Allow containers to setattr on their processes link files

Also allow remounting of /proc. These AVCs are seen when attempt to run buildah within a user namespace separated container. Signed-off-by: Daniel J Walsh <[email protected]>
containers · Aug 19, 2019 · 028ab00 · 028ab00
1 parent 4f7d6bb
commit 028ab00
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-2.113.0
+2.114.0
diff --git a/container.te b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.113.0)
+policy_module(container, 2.114.0)
 gen_require(`
 	class passwd rootok;
 ')
@@ -659,6 +659,7 @@ allow container_domain container_runtime_t:fifo_file { rw_fifo_file_perms map };
 allow container_domain container_runtime_t:fd use;
 allow container_runtime_t container_domain:fd use;
 allow container_domain self:socket_class_set { create_socket_perms map accept };
+allow container_domain self:lnk_file setattr;
 
 dontaudit container_domain self:capability fsetid;
 allow container_domain self:association sendto;
@@ -1038,3 +1039,5 @@ gen_require(`
 	attribute device_node;
 ')
 dontaudit container_domain device_node:chr_file setattr;
+
+allow container_t proc_t:filesystem remount;