container: allow container admins the sysadm capability in user

namespaces Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-12-07 10:49:39 -05:00 · 2022-12-07 10:49:39 -05:00 · 22ece2b57e
commit 22ece2b57e
parent 810cc48197
1 changed files with 1 additions and 1 deletions
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@ -2518,7 +2518,7 @@ interface(`container_admin',`
 	allow $1 container_engine_domain:process { ptrace signal_perms };
 	ps_process_pattern($1, container_engine_domain)

-	allow $1 self:cap_userns { kill sys_ptrace };
+	allow $1 self:cap_userns { kill sys_ptrace sys_admin };

 	files_search_var_lib($1)
 	admin_pattern($1, container_var_lib_t)