From 6894aaa796cc0f737a8ac705d49d9d9c5d265143 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge <me@concord.sh>
Date: Fri, 24 Feb 2023 20:46:36 -0500
Subject: [PATCH] container: fixes for podman run --log-driver=passthrough

The --log-driver=passthrough argument is used by default for units
generated by quadlet. Without these permissions (read/write on init's
stream sockets and use of init's file descriptors), containers started
through systemd in this way will not be able to send logs to the journal.

Signed-off-by: Kenton Groombridge <me@concord.sh>
---
 policy/modules/services/container.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index c788faaae..5de421fc3 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -304,6 +304,9 @@ clock_read_adjtime(container_domain)
 
 init_read_utmp(container_domain)
 init_dontaudit_write_utmp(container_domain)
+# for podman run --log-driver=passthrough
+init_rw_stream_sockets(container_domain)
+init_use_fds(container_domain)
 
 libs_dontaudit_setattr_lib_files(container_domain)