From fddfbbb7836cabeb28feffb4602f4a3ae5016cdb Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 21 Aug 2019 09:53:31 -0400
Subject: [PATCH] Allow containers to execmod files on fusefs_t file systems
Signed-off-by: Daniel J Walsh
---
 VERSION | 2 +-
 container.te | 6 ++----
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/VERSION b/VERSION
index 2c04776..a662988 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.114.0
+2.115.0
diff --git a/container.te b/container.te
index 4d8b888..68a7885 100644
--- a/container.te
+++ b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.114.0)
+policy_module(container, 2.115.0)
 gen_require(`
 class passwd rootok;
 ')
@@ -873,10 +873,8 @@ fs_mount_fusefs(container_domain)
 fs_unmount_fusefs(container_domain)
 fs_mounton_fusefs(container_domain)
 storage_rw_fuse(container_domain)
-allow container_domain fusefs_t:file mounton;
+allow container_domain fusefs_t:file { mounton execmod };
 allow container_domain fusefs_t:filesystem remount;
-#manage_fifo_files_pattern(container_domain, fusefs_t, fusefs_t)
-#manage_sock_files_pattern(container_domain, fusefs_t, fusefs_t)
 tunable_policy(`virt_sandbox_use_netlink',`
 allow container_t self:netlink_socket create_socket_perms;
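Review bot: The new `allow container_domain fusefs_t:file { mounton execmod };` line in the second container.te hunk grants execmod unconditionally to every container domain for any file on a FUSE-backed filesystem, and execmod is the check that stops a process from making a modified or text-relocated file mapping executable, so this relaxes the W^X boundary for all containers rather than the workload that needed it. The commit message names no specific use case, so consider gating the permission with a boolean in a `tunable_policy(...)` block, the same pattern the surrounding `tunable_policy(`virt_sandbox_use_netlink',` context already uses, with `allow container_domain fusefs_t:file execmod;` inside it and a new boolean name of your choosing; the default policy would then keep denying and auditing execmod on fusefs_t while an operator can opt in. A one-line comment above the allow stating which workload requires execmod on fusefs_t files would help a future maintainer judge whether it can be tightened again. The tunable_policy block opened by the hunk's last context lines continues past the end of the hunk.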