From 22ece2b57e70d7534b2bd6e9004d06529fbb01d5 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Wed, 7 Dec 2022 10:49:39 -0500
Subject: [PATCH] container: allow container admins the sysadm capability in user namespaces

Signed-off-by: Kenton Groombridge
---
 policy/modules/services/container.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 55f8e4f3d..8fd3832fb 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -2518,7 +2518,7 @@ interface(`container_admin',`
 	allow $1 container_engine_domain:process { ptrace signal_perms };
 	ps_process_pattern($1, container_engine_domain)
 
-	allow $1 self:cap_userns { kill sys_ptrace };
+	allow $1 self:cap_userns { kill sys_ptrace sys_admin };
 
 	files_search_var_lib($1)
 	admin_pattern($1, container_var_lib_t)
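Review bot: The added `sys_admin` in the `self:cap_userns` allow rule is the kernel's catch-all capability (mount, setns, and many other privileged operations inside the caller's user namespace), yet neither the commit message nor the policy says which operation triggered the denial, so future reviewers cannot judge whether the grant is still needed or could be narrowed. A one-line comment above the rule would preserve that rationale, e.g. `# sys_admin in the admin's own user namespace is needed for <operation> (presumably entering container namespaces via setns()/nsenter -- confirm against the AVC denial)`. Note also that the commit title says "sysadm capability", which in refpolicy reads as a reference to the sysadm_t domain rather than the CAP_SYS_ADMIN permission actually granted; the comment should use `sys_admin` to avoid that confusion. The enclosing `interface(`container_admin',` block begins and ends outside this hunk.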