container_engine_t: another round of small improvements (#327)

Signed-off-by: Peter Hunt <pehunt@redhat.com>
containers · Sep 18, 2024 · bf1c37e · bf1c37e
1 parent cc5da8a
commit bf1c37e
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/container.te b/container.te
@@ -1450,11 +1450,13 @@ allow container_engine_t sysctl_t:{dir file} mounton;
 allow container_engine_t fusefs_t:dir { relabelfrom relabelto };
 allow container_engine_t fusefs_t:file relabelto;
 allow container_engine_t kernel_t:system module_request;
-allow container_engine_t null_device_t:chr_file mounton;
+allow container_engine_t null_device_t:chr_file { mounton setattr_chr_file_perms };
 allow container_engine_t random_device_t:chr_file mounton;
 allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
 allow container_engine_t urandom_device_t:chr_file mounton;
 allow container_engine_t zero_device_t:chr_file mounton;
+allow container_engine_t container_file_t:sock_file mounton;
+allow container_engine_t container_runtime_tmpfs_t:dir { ioctl list_dir_perms };
 
 manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)