dontaudit spc_t to mmap_zero
For some apps running under docker, docker attempts
emulation mode triggering this AVC.

No reason to now allow it.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2297712

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
rhatdan authored and lsm5 committed Sep 18, 2024
1 parent 6e7f8a9 commit af5a09c
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion container.te
@@ -1,4 +1,4 @@
policy_module(container, 2.233.0)
policy_module(container, 2.234.0)

gen_require(`
class passwd rootok;
Expand Down Expand Up @@ -757,6 +757,7 @@ tunable_policy(`container_connect_any',`
#
allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint;
role system_r types spc_t;
dontaudit spc_t self:memprotect mmap_zero;

domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
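Review bot: the new `dontaudit spc_t self:memprotect mmap_zero;` only suppresses the AVC record; it does not grant the permission, so the low-address mapping that produced the denial (the kernel checks memprotect mmap_zero when a process maps below the LSM minimum mmap address) will still fail for the emulated application. The commit message ("No reason to now allow it") should say explicitly that the intent is to silence the log, not to make the emulation work, and it is worth confirming with the bug reporter that the silenced denial is not the cause of a failure they actually care about; if the emulated binary needs that mapping, the right change is an `allow` rule or a boolean, not a dontaudit. Style point: this is the only `self:memprotect` rule in the spc_t block, so a one-line `#` comment above it naming the emulation case and the bugzilla, in the same style as the `#` comment line that opens this block, would keep the reason from being lost once the commit is out of view.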
