container: allow containers to read read-only container files

Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-12-31 14:04:16 -05:00 · 2021-12-31 14:04:16 -05:00 · 4aca3bab15
commit 4aca3bab15
parent e272db844c
1 changed files with 7 additions and 0 deletions
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@ -137,6 +137,13 @@ rw_chr_files_pattern(container_domain, container_file_t, container_file_t)
 rw_blk_files_pattern(container_domain, container_file_t, container_file_t)
 allow container_domain container_file_t:dir_file_class_set watch;

+allow container_domain container_ro_file_t:blk_file read_blk_file_perms;
+allow container_domain container_ro_file_t:dir list_dir_perms;
+allow container_domain container_ro_file_t:chr_file read_chr_file_perms;
+allow container_domain container_ro_file_t:file { exec_file_perms read_file_perms };
+allow container_domain container_ro_file_t:lnk_file read_lnk_file_perms;
+allow container_domain container_ro_file_t:sock_file read_sock_file_perms;
+
 can_exec(container_domain, container_file_t)

 kernel_getattr_proc(container_domain)