Allow container domains to use container runtime tcp and udp sockets
Systemd socket activated containers are leaking tcp and udp sockets
into containers so that the container can handle the connections.

Signed-off-by: Daniel J Walsh <[email protected]>
rhatdan committed Feb 21, 2022
1 parent 9bc0e7e commit ec17f3b
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions container.te
@@ -1,4 +1,4 @@
policy_module(container, 2.178.0)
policy_module(container, 2.179.0)

gen_require(`
class passwd rootok;
@@ -850,7 +850,9 @@ allow container_domain self:unix_dgram_socket { sendto create_socket_perms };
allow container_domain self:passwd rootok;
allow container_domain self:filesystem associate;
allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
allow container_domain container_runtime_t:unix_stream_socket { accept ioctl read getattr lock write append getopt setopt };
allow container_domain container_runtime_domain:unix_stream_socket { accept ioctl read getattr lock write append getopt setopt };
allow container_domain container_runtime_domain:tcp_socket { accept ioctl read getattr lock write append getopt setopt };
allow container_domain container_runtime_domain:udp_socket { accept ioctl read getattr lock write append getopt setopt };

kernel_getattr_proc(container_domain)
kernel_list_all_proc(container_domain)
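Review bot: the two new rules copy the unix_stream_socket permission set verbatim onto tcp_socket and udp_socket, so `accept` ends up granted on udp_socket even though it only applies to connection-oriented sockets; consider trimming the udp_socket rule to the permissions a datagram socket can actually exercise. Separately, the unchanged-looking first rule in this hunk also widens the grant from the single type `container_runtime_t` to the whole `container_runtime_domain` attribute, which the commit message does not mention; please state that scope change in the message so reviewers of the policy can see that every runtime domain carrying the attribute, not just the one type, now hands its tcp, udp and unix stream sockets to container domains.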

0 comments on commit ec17f3b
