container: allow reading generic certs

There are cases where one may want to mount certs on the host into a container. Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
author: Kenton Groombridge <concord@gentoo.org> 2024-08-09 10:35:43 -0400
committer: Jason Zaman <perfinion@gentoo.org> 2024-09-21 15:28:29 -0700
commit: d3f848f176741b7a2df860ec4ffba055e5bcc5e6 (patch)
tree: 4ec92454330bb5c10c1293dfd05e615e8ef65a72
parent: testing: add container_kvm_t to net admin exempt list (diff)
download: hardened-refpolicy-d3f848f176741b7a2df860ec4ffba055e5bcc5e6.tar.gz
hardened-refpolicy-d3f848f176741b7a2df860ec4ffba055e5bcc5e6.tar.bz2
hardened-refpolicy-d3f848f176741b7a2df860ec4ffba055e5bcc5e6.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index e9f59e51..8fcd88e1 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -389,6 +389,7 @@ libs_dontaudit_setattr_lib_files(container_domain)
 miscfiles_read_localization(container_domain)
 miscfiles_dontaudit_setattr_fonts_cache_dirs(container_domain)
 miscfiles_read_fonts(container_domain)
+miscfiles_read_generic_certs(container_domain)
 
 mta_dontaudit_read_spool_symlinks(container_domain)
author	Kenton Groombridge <concord@gentoo.org>	2024-08-09 10:35:43 -0400
committer	Jason Zaman <perfinion@gentoo.org>	2024-09-21 15:28:29 -0700
commit	d3f848f176741b7a2df860ec4ffba055e5bcc5e6 (patch)
tree	4ec92454330bb5c10c1293dfd05e615e8ef65a72
parent	testing: add container_kvm_t to net admin exempt list (diff)
download	hardened-refpolicy-d3f848f176741b7a2df860ec4ffba055e5bcc5e6.tar.gz hardened-refpolicy-d3f848f176741b7a2df860ec4ffba055e5bcc5e6.tar.bz2 hardened-refpolicy-d3f848f176741b7a2df860ec4ffba055e5bcc5e6.zip