From 028ab0049681265664a3bbae7501bc5bddcd6cc0 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 19 Aug 2019 08:03:42 -0400
Subject: [PATCH] Allow containers to setattr on their processes link files

Also allow remounting of /proc.

These AVCs are seen when attempt to run buildah within a user namespace separated container.

Signed-off-by: Daniel J Walsh
---
 VERSION | 2 +-
 container.te | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/VERSION b/VERSION
index 350d3d9..2c04776 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.113.0
+2.114.0
diff --git a/container.te b/container.te
index fba833a..4d8b888 100644
--- a/container.te
+++ b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.113.0)
+policy_module(container, 2.114.0)
 gen_require(`
 class passwd rootok;
 ')
@@ -659,6 +659,7 @@ allow container_domain container_runtime_t:fifo_file { rw_fifo_file_perms map };
 allow container_domain container_runtime_t:fd use;
 allow container_runtime_t container_domain:fd use;
 allow container_domain self:socket_class_set { create_socket_perms map accept };
+allow container_domain self:lnk_file setattr;
 dontaudit container_domain self:capability fsetid;
 allow container_domain self:association sendto;
@@ -1038,3 +1039,5 @@ gen_require(`
 attribute device_node;
 ')
 dontaudit container_domain device_node:chr_file setattr;
+
+allow container_t proc_t:filesystem remount;
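Review bot: The added `allow container_domain self:lnk_file setattr;` in the container.te hunk at line 659 carries no comment, so the only record of why it exists is the commit message; add one above it such as `# buildah inside a user-namespaced container sets attributes on its own process link files`. The rule is also granted to the whole `container_domain` attribute rather than the single domain in which the AVC was observed; because the target is `self`, exposure is limited to a domain's own link files, but the broader scope should be stated as intentional in that comment. The declared hunk length (6 old lines) does not match the five context lines recoverable from the collapsed text, so one context line, presumably blank, was lost in the paste.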
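Review bot: The appended `allow container_t proc_t:filesystem remount;` in the last container.te hunk references the `proc_t` type directly, while the only `gen_require` visible in this hunk declares `attribute device_node;`; unless `proc_t` is already required earlier in container.te, the module will not build, and refpolicy convention would prefer a kernel-module interface over the raw type where one is available. The rule also has no comment tying it to the use case in the commit message; add e.g. `# buildah running in a user-namespaced container remounts /proc`. Note that its scope differs from the `lnk_file` rule in the previous hunk: remount is granted to `container_t` only, not to all of `container_domain`, so other container domains would still produce this AVC, and if that narrowing is deliberate the comment should say so. Since `remount` permits changing mount options on any `proc_t` filesystem the domain can reach, the comment should also record the assumption that the container's own mount namespace is what bounds the effect.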