|
1 |
| -policy_module(container, 2.133.0) |
| 1 | +policy_module(container, 2.134.0) |
2 | 2 | gen_require(`
|
3 | 3 | class passwd rootok;
|
4 | 4 | ')
|
@@ -468,6 +468,7 @@ tunable_policy(`container_use_cephfs',`
|
468 | 468 | exec_files_pattern(container_domain, cephfs_t, cephfs_t)
|
469 | 469 | ')
|
470 | 470 |
|
| 471 | +fs_manage_fusefs_named_sockets(container_runtime_domain) |
471 | 472 | fs_manage_fusefs_dirs(container_runtime_domain)
|
472 | 473 | fs_manage_fusefs_files(container_runtime_domain)
|
473 | 474 | fs_manage_fusefs_symlinks(container_runtime_domain)
|
@@ -720,6 +721,8 @@ dev_dontaudit_mounton_sysfs(container_domain)
|
720 | 721 | dev_dontaudit_mounton_sysfs(container_domain)
|
721 | 722 |
|
722 | 723 | dontaudit container_domain container_runtime_tmpfs_t:dir read;
|
| 724 | +allow container_domain container_runtime_tmpfs_t:dir mounton; |
| 725 | + |
723 | 726 | dev_getattr_mtrr_dev(container_domain)
|
724 | 727 | dev_list_sysfs(container_domain)
|
725 | 728 |
|
@@ -877,6 +880,8 @@ tunable_policy(`container_manage_cgroup',`
|
877 | 880 | fs_manage_cgroup_files(container_domain)
|
878 | 881 | ')
|
879 | 882 |
|
| 883 | +fs_manage_fusefs_named_sockets(container_domain) |
| 884 | +fs_manage_fusefs_named_pipes(container_domain) |
880 | 885 | fs_manage_fusefs_dirs(container_domain)
|
881 | 886 | fs_manage_fusefs_files(container_domain)
|
882 | 887 | fs_manage_fusefs_symlinks(container_domain)
|
@@ -1139,7 +1144,6 @@ fs_unmount_cgroup(container_engine_t)
|
1139 | 1144 | fs_manage_cgroup_dirs(container_engine_t)
|
1140 | 1145 | fs_manage_cgroup_files(container_engine_t)
|
1141 | 1146 |
|
1142 |
| -allow container_engine_t container_runtime_tmpfs_t:dir mounton; |
1143 | 1147 | allow container_engine_t proc_t:file mounton;
|
1144 | 1148 | allow container_engine_t sysctl_t:file mounton;
|
1145 | 1149 | allow container_engine_t sysfs_t:filesystem remount;
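Review bot: The `allow container_domain container_runtime_tmpfs_t:dir mounton;` added at new line 724 replaces the `container_engine_t` rule dropped at old line 1142, so the mounton grant now covers every type carrying the container_domain attribute rather than the engine alone. If container_engine_t itself has the container_domain attribute (that assignment is outside these hunks) nothing is lost, but the widening is not explained anywhere; a comment next to line 724 such as `# runtime tmpfs mounton is needed by all container domains, not only the engine (moved from container_engine_t)` would record the intent. Separately, new lines 883-884 give container_domain both fusefs named_sockets and named_pipes, while new line 471 gives container_runtime_domain only named_sockets. If the runtime domain genuinely does not need named pipes, a one-line comment at line 471 saying so would stop a later reader from "fixing" the asymmetry; otherwise the two additions should match.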
|
|