commit:     cd84d1468359c3bbf0c2c482a1474a9ebd18e3b3
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Apr  2 19:55:24 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cd84d146

container, podman: allow podman to restart container units

podman auto-update will automatically start the container unit when it
is updated.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.if | 20 ++++++++++++++++++++
 policy/modules/services/podman.te    |  4 ++++
 2 files changed, 24 insertions(+)

diff --git a/policy/modules/services/container.if 
b/policy/modules/services/container.if
index 541eb8a5..07ef8873 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -1382,6 +1382,26 @@ interface(`container_unlabeled_var_lib_filetrans',`
        kernel_unlabeled_filetrans($1, container_var_lib_t, $2, $3)
 ')
 
+########################################
+## <summary>
+##     Allow the specified domain to start
+##     systemd units for containers.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`container_start_units',`
+       gen_require(`
+               type container_unit_t;
+               class service start;
+       ')
+
+       allow $1 container_unit_t:service start;
+')
+
 ########################################
 ## <summary>
 ##     All of the rules required to
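Review bot: The summary of container_start_units describes only starting units, while its one caller (the podman.te hunk below) adds it for podman auto-update restarting a unit, so a reader checking the policy against that use case will wonder whether `stop` is also needed. As far as I know systemd's SELinux access check maps RestartUnit/ReloadOrRestartUnit to the `start` permission, so the grant is sufficient and deliberately narrow (no stop, status or reload on container_unit_t), but that is worth confirming against the systemd version the policy targets and stating in the interface documentation, e.g. `##     Restart requests are covered by the start permission.` added after the existing summary. The enclosing interface is complete within the hunk; the trailing context belongs to the next interface, whose body runs outside it.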

diff --git a/policy/modules/services/podman.te 
b/policy/modules/services/podman.te
index 3169c0da..12c67145 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -77,6 +77,10 @@ ifdef(`init_systemd',`
        systemd_list_journal_dirs(podman_t)
        systemd_read_journal_files(podman_t)
        systemd_watch_journal_dirs(podman_t)
+
+       # podman auto-update will restart the unit for
+       # the container when it is updated
+       container_start_units(podman_t)
 ')
 
 ########################################
