RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

container: add missing capabilities 

Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
Kenton Groombridge 2022-03-31 15:16:26 -04:00
parent 53e708e724
commit f0c980b36c
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
policy/modules/services/container.te
View File

@ -163,7 +163,7 @@ corenet_port(container_port_t)
#
allow container_domain self:capability { dac_override kill setgid setuid sys_boot sys_chroot };
allow container_domain self:cap_userns { chown dac_override fowner setgid setuid };
allow container_domain self:cap_userns { chown dac_override dac_read_search fowner kill setgid setuid };
allow container_domain self:process { execstack execmem getattr getsched getsession setsched setcap setpgid signal_perms };
allow container_domain self:fifo_file manage_fifo_file_perms;
allow container_domain self:sem create_sem_perms;
@ -302,7 +302,7 @@ optional_policy(`
#
allow container_net_domain self:capability { net_admin net_raw };
allow container_net_domain self:cap_userns { net_admin net_raw };
allow container_net_domain self:cap_userns { net_admin net_bind_service net_raw };
allow container_net_domain self:tcp_socket create_stream_socket_perms;
allow container_net_domain self:udp_socket create_socket_perms;
allow container_net_domain self:tun_socket create_socket_perms;