nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

container: add tunable to allow spc to use tun-tap devices

Browse Source 
Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
Kenton Groombridge 2022-10-10 12:13:17 -04:00
parent d9314aeb24
commit c7a0cc0cd2
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
policy/modules/services/container.te
View File

@ -37,6 +37,13 @@ gen_tunable(container_read_public_content, false)
## </desc> ## </desc>
gen_tunable(container_spc_create_nfs_servers, false) gen_tunable(container_spc_create_nfs_servers, false)
## <desc>
## <p>
## Allow super privileged containers to use tun-tap devices.
## </p>
## </desc>
gen_tunable(container_spc_use_tun_tap_dev, false)
## <desc> ## <desc>
## <p> ## <p>
## Allow containers to use direct rendering devices. ## Allow containers to use direct rendering devices.
@ -918,6 +925,10 @@ ifdef(`init_systemd',`
init_run_bpf(spc_t) init_run_bpf(spc_t)
') ')
tunable_policy(`container_spc_use_tun_tap_dev',`
corenet_rw_tun_tap_dev(spc_t)
')
optional_policy(` optional_policy(`
tunable_policy(`container_spc_create_nfs_servers',` tunable_policy(`container_spc_create_nfs_servers',`
fs_mount_nfsd_fs(spc_t) fs_mount_nfsd_fs(spc_t)