Allow container domains to use container_runtime_tmpfs_t as an entryp…

…oint Signed-off-by: Daniel J Walsh <[email protected]>
containers · Oct 10, 2023 · 2d64985 · 2d64985
1 parent 7da05b8
commit 2d64985
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/container.te b/container.te
@@ -751,7 +751,7 @@ tunable_policy(`container_connect_any',`
 #
 # spc local policy
 #
-allow spc_t { container_file_t container_var_lib_t container_ro_file_t }:file entrypoint;
+allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint;
 role system_r types spc_t;
 
 domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
@@ -884,7 +884,7 @@ container_manage_files_template(container, container)
 typeattribute container_file_t container_file_type, user_home_type;
 typeattribute container_t container_domain, container_net_domain, container_user_domain;
 allow container_user_domain self:process getattr;
-allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
+allow container_domain { container_var_lib_t container_ro_file_t container_file_t container_runtime_tmpfs_t}:file entrypoint;
 allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms;
 allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map };
 allow container_domain container_runtime_t:unix_dgram_socket sendto;