lines changed Original file line number Diff line number Diff line change @@ -1653,6 +1653,10 @@ allow container_t tmpfs_t:filesystem remount;
16531653allow userdomain container_runtime_t:tcp_socket { bind create getopt listen setopt };
16541654allow userdomain container_runtime_t:udp_socket { bind create getopt listen setopt };
16551655
1656+ # When shutting down, systemd will stop the container before the socket unit, so
1657+ # ignore any AVC denials from systemd trying to accept the socket
1658+ dontaudit userdomain container_runtime_t:tcp_socket accept;
1659+
16561660# Allow systemd to kill containers (needed for when stopping a Quadlet service
16571661# times out)
16581662allow userdomain container_runtime_t:process { sigkill signal signull };
@@ -1661,3 +1665,9 @@ allow userdomain container_t:process { sigkill signal signull };
16611665# Needed for "podman build" to work as a confined user
16621666allow userdomain container_ro_file_t:dir mounton;
16631667allow userdomain self:capability setuid;
1668+
1669+ # Harmless AVC denial
1670+ dontaudit container_runtime_t self:process2 nnp_transition;
1671+
1672+ # Ignore containers trying to chown stdin/stdout/stderr
1673+ dontaudit container_t container_runtime_t:fifo_file setattr;