Additional rules required for kvm containers

Since container_kvm_t can mount /proc, allow it to unmount /proc. container_t is allowed to write to syslog, so should container_kvm_t. Allow dgram packets to be sent to the kernel, but virtiofsd. Signed-off-by: Daniel J Walsh <[email protected]>
containers · Oct 22, 2020 · e80cdf3 · e80cdf3
1 parent 9b3b66f
commit e80cdf3
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/container.te b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.148.0)
+policy_module(container, 2.149.0)
 gen_require(`
 	class passwd rootok;
 ')
@@ -1158,9 +1158,12 @@ corecmd_bin_entry_type(container_kvm_t)
 # virtiofs causes these AVC messages.
 kernel_mount_proc(container_kvm_t)
 kernel_mounton_proc(container_kvm_t)
+kernel_unmount_proc(container_kvm_t)
+kernel_dgram_send(container_kvm_t)
 files_mounton_rootfs(container_kvm_t)
 
 auth_read_passwd(container_kvm_t)
+logging_send_syslog_msg(container_kvm_t)
 
 optional_policy(`
 	qemu_entry_type(container_kvm_t)