[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

Jason Zaman Sat, 03 Sep 2022 12:10:24 -0700

commit:     cd84d1468359c3bbf0c2c482a1474a9ebd18e3b3
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Apr  2 19:55:24 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cd84d146


container, podman: allow podman to restart container units

podman auto-update will automatically start the container unit when it
is updated.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.if | 20 ++++++++++++++++++++
 policy/modules/services/podman.te    |  4 ++++
 2 files changed, 24 insertions(+)

diff --git a/policy/modules/services/container.if 
b/policy/modules/services/container.if
index 541eb8a5..07ef8873 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -1382,6 +1382,26 @@ interface(`container_unlabeled_var_lib_filetrans',`
        kernel_unlabeled_filetrans($1, container_var_lib_t, $2, $3)
 ')
 
+########################################
+## <summary>
+##     Allow the specified domain to start
+##     systemd units for containers.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`container_start_units',`
+       gen_require(`
+               type container_unit_t;
+               class service start;
+       ')
+
+       allow $1 container_unit_t:service start;
+')
+
 ########################################
 ## <summary>
 ##     All of the rules required to

diff --git a/policy/modules/services/podman.te 
b/policy/modules/services/podman.te
index 3169c0da..12c67145 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -77,6 +77,10 @@ ifdef(`init_systemd',`
        systemd_list_journal_dirs(podman_t)
        systemd_read_journal_files(podman_t)
        systemd_watch_journal_dirs(podman_t)
+
+       # podman auto-update will restart the unit for
+       # the container when it is updated
+       container_start_units(podman_t)
 ')
 
 ########################################

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

Reply via email to