Add container_logwriter_t policy type

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
containers · Oct 28, 2022 · 7fafd46 · 7fafd46
1 parent cfc7e10
commit 7fafd46
Showing 1 changed file with 9 additions and 7 deletions.
diff --git a/container.te b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.190.1)
+policy_module(container, 2.191.0)
 
 gen_require(`
 	class passwd rootok;
@@ -1140,12 +1140,14 @@ allow container_logreader_t logfile:lnk_file read_lnk_file_perms;
 logging_read_audit_log(container_logreader_t)
 logging_list_logs(container_logreader_t)
 
-tunable_policy(`virt_sandbox_use_all_caps',`
-	allow container_logreader_t self:capability ~{ sys_module };
-	allow container_logreader_t self:capability2 ~{ mac_override mac_admin };
-	allow container_logreader_t self:cap_userns ~{ sys_module };
-	allow container_logreader_t self:cap2_userns ~{ mac_override mac_admin };
-')
+# Container Logwriter
+container_domain_template(container_logwriter)
+typeattribute container_logwriter_t container_net_domain;
+logging_read_all_logs(container_logwriter_t)
+manage_files_pattern(container_logwriter_t, logfile, logfile)
+manage_dirs_pattern(container_logwriter_t, logfile, logfile)
+manage_lnk_files_pattern(container_logwriter_t, logfile, logfile)
+logging_manage_audit_log(container_logwriter_t)
 
 optional_policy(`
 	gen_require(`