From b084fe82dad10c849dec28a67c79f773ddc2c2a3 Mon Sep 17 00:00:00 2001
From: Ben Cressey
Date: Thu, 27 Aug 2020 17:21:13 +0000
Subject: [PATCH] selinux-policy: allow docker-init transition

`docker-init` has the `runtime_exec_t` label, rather than one of the labels that signify local content, but it's still a valid entrypoint to the container domains.

Signed-off-by: Ben Cressey
---
 packages/selinux-policy/rules.cil | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/packages/selinux-policy/rules.cil b/packages/selinux-policy/rules.cil
index eee1d023efb..c0e5fed8cbd 100644
--- a/packages/selinux-policy/rules.cil
+++ b/packages/selinux-policy/rules.cil
@@ -65,6 +65,10 @@
 (allow container_s cache_t (file (entrypoint)))
 (allow container_s state_t (file (entrypoint)))
+; Also allow entry to container domains through `docker-init`, which
+; is mounted from the root filesystem and used as the init process.
+(allow container_s runtime_exec_t (file (entrypoint)))
+
 ; Allow containers to communicate with runtimes via pipes.
 (allow container_s runtime_t (files (mutate)))
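Review bot: The new `(allow container_s runtime_exec_t (file (entrypoint)))` is keyed on the type, so it makes every file labelled `runtime_exec_t` a permitted entrypoint into the container domains, not only `docker-init` as the comment and commit message describe. If other runtime binaries share that label (the commit message implies `runtime_exec_t` is a general runtime label rather than one specific to docker-init), consider giving `docker-init` its own type so the entrypoint grant stays as narrow as the intent, or at least state the wider scope in the comment, e.g. `; Note: this permits any runtime_exec_t file as an entrypoint, not only docker-init.` The surrounding rules are context lines and the rest of the policy is outside this hunk, so whether a corresponding domain transition rule also exists for `runtime_exec_t` cannot be confirmed from here.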