From 690076c7a8173c05d906c4717da26fd904a69700 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 22 Mar 2021 16:57:07 -0400
Subject: [PATCH] Allow containers to write to /dev/rand, /dev/urand
Since non privileged users are able to write to /dev/random and /dev/urandom, I see no reason to block this with SELinux. Running systemd inside of a rootless container requires this.
Signed-off-by: Daniel J Walsh
---
 container.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/container.te b/container.te
index cd4b7ef..b2c8407 100644
--- a/container.te
+++ b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.158.0)
+policy_module(container, 2.159.0)
 gen_require(`
 class passwd rootok;
 ')
@@ -885,7 +885,9 @@ fs_mounton_cgroup(container_t)
 fs_unmount_cgroup(container_t)
 dev_read_rand(container_domain)
+dev_write_rand(container_domain)
 dev_read_urand(container_domain)
+dev_write_urand(container_domain)
 files_read_kernel_modules(container_domain)
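Review bot: The added `dev_write_rand(container_domain)` and `dev_write_urand(container_domain)` rules grant the write permission set to every type carrying the container_domain attribute, not only the rootless-systemd case the commit message justifies, and in refpolicy these interfaces presumably expand through write_chr_files_pattern to include `ioctl` alongside `write` on random_device_t/urandom_device_t. The message's reasoning holds only because unprivileged writes to /dev/{,u}random mix bytes into the pool without crediting entropy, while RNDADDENTROPY/RNDCLEARPOOL/RNDRESEEDCRNG are gated by the kernel's CAP_SYS_ADMIN check rather than by this policy, so a container type that runs with that capability is now one ioctl away from crediting attacker-chosen entropy or zapping the pool. I would record that reasoning next to the new rules, e.g. `# unprivileged writes to /dev/{,u}random only mix bytes (no entropy credit); RNG ioctls remain gated by CAP_SYS_ADMIN in the kernel`, and consider limiting the grant to the types that need it or narrowing it with an allowxperm rule if the policy build supports extended permissions. The run of container_domain rules continues outside the hunk.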