From 7876e515103f9e13b861132bb26c72e0a2821159 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Mon, 6 May 2024 16:38:43 -0400
Subject: [PATCH] container: allow system container engines to mmap runtime files

Signed-off-by: Kenton Groombridge
---
 policy/modules/services/container.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 096d6c23d..9699ac36d 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -866,7 +866,7 @@ filetrans_pattern(container_engine_system_domain, container_var_lib_t, container
 filetrans_pattern(container_engine_system_domain, container_var_lib_t, container_file_t, dir, "volumes")
 
 allow container_engine_system_domain container_runtime_t:dir { manage_dir_perms relabel_dir_perms watch };
-allow container_engine_system_domain container_runtime_t:file { manage_file_perms relabel_file_perms watch };
+allow container_engine_system_domain container_runtime_t:file { mmap_manage_file_perms relabel_file_perms watch };
 allow container_engine_system_domain container_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
 allow container_engine_system_domain container_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 allow container_engine_system_domain container_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
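Review bot: The new `map` permission granted on the `+allow container_engine_system_domain container_runtime_t:file { mmap_manage_file_perms ... }` line is not justified anywhere in the hunk or the commit message beyond "engines need to mmap runtime files", so a later reviewer cannot tell which engine or which file under container_runtime_t triggered the denial; a comment above the rule recording that, e.g. `# engines mmap runtime state files (denial seen with <engine>, <path>)` once confirmed, would preserve the rationale. Since `mmap_manage_file_perms` is `manage_file_perms` plus `map`, and `map` together with `write` lets the domain keep writable mappings whose access is, as far as I recall, not re-validated on later relabels or policy changes, the grant should be scoped to the files that actually need it rather than to every file of type container_runtime_t if the engine's usage allows. If the non-system `container_engine_domain` carries a parallel `container_runtime_t:file` rule outside this hunk, it is worth checking whether it hits the same denial so the two domains stay consistent.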