containers · lsm5 · Jul 14, 2025 · Jul 14, 2025 · gemini-code-assist · Jul 14, 2025
diff --git a/container.te b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.239.0)
+policy_module(container, 2.240.0)
 
 gen_require(`
 	class passwd rootok;
@@ -60,6 +60,13 @@ gen_tunable(container_use_dri_devices, true)
 ## </desc>
 gen_tunable(container_manage_cgroup, false)
 
+## <desc>
+## <p>
+## Allow containers to manipulate SELinux labels
+## </p>
+## </desc>
+gen_tunable(container_modify_selinux_labels, false)
+
 ## <desc>
 ##  <p>
 ##  Determine whether container can
@@ -577,6 +584,10 @@ userdom_use_user_ptys(container_runtime_domain)
 userdom_connectto_stream(container_runtime_domain)
 allow container_domain init_t:socket_class_set { accept ioctl read getattr lock write append getopt };
 
+tunable_policy(`container_modify_selinux_labels',`
+	allow container_domain self:process { setexec setfscreate};
+')
+
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(container_runtime_domain)
 	fs_manage_nfs_files(container_runtime_domain)
@@ -936,7 +947,7 @@ allow container_domain self:netlink_xfrm_socket create_socket_perms;
 allow container_domain self:packet_socket create_socket_perms;
 allow container_domain self:passwd rootok;
 allow container_domain self:peer recv;
-allow container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop setexec setfscreate};
+allow container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop};
 allow container_domain self:sem create_sem_perms;
 allow container_domain self:shm create_shm_perms;
 allow container_domain self:socket create_socket_perms;