Merge pull request #229 from rhatdan/dbus

Allow daemon to send dbus messages to spc_t
containers · Apr 22, 2023 · 53e7362 · 53e7362
2 parents f4f8294 + 3a34da7
commit 53e7362
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 3 deletions.
diff --git a/container.if b/container.if
@@ -997,7 +997,6 @@ interface(`container_kubelet_domtrans',`
 interface(`container_kubelet_run',`
 	gen_require(`
 		type kubelet_t;
-		class dbus send_msg;
 	')
 
 	container_kubelet_domtrans($1)

diff --git a/container.te b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.210.0)
+policy_module(container, 2.211.0)
 
 gen_require(`
 	class passwd rootok;
@@ -731,6 +731,7 @@ optional_policy(`
 	# This should eventually be in upstream policy.
 	# https://github.com/fedora-selinux/selinux-policy/pull/806
 	allow spc_t domain:bpf { map_create map_read map_write prog_load prog_run };
+	allow daemon spc_t:dbus send_msg;
 ')
 
 optional_policy(`
@@ -999,7 +1000,6 @@ allow container_net_domain self:rawip_socket create_stream_socket_perms;
 allow container_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
 allow container_net_domain self:netlink_xfrm_socket create_netlink_socket_perms;
 
-
 kernel_unlabeled_domtrans(container_runtime_domain, spc_t)
 kernel_unlabeled_entry_type(spc_t)
 allow container_runtime_domain unlabeled_t:key manage_key_perms;