From bf1c37e40955a92dff4593325d5dc061eda680b6 Mon Sep 17 00:00:00 2001
From: Peter Hunt
Date: Wed, 18 Sep 2024 06:07:12 -0400
Subject: [PATCH] container_engine_t: another round of small improvements (#327)

Signed-off-by: Peter Hunt
---
 container.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/container.te b/container.te
index 989a026..8c3c203 100644
--- a/container.te
+++ b/container.te
@@ -1450,11 +1450,13 @@ allow container_engine_t sysctl_t:{dir file} mounton;
 allow container_engine_t fusefs_t:dir { relabelfrom relabelto };
 allow container_engine_t fusefs_t:file relabelto;
 allow container_engine_t kernel_t:system module_request;
-allow container_engine_t null_device_t:chr_file mounton;
+allow container_engine_t null_device_t:chr_file { mounton setattr_chr_file_perms };
 allow container_engine_t random_device_t:chr_file mounton;
 allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
 allow container_engine_t urandom_device_t:chr_file mounton;
 allow container_engine_t zero_device_t:chr_file mounton;
+allow container_engine_t container_file_t:sock_file mounton;
+allow container_engine_t container_runtime_tmpfs_t:dir { ioctl list_dir_perms };
 manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)