diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 638723e2d..f1d1853c0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -620,6 +620,10 @@ ifdef(`init_systemd',`
 kubernetes_read_config(init_t)
 ')
 
+ optional_policy(`
+ locallogin_use_pidfds(init_t)
+ ')
+
 optional_policy(`
 # var-lib-nfs-rpc_pipefs.mount creates /var/lib/nfs/rpc_pipefs
 # if it does not exist
diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
index 3c558ed3b..296963788 100644
--- a/policy/modules/system/locallogin.if
+++ b/policy/modules/system/locallogin.if
@@ -57,6 +57,24 @@ interface(`locallogin_use_fds',`
 allow $1 local_login_t:fd use;
 ')
 
+########################################
+##
+## Use PIDFDs from local login.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`locallogin_use_pidfds',`
+ gen_require(`
+ type local_login_t;
+ ')
+
+ allow $1 local_login_t:fd use;
+')
+
 ########################################
 ##
 ## Do not audit attempts to inherit local login file descriptors.
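Review bot: The new `locallogin_use_pidfds` interface in locallogin.if grants exactly the rule that the existing `locallogin_use_fds` interface in the hunk's context already grants, `allow $1 local_login_t:fd use;`, so the policy cannot tell a pidfd apart from any other descriptor local_login_t passes, and the summary "Use PIDFDs from local login" overstates what is enforced. Either have init.te call `locallogin_use_fds(init_t)` instead of adding a second interface, or keep it and say in the summary that it is a deliberate alias, e.g. `##	Use PIDFDs from local login. Currently grants the same fd use rule as locallogin_use_fds(); kept separate so callers name the pidfd use case and it can be narrowed later.` A reader auditing init_t's permissions otherwise assumes a narrower grant than the one actually written. The summary and param XML markup of the new interface block appears to have been lost in this rendering; confirm it is present in the committed file, since the interface documentation tooling depends on it.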