container, podman: allow podman to restart container units

podman auto-update will automatically start the container unit when it is updated. Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-02 15:55:24 -04:00 · 2022-04-02 15:55:24 -04:00 · dcc90a0c3c
parent 43a9841746
commit dcc90a0c3c
2 changed files with 24 additions and 0 deletions
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@ -1382,6 +1382,26 @@ interface(`container_unlabeled_var_lib_filetrans',`
 	kernel_unlabeled_filetrans($1, container_var_lib_t, $2, $3)
 ')

+########################################
+## <summary>
+##	Allow the specified domain to start
+##	systemd units for containers.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_start_units',`
+	gen_require(`
+		type container_unit_t;
+		class service start;
+	')
+
+	allow $1 container_unit_t:service start;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@ -77,6 +77,10 @@ ifdef(`init_systemd',`
 	systemd_list_journal_dirs(podman_t)
 	systemd_read_journal_files(podman_t)
 	systemd_watch_journal_dirs(podman_t)
+
+	# podman auto-update will restart the unit for
+	# the container when it is updated
+	container_start_units(podman_t)
 ')

 ########################################