staff, unconfined: allow container user access

Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-12-23 09:54:00 -05:00 · 2021-12-23 09:54:00 -05:00 · cf5b35795b
parent 819cef6a76
commit cf5b35795b
2 changed files with 8 additions and 0 deletions
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@ -23,6 +23,10 @@ optional_policy(`
 	auditadm_role_change(staff_r)
 ')

+optional_policy(`
+	container_user_role(staff, staff_t, staff_application_exec_domain, staff_r)
+')
+
 optional_policy(`
 	dbadm_role_change(staff_r)
 ')
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@ -80,6 +80,10 @@ optional_policy(`
 	bootloader_run(unconfined_t, unconfined_r)
 ')

+optional_policy(`
+	container_user_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r)
+')
+
 optional_policy(`
 	cron_unconfined_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r)
 ')