systemd: Allow user namespace creation.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Chris PeBenito 2023-03-02 16:00:13 -05:00
parent de41a207b9
commit e1a6199384
2 changed files with 3 additions and 0 deletions


@ -271,6 +271,7 @@ ifdef(`init_systemd',`
allow init_t self:capability2 audit_read;
allow init_t self:key { search setattr write };
allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
allow init_t self:user_namespace create;
dontaudit init_t self:process { dyntransition setcurrent };
# manage the capabilities granted to namespace processes
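Review bot: The new `allow init_t self:user_namespace create;` rule has no comment saying which systemd feature needs it, and the same is true of the matching rules added for systemd_coredump_t and systemd_nspawn_t in the second file. User namespace creation is commonly restricted as a hardening measure, so each grant deserves its own justification; this matters most for systemd_coredump_t, which, judging by its sys_ptrace grants, inspects crashed and possibly untrusted processes. I would add a one-line rationale above each rule, for example `# units that request a private user namespace (presumably PrivateUsers=) - confirm` for init_t, and note in the commit message which denials prompted each grant. The enclosing ifdef for init_systemd starts and ends outside this hunk.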


@ -429,6 +429,7 @@ ifdef(`enable_mls',`
allow systemd_coredump_t self:capability { setgid setuid setpcap sys_ptrace };
allow systemd_coredump_t self:cap_userns { sys_admin sys_ptrace };
allow systemd_coredump_t self:process { getcap setcap setfscreate };
allow systemd_coredump_t self:user_namespace create;
allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
allow systemd_coredump_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow systemd_coredump_t self:fifo_file rw_inherited_fifo_file_perms;
@ -1179,6 +1180,7 @@ miscfiles_read_localization(systemd_notify_t)
allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill };
allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
allow systemd_nspawn_t self:capability2 wake_alarm;
allow systemd_nspawn_t self:user_namespace create;
allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;