container: allow containers the chroot capability

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-06 20:09:20 -05:00 · 2022-01-06 20:09:20 -05:00 · d098ffc59d
commit d098ffc59d
parent cec7f0d3e2
1 changed files with 1 additions and 1 deletions
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@ -108,7 +108,7 @@ corenet_port(container_port_t)
 # Common container domain local policy
 #

-allow container_domain self:capability { dac_override kill setgid setuid sys_boot };
+allow container_domain self:capability { dac_override kill setgid setuid sys_boot sys_chroot };
 allow container_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
 allow container_domain self:fifo_file manage_fifo_file_perms;
 allow container_domain self:sem create_sem_perms;