container: allow system container engines to mmap runtime files

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-06 16:38:43 -04:00 · 2024-05-06 16:38:43 -04:00 · 7876e51510
parent d917092a81
commit 7876e51510
1 changed files with 1 additions and 1 deletions
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@ -866,7 +866,7 @@ filetrans_pattern(container_engine_system_domain, container_var_lib_t, container
 filetrans_pattern(container_engine_system_domain, container_var_lib_t, container_file_t, dir, "volumes")

 allow container_engine_system_domain container_runtime_t:dir { manage_dir_perms relabel_dir_perms watch };
-allow container_engine_system_domain container_runtime_t:file { manage_file_perms relabel_file_perms watch };
+allow container_engine_system_domain container_runtime_t:file { mmap_manage_file_perms relabel_file_perms watch };
 allow container_engine_system_domain container_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
 allow container_engine_system_domain container_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 allow container_engine_system_domain container_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };