This repository has been archived by the owner on May 30, 2023. It is now read-only.
sec-policy/selinux-base-policy: add capability to unlabeled_t
With this patch, we allow `unlabeled_t` to associate to tmpfs filesystem. It aims to solve the AVC we have with `torcx` with the `torcx-generator`:

```
Nov 15 09:45:43 localhost audit[688]: AVC avc: denied { associate } for pid=688 comm="torcx-generator" name="docker" dev="tmpfs" ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
```

It has not been caught earlier because it occurs when the system boots with `SELinux` in `enforcing` mode. This denial was preventing torcx from finishing its setup correctly, and so Docker was not able to start.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
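To see how the quoted AVC record maps onto the rule the commit message describes, here is an added example (not part of the commit or the project's code) that parses the denial and derives the corresponding type-enforcement rule. The function names `parse_avc` and `to_allow_rule` are hypothetical, and the sample line is constructed from the record quoted above.

```python
import re

# Sample input constructed from the AVC record quoted in the commit message.
SAMPLE = ('Nov 15 09:45:43 localhost audit[688]: AVC avc: denied { associate } '
          'for pid=688 comm="torcx-generator" name="docker" dev="tmpfs" ino=2 '
          'scontext=system_u:object_r:unlabeled_t:s0 '
          'tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0')

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC audit line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if 'tclass' not in rec:
        return None
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; the level may itself contain
    # colons (e.g. s0:c0.c1023), so split at most three times.
    for key in ('scontext', 'tcontext'):
        parts = rec.get(key, '').split(':', 3)
        if len(parts) < 3:
            return None
        rec[key[0] + 'type'] = parts[2]  # stored as 'stype' / 'ttype'
    # permissive=0 means the denial was enforced, not merely logged.
    rec['enforced'] = rec.get('permissive') == '0'
    return rec


def to_allow_rule(rec):
    """Render the allow rule that would permit the access in the record."""
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {perm_str};"


if __name__ == '__main__':
    record = parse_avc(SAMPLE)
    print(record['comm'], 'enforced' if record['enforced'] else 'permissive')
    print(to_allow_rule(record))
```

The derived rule is only a candidate: whether a broad grant on `unlabeled_t` is acceptable, or the object should instead be labeled correctly, is a policy review decision.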