diff --git a/container.te b/container.te
index 12e9cf5..4b9a72d 100644
--- a/container.te
+++ b/container.te
@@ -751,7 +751,7 @@ tunable_policy(`container_connect_any',`
 #
 # spc local policy
 #
-allow spc_t { container_file_t container_var_lib_t container_ro_file_t }:file entrypoint;
+allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint;
 role system_r types spc_t;
 domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
@@ -884,7 +884,7 @@ container_manage_files_template(container, container)
 typeattribute container_file_t container_file_type, user_home_type;
 typeattribute container_t container_domain, container_net_domain, container_user_domain;
 allow container_user_domain self:process getattr;
-allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
+allow container_domain { container_var_lib_t container_ro_file_t container_file_t container_runtime_tmpfs_t}:file entrypoint;
 allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms;
 allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map };
 allow container_domain container_runtime_t:unix_dgram_socket sendto;
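Review bot: Both added rules make a tmpfs-backed type an entrypoint with no comment saying why, at the `allow spc_t` rule in the first hunk and the `allow container_domain` rule in the hunk at line 884. Unlike container_ro_file_t, tmpfs content can be created and rewritten at run time, so how safe these rules are depends on which domains may create or write files labeled container_runtime_tmpfs_t. That is not visible in this diff and is worth confirming before merge, for example with `sesearch -A -t container_runtime_tmpfs_t -c file -p write`, particularly for the privileged spc_t domain. I would put a rationale line above each rule, such as `# runtime may exec the container entrypoint from a copy on its own tmpfs` (the motivation is inferred, so the author should confirm the wording). The set should also read `container_runtime_tmpfs_t }` with a space before the brace, to match the neighbouring rules.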