Merge pull request #255 from rhatdan/cert

Add boolean to allow containers to read all cert files
containers · Jun 15, 2023 · 124acb6 · 124acb6
2 parents c0328f4 + d6dfcc6
commit 124acb6
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/container.te b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.218.0)
+policy_module(container, 2.219.0)
 
 gen_require(`
 	class passwd rootok;
@@ -17,6 +17,13 @@ gen_require(`
 ## </desc>
 gen_tunable(container_connect_any, false)
 
+## <desc>
+##  <p>
+##  Allow all container domains to read cert files and directories
+##  </p>
+## </desc>
+gen_tunable(container_read_certs, false)
+
 ## <desc>
 ##  <p>
 ##  Determine whether sshd can launch container engines
@@ -606,6 +613,10 @@ tunable_policy(`container_use_cephfs',`
 	allow container_domain cephfs_t:file execmod;
 ')
 
+tunable_policy(`container_read_certs',`
+	miscfiles_read_all_certs(container_domain)
+')
+
 gen_require(`
 	type ecryptfs_t;
 ')