diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index d5f79b158..3d623229e 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -248,6 +248,11 @@ tunable_policy(`container_use_samba',`
 	fs_exec_cifs_files(container_domain)
 ')
 
+optional_policy(`
+	podman_rw_conmon_pipes(container_domain)
+	podman_use_conmon_fds(container_domain)
+')
+
 optional_policy(`
 	udev_read_runtime_files(container_domain)
 ')
diff --git a/policy/modules/services/podman.if b/policy/modules/services/podman.if
index 3d03884e2..7523e33de 100644
--- a/policy/modules/services/podman.if
+++ b/policy/modules/services/podman.if
@@ -188,6 +188,47 @@ interface(`podman_run_conmon_user',`
 	podman_domtrans_conmon_user($1)
 ')
 
+########################################
+##
+##	Read and write conmon unnamed pipes.
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`podman_rw_conmon_pipes',`
+	gen_require(`
+		type podman_conmon_t;
+		type podman_conmon_user_t;
+	')
+
+	allow $1 podman_conmon_t:fifo_file rw_fifo_file_perms;
+	allow $1 podman_conmon_user_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+##
+##	Allow the specified domain to inherit
+##	file descriptors from conmon.
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`podman_use_conmon_fds',`
+	gen_require(`
+		type podman_conmon_t;
+		type podman_conmon_user_t;
+	')
+
+	allow $1 podman_conmon_t:fd use;
+	allow $1 podman_conmon_user_t:fd use;
+')
+
 ########################################
 ##
 ##	Role access for rootless podman.
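Review bot: The new optional_policy block in container.te grants every type carrying the container_domain attribute read/write on conmon's pipes and use of conmon's descriptors, with nothing gating it, unlike the container_use_samba tunable block directly above. If some container domain types are never launched under conmon (the hunk does not show how the attribute is assigned), this is wider than the inherited stdio pipes presumably need; consider limiting the two calls to the conmon-spawned types, or at least adding a one-line comment stating why the whole attribute gets it, e.g. `# containers inherit their stdio pipes and fds from conmon`. The enclosing tunable_policy block starts outside the hunk.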
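Review bot: podman_rw_conmon_pipes describes the access as unnamed pipes, yet the two allow rules grant `rw_fifo_file_perms`, which includes `open`; an inherited unnamed pipe is reached through a descriptor and never opened, so the refpolicy set for this case is `rw_inherited_fifo_file_perms`, i.e. `allow $1 podman_conmon_t:fifo_file rw_inherited_fifo_file_perms;` and the matching line for podman_conmon_user_t. Dropping `open` keeps the interface to what the paired podman_use_conmon_fds interface actually enables and avoids letting callers open any named FIFO that happens to carry a conmon process type. If the wider set is intentional, the summary line should say so rather than "unnamed pipes".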