From cf5b35795bca74002f863ea8fc5bb50a6d49ebec Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Thu, 23 Dec 2021 09:54:00 -0500
Subject: [PATCH] staff, unconfined: allow container user access

Signed-off-by: Kenton Groombridge
---
 policy/modules/roles/staff.te | 4 ++++
 policy/modules/system/unconfined.te | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 2701b0446..af069f0ad 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -23,6 +23,10 @@ optional_policy(`
 auditadm_role_change(staff_r)
 ')
 
+optional_policy(`
+ container_user_role(staff, staff_t, staff_application_exec_domain, staff_r)
+')
+
 optional_policy(`
 dbadm_role_change(staff_r)
 ')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index ca614a92e..8ecc6f731 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -80,6 +80,10 @@ optional_policy(`
 bootloader_run(unconfined_t, unconfined_r)
 ')
 
+optional_policy(`
+ container_user_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r)
+')
+
 optional_policy(`
 cron_unconfined_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r)
 ')
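Review bot: The added `container_user_role(staff, staff_t, staff_application_exec_domain, staff_r)` call widens the confined staff role with no comment, and the commit has no body saying which container access is intended; the same applies to the matching block in policy/modules/system/unconfined.te. The template's rules are defined outside this patch, so the least-privilege impact on staff_t cannot be judged from the hunk alone. I would add a line above the call such as `# Container access for staff users; the rules granted are defined by container_user_role in the container module`. The grant is active whenever the container module is built, so if sites are expected to opt in, a tunable around the call would make that explicit.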
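Review bot: The new unconfined.te block uses the generic `container_user_role` template for unconfined_t, while the adjacent cron block uses a dedicated `cron_unconfined_role` variant. The template body is not part of this patch, so it is worth confirming that its rules suit an unconfined user; if it adds transitions into confined container domains, existing unconfined sessions that start containers may begin seeing new denials. A short comment such as `# Associate container domains with unconfined_r so unconfined users can run containers` would record the intent, assuming that is what the template does.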