From 1c1ac28586b8e10e8543c81a46b8235a760ce43b Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 14 Jul 2025 12:10:09 -0400 Subject: [PATCH] Don't allow containers by default setexec setfscreate Signed-off-by: Daniel J Walsh --- container.te | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/container.te b/container.te index 533f978..9e20607 100644 --- a/container.te +++ b/container.te @@ -1,4 +1,4 @@ -policy_module(container, 2.239.0) +policy_module(container, 2.240.0) gen_require(` class passwd rootok; @@ -60,6 +60,13 @@ gen_tunable(container_use_dri_devices, true) ## gen_tunable(container_manage_cgroup, false) +## +##

+## Allow containers to manipulate SELinux labels +##

+##
+gen_tunable(container_modify_selinux_labels, false) + ## ##

## Determine whether container can @@ -577,6 +584,10 @@ userdom_use_user_ptys(container_runtime_domain) userdom_connectto_stream(container_runtime_domain) allow container_domain init_t:socket_class_set { accept ioctl read getattr lock write append getopt }; +tunable_policy(`container_modify_selinux_labels',` + allow container_domain self:process { setexec setfscreate}; +') + tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(container_runtime_domain) fs_manage_nfs_files(container_runtime_domain) @@ -936,7 +947,7 @@ allow container_domain self:netlink_xfrm_socket create_socket_perms; allow container_domain self:packet_socket create_socket_perms; allow container_domain self:passwd rootok; allow container_domain self:peer recv; -allow container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop setexec setfscreate}; +allow container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop}; allow container_domain self:sem create_sem_perms; allow container_domain self:shm create_shm_perms; allow container_domain self:socket create_socket_perms;
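Review bot: The description of the new `container_modify_selinux_labels` tunable, `Allow containers to manipulate SELinux labels`, overstates what the boolean grants and does not tell an administrator when to turn it on. What it gates (in the later hunk) is `setexec` and `setfscreate` on the container's own process, i.e. the ability to choose the label of an exec'd child or of newly created files via setexeccon()/setfscreatecon(); as I understand the kernel checks, the chosen label is still subject to the ordinary `process transition` and file `create` permissions, so enabling it does not by itself let a container pick arbitrary types. I would replace the description with `## Allow processes in containers to set the SELinux context of their own exec'd children (setexec) and newly created files (setfscreate), e.g. for tools calling setexeccon()/setfscreatecon(). Off by default; affected containers will see AVC denials on process { setexec setfscreate } until it is enabled.` The `<desc>`/`<p>` markup used by the neighbouring tunables does not appear on this page and may have been stripped in rendering; confirm it is present in the patch so the boolean description is generated like the others.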
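Review bot: The new `tunable_policy` block for `container_modify_selinux_labels` is placed among the `container_runtime_domain` rules (`userdom_use_user_ptys`, `userdom_connectto_stream`, the `init_t:socket_class_set` rule and the `virt_use_nfs` block), while the unconditional `allow container_domain self:process { ... }` rule it is carved out of lives in the later hunk, so someone auditing what `container_domain` may do to its own process will not find the conditional part next to the unconditional one. I would move the three-line block to sit directly after the `allow container_domain self:process { execmem ... sigstop};` rule, or at minimum leave a comment there pointing at the boolean. Consider also whether one boolean for both bits is the right granularity: `setfscreate` only influences the label of files the process creates, whereas `setexec` influences the label of processes it execs, and an administrator who needs the former is forced to re-enable the latter as well. The `virt_use_nfs` block continues past the end of the hunk.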
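Review bot: Dropping `setexec setfscreate` from the unconditional `allow container_domain self:process` rule is a behaviour change for any existing workload that calls setexeccon()/setfscreatecon() inside a container, and nothing at this rule tells the next reader where those permissions went. I would add a comment above it, `# setexec/setfscreate are gated by the container_modify_selinux_labels boolean (off by default)`, so the denial and its remedy are discoverable from the rule itself. The commit message currently carries no body; naming the boolean there as the opt-in would help users who only see the new AVC denials after upgrading.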