Merge pull request #294 from rhatdan/watch

Allow container domains to watch fifo_files
containers · Jan 11, 2024 · 48c2b45 · 48c2b45
2 parents 540fa9b + 26d4f23
commit 48c2b45
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/container.te b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.227.0)
+policy_module(container, 2.228.0)
 
 gen_require(`
 	class passwd rootok;
@@ -904,6 +904,7 @@ dontaudit container_domain self:dir { write add_name };
 allow container_domain self:file rw_file_perms;
 allow container_domain self:lnk_file read_file_perms;
 allow container_domain self:fifo_file create_fifo_file_perms;
+allow container_domain self:fifo_file watch;
 allow container_domain self:filesystem associate;
 allow container_domain self:key manage_key_perms;
 allow container_domain self:netlink_route_socket r_netlink_socket_perms;

diff --git a/rpm/container-selinux.spec b/rpm/container-selinux.spec
@@ -71,6 +71,7 @@ sed -i 's/^install: man/install:/' Makefile
 sed -i 's/watch watch_reads//' container.if
 sed -i 's/watch watch_reads//' container.te
 sed -i '/sysfs_t:dir watch/d' container.te
+sed -i '/fifo_file watch/d' container.te
 %endif
 
 %if %{defined no_systemd_chat_resolved}