From 4e4e63ca13ea2a0133df8c07e7631ee064f07b70 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 14 Aug 2023 10:51:20 -0400
Subject: [PATCH] Allow spc_t to use execmod libraries on container file systems

Signed-off-by: Daniel J Walsh
---
 container.te | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/container.te b/container.te
index 6d0cf01..c560d73 100644
--- a/container.te
+++ b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.219.0)
+policy_module(container, 2.220.0)
 
 gen_require(`
 class passwd rootok;
@@ -136,6 +136,7 @@ type container_devpts_t alias docker_devpts_t;
 term_pty(container_devpts_t)
 
 typealias container_ro_file_t alias { container_share_t docker_share_t };
+typeattribute container_ro_file_t container_file_type, user_home_type;
 files_mountpoint(container_ro_file_t)
 userdom_user_home_content(container_ro_file_t)
 
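Review bot: The `+typeattribute container_ro_file_t container_file_type, user_home_type;` line widens every rule keyed on container_file_type (and every userdom home-content rule keyed on user_home_type) to the read-only share type, not just the execmod rule this patch adds for spc_t further down. If any rule elsewhere in the module grants write, manage or relabel on container_file_type to container domains, container_ro_file_t stops being read-only for them; that is not visible in this hunk and is worth confirming on the built policy with `sesearch -A -t container_ro_file_t -c file -p write`. A one-line why-comment above the rule would make the intent reviewable later, e.g. `# share type also carries container_file_type/user_home_type so attribute-based rules cover it`.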
@@ -638,17 +639,15 @@ fs_unmount_fusefs(container_runtime_domain)
 fs_exec_fusefs_files(container_runtime_domain)
 storage_rw_fuse(container_runtime_domain)
 
-optional_policy(`
- files_search_all(container_domain)
- container_read_share_files(container_domain)
- container_exec_share_files(container_domain)
- allow container_domain container_ro_file_t:file execmod;
- container_lib_filetrans(container_domain,container_file_t, sock_file)
- container_use_ptys(container_domain)
- container_spc_stream_connect(container_domain)
- fs_dontaudit_remount_tmpfs(container_domain)
- dev_dontaudit_mounton_sysfs(container_domain)
-')
+files_search_all(container_domain)
+container_read_share_files(container_domain)
+container_exec_share_files(container_domain)
+allow container_domain container_ro_file_t:file execmod;
+container_lib_filetrans(container_domain,container_file_t, sock_file)
+container_use_ptys(container_domain)
+container_spc_stream_connect(container_domain)
+fs_dontaudit_remount_tmpfs(container_domain)
+dev_dontaudit_mounton_sysfs(container_domain)
 
 optional_policy(`
 apache_exec_modules(container_runtime_domain)
@@ -755,6 +754,7 @@ domtrans_pattern(container_runtime_domain, fusefs_t, spc_t)
 fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file })
 allow container_runtime_domain spc_t:process2 { nnp_transition nosuid_transition };
+allow spc_t container_file_type:file execmod;
 admin_pattern(spc_t, kubernetes_file_t)
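Review bot: The nine container_domain rules unwrapped from `optional_policy(` now sit unlabelled between container_runtime_domain rules (`storage_rw_fuse(container_runtime_domain)` above, the apache `optional_policy` below), so a reader has no cue that the subject changes for this run of lines. Since optional_policy is meant for interfaces from other modules and these all reference the module's own types and interfaces, dropping the wrapper looks right; a heading comment such as `# Permissions common to every container_domain` before `files_search_all(container_domain)` would keep the group recognisable. Note that `allow container_domain container_ro_file_t:file execmod;` is carried over unchanged and stays narrower than the spc_t rule added later in this patch.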
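Review bot: The added `allow spc_t container_file_type:file execmod;` grants execmod on every file carrying container_file_type, which after this patch includes container_ro_file_t, and it is unconditional rather than behind a tunable. execmod is the permission that lets a domain keep a file mapping executable after it has been modified (text relocations), so it relaxes the write-xor-execute guarantee for anything spc_t loads from container volumes. Whether spc_t is already unconfined for this class is not visible in the hunk; if it is not, consider placing the rule in a `tunable_policy` block so hosts whose containers do not ship libraries with text relocations can leave it off, and add a why-comment such as `# spc_t may load libraries with text relocations from container volumes`.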