From 0e3ce95c94e11d5847f6a3cbf9e7dfc3db2b4385 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Thu, 31 Mar 2022 15:04:26 -0400
Subject: [PATCH] container, init: allow init to remount container filesystems
Allow init to remount container filesystems. This is in support of other services starting with NoNewPrivileges while already running containers have mounted filesystems.
Signed-off-by: Kenton Groombridge
---
 policy/modules/services/container.if | 19 +++++++++++++++++++
 policy/modules/system/init.te | 4 ++++
 2 files changed, 23 insertions(+)
diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index bf5ecfb5d..541eb8a5a 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -1099,6 +1099,25 @@ interface(`container_relabel_all_content',`
 allow $1 container_file_t:dir_file_class_set { relabelfrom relabelto };
 ')
+########################################
+##
+## Allow the specified domain to
+## remount container filesystems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_remount_fs',`
+ gen_require(`
+ type container_file_t;
+ ')
+ allow $1 container_file_t:filesystem remount;
+')
 ########################################
 ##
 ## Allow the specified domain to
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index c6635d834..5f9427bbe 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -543,6 +543,10 @@ ifdef(`init_systemd',`
 clock_read_adjtime(init_t)
 ')
+ optional_policy(`
+ container_remount_fs(init_t)
+ ')
+
 optional_policy(`
 systemd_dbus_chat_logind(init_t)
 systemd_search_all_user_keys(init_t)
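Review bot: The summary of the new `container_remount_fs` interface says only "remount container filesystems", which understates what `allow $1 container_file_t:filesystem remount;` permits: a remount changes the mount options of any filesystem labeled container_file_t, which includes flags such as ro, nosuid or noexec, and a policy reader deciding whether to call this interface should see that. I would extend the summary to `Allow the specified domain to remount container filesystems (change mount options of filesystems labeled container_file_t).`. The interface body is complete within the hunk; the summary and param tags appear stripped in this rendering, so presumably they are intact in the actual patch and only the wording needs the change.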
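Review bot: The new `optional_policy` block in init.te grants init_t the remount permission with no comment explaining why, and the motivation given in the commit message (services starting with NoNewPrivileges while containers already have filesystems mounted) is not deducible from the rule itself. I would add a comment directly above the call, `# remount container filesystems when starting services with NoNewPrivileges`, so a later reader knows what depends on this grant before widening or removing it. Per the hunk header the block sits inside `ifdef(`init_systemd',`, whose start and end are outside the hunk, so the grant appears to apply to systemd builds only; if that restriction is intentional, the comment could say so too.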