Commit 4c51e97

Allow spc_t domains to set bpf rules on any domain
Signed-off-by: Daniel J Walsh <[email protected]>
1 parent 99b40c5 commit 4c51e97

1 file changed

+4
-1
lines changed

container.te

Lines changed: 4 additions & 1 deletion
@@ -1,4 +1,4 @@
1-
policy_module(container, 2.163.0)
1+
policy_module(container, 2.164.0)
22

33
gen_require(`
44
class passwd rootok;
@@ -667,6 +667,9 @@ optional_policy(`
667667
optional_policy(`
668668
unconfined_domain_noaudit(spc_t)
669669
domain_ptrace_all_domains(spc_t)
670+
// This should eventually be in upstream policy.
671+
// https://github.com/fedora-selinux/selinux-policy/pull/806
672+
allow spc_t domain:bpf { map_create map_read map_write prog_load prog_run };
670673
')
671674

672675
optional_policy(`
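
Review bot: The two added comment lines (new lines 671-672) start with `//`, which is not comment syntax in SELinux policy source. Comments in a .te file start with `#`, so these two lines will be handed to the policy compiler as statements and are likely to break the build. Suggest `# This should eventually be in upstream policy.` and `# https://github.com/fedora-selinux/selinux-policy/pull/806`. Two smaller points on the rule at new line 673: it sits inside the optional_policy block that also holds unconfined_domain_noaudit(spc_t), so it only takes effect when that block is enabled; and its target is the `domain` attribute, so map_create, map_read, map_write, prog_load and prog_run are granted against every domain. That matches the commit title, but the comment should say so, so the rule is easy to find and drop once the upstream pull request lands.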
