container: allow generic containers to read the vm_overcommit sysctl

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-31 15:09:45 -04:00 · 2022-03-31 15:09:45 -04:00 · 5dbc5aa25d
parent 0e3ce95c94
commit 5dbc5aa25d
1 changed files with 2 additions and 0 deletions
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@ -333,6 +333,8 @@ files_read_kernel_modules(container_t)
 fs_mount_cgroup(container_t)
 fs_rw_cgroup_files(container_t)

+kernel_read_vm_overcommit_sysctl(container_t)
+
 auth_use_nsswitch(container_t)

 logging_send_audit_msgs(container_t)