container, init: allow init to remount container filesystems
Allow init to remount container filesystems. This is in support of other services starting with NoNewPrivileges while already running containers have mounted filesystems. Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
parent
4fd2a2ecbc
commit
0e3ce95c94
|
@ -1099,6 +1099,25 @@ interface(`container_relabel_all_content',`
|
||||||
allow $1 container_file_t:dir_file_class_set { relabelfrom relabelto };
|
allow $1 container_file_t:dir_file_class_set { relabelfrom relabelto };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow the specified domain to
|
||||||
|
## remount container filesystems.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`container_remount_fs',`
|
||||||
|
gen_require(`
|
||||||
|
type container_file_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 container_file_t:filesystem remount;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow the specified domain to
|
## Allow the specified domain to
|
||||||
|
|
|
@ -543,6 +543,10 @@ ifdef(`init_systemd',`
|
||||||
clock_read_adjtime(init_t)
|
clock_read_adjtime(init_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
container_remount_fs(init_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
systemd_dbus_chat_logind(init_t)
|
systemd_dbus_chat_logind(init_t)
|
||||||
systemd_search_all_user_keys(init_t)
|
systemd_search_all_user_keys(init_t)
|
||||||
|
|
Loading…
Reference in New Issue