From 9b1ebb6170d69402baaa639d29807fda98f45390 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Wed, 5 May 2021 06:38:13 -0400 Subject: [PATCH] Add support for lockdown:confidentiality to container_runtime Signed-off-by: Daniel J Walsh --- container.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/container.te b/container.te
index 456acd1..aa792d4 100644
--- a/container.te
+++ b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.160.2)
+policy_module(container, 2.161.0)
 gen_require(`
 class passwd rootok;
 ')
@@ -114,6 +114,7 @@ mls_trusted_object(container_runtime_t)
 # allow container_runtime_domain self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap sys_resource };
 allow container_runtime_domain self:tun_socket { create_socket_perms relabelto };
+allow container_runtime_domain self:lockdown { confidentiality integrity };
 allow container_runtime_domain self:process ~setcurrent;
 allow container_runtime_domain self:passwd rootok;
 allow container_runtime_domain self:fd use;
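Review bot: The added `allow container_runtime_domain self:lockdown { confidentiality integrity };` grants `integrity` as well, although the subject line names only `lockdown:confidentiality`; if `integrity` was not already required (nothing in this hunk shows it), the extra permission should be justified in the commit message or dropped. Either way the rule is unconditional and applies to every domain carrying the `container_runtime_domain` attribute, not just `container_runtime_t`, and lockdown permissions relax checks the kernel lockdown LSM would otherwise enforce (as I understand it, `confidentiality` covers reads of kernel state such as /dev/mem, kcore or bpf maps), so the line deserves a why-comment naming the operation that produced the denial, e.g. `# Kernel lockdown LSM checks are mapped onto the SELinux lockdown class; the runtime trips lockdown { confidentiality } on <operation> -- record the motivating AVC here`. If the denial only occurs for a subset of runtimes or features, consider gating the rule in a `tunable_policy` boolean instead of granting it to the whole attribute unconditionally. The run of rules on `container_runtime_domain` continues past the end of the hunk.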