files

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/container.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 096d6c23d..9699ac36d 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -866,7 +866,7 @@ filetrans_pattern(container_engine_system_domain, container_var_lib_t, container
 filetrans_pattern(container_engine_system_domain, container_var_lib_t, container_file_t, dir, "volumes")
 
 allow container_engine_system_domain container_runtime_t:dir { manage_dir_perms relabel_dir_perms watch };
-allow container_engine_system_domain container_runtime_t:file { manage_file_perms relabel_file_perms watch };
+allow container_engine_system_domain container_runtime_t:file { mmap_manage_file_perms relabel_file_perms watch };
 allow container_engine_system_domain container_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
 allow container_engine_system_domain container_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 allow container_engine_system_domain container_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
