systemd: Allow user namespace creation.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2023-03-02 16:00:13 -05:00 · 2023-03-02 16:00:13 -05:00 · e1a6199384
commit e1a6199384
parent de41a207b9
2 changed files with 3 additions and 0 deletions
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -271,6 +271,7 @@ ifdef(`init_systemd',`
 	allow init_t self:capability2 audit_read;
 	allow init_t self:key { search setattr write };
 	allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
+	allow init_t self:user_namespace create;
 	dontaudit init_t self:process { dyntransition setcurrent };

 	# manage the capabilities granted to namespace processes
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@ -429,6 +429,7 @@ ifdef(`enable_mls',`
 allow systemd_coredump_t self:capability { setgid setuid setpcap sys_ptrace };
 allow systemd_coredump_t self:cap_userns { sys_admin sys_ptrace };
 allow systemd_coredump_t self:process { getcap setcap setfscreate };
+allow systemd_coredump_t self:user_namespace create;
 allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
 allow systemd_coredump_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow systemd_coredump_t self:fifo_file rw_inherited_fifo_file_perms;
@ -1179,6 +1180,7 @@ miscfiles_read_localization(systemd_notify_t)
 allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill };
 allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
 allow systemd_nspawn_t self:capability2 wake_alarm;
+allow systemd_nspawn_t self:user_namespace create;
 allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
 allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;