container: allow container admins the sysadm capability in user
namespaces Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
parent
810cc48197
commit
22ece2b57e
@ -2518,7 +2518,7 @@ interface(`container_admin',`
|
||||
allow $1 container_engine_domain:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, container_engine_domain)
|
||||
|
||||
allow $1 self:cap_userns { kill sys_ptrace };
|
||||
allow $1 self:cap_userns { kill sys_ptrace sys_admin };
|
||||
|
||||
files_search_var_lib($1)
|
||||
admin_pattern($1, container_var_lib_t)
|
||||
|
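Review bot: The new `allow $1 self:cap_userns { kill sys_ptrace sys_admin };` line widens the container admin domain to CAP_SYS_ADMIN inside user namespaces, but neither the hunk nor the commit message records which engine operation actually needed it, so a later reviewer cannot tell whether a narrower permission would have sufficed. sys_admin is the broadest capability in that class, so I would put the reason on the line itself, e.g. `# sys_admin in the userns is required by <operation that failed — fill in>` (constructed placeholder), or state it in the commit message. If the need is specific to one engine or configuration, it may be worth hedging the grant behind a tunable rather than granting it unconditionally to every caller of the interface; that is an inference from the interface being generic, not something the hunk shows. The enclosing `container_admin` interface starts and ends outside the hunk.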