Allow runc to access setattr on the fifo_file
It was initially done in f6c7f41 but
the access on unconfined_service_t is missing as well.

See containers/podman#1980 (comment)

Closes containers/podman#1980
EmilienM committed Dec 11, 2018
1 parent 99e2cfd commit ae6e25b
Showing 2 changed files with 4 additions and 3 deletions.
2 changes: 1 addition & 1 deletion VERSION
@@ -1 +1 @@
2.75
2.76
5 changes: 3 additions & 2 deletions container.te
@@ -1,4 +1,4 @@
policy_module(container, 2.75.0)
policy_module(container, 2.76.0)
gen_require(`
class passwd rootok;
')
@@ -515,8 +515,9 @@ optional_policy(`
optional_policy(`
unconfined_domain(container_runtime_t)
unconfined_run_to(container_runtime_t, container_runtime_exec_t)
role_transition unconfined_r container_runtime_exec_t system_r;
role_transition unconfined_r unconfined_service_t container_runtime_exec_t system_r;
allow container_runtime_t unconfined_t:fifo_file setattr;
allow container_runtime_t unconfined_service_t:fifo_file setattr;
')

optional_policy(`
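
Review bot: The reworked role_transition line places unconfined_service_t between unconfined_r and container_runtime_exec_t, a change the commit message does not mention and one that does not match the statement's form of source role(s), type(s), new role. unconfined_service_t is a type, not a role, and more than one entry in a position has to be written as a brace-enclosed set, so please confirm the module still compiles with this line. If the intent is only the fifo_file access described in the commit message, keep `role_transition unconfined_r container_runtime_exec_t system_r;` unchanged and add just `allow container_runtime_t unconfined_service_t:fifo_file setattr;`, ideally with a policy comment pointing at containers/podman#1980 so the reason for granting setattr on a service domain's pipe stays documented.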