Dontaudit attempts by containers to write systectls

Signed-off-by: Daniel J Walsh <[email protected]>
containers · Oct 11, 2019 · 79bdcb5 · 79bdcb5
1 parent bfde70a
commit 79bdcb5
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-2.117.0
+2.118.0
diff --git a/container.te b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.117.0)
+policy_module(container, 2.118.0)
 gen_require(`
 	class passwd rootok;
 ')
@@ -1032,7 +1032,9 @@ container_runtime_read_tmpfs_files(init_t)
 
 gen_require(`
 	attribute device_node;
+	attribute sysctl_type;
 ')
 dontaudit container_domain device_node:chr_file setattr;
+dontaudit container_domain sysctl_type:file write;
 
 allow container_t proc_t:filesystem remount;