selinux/passt.te: Allow setcap on the process itself

This is needed by the new functions in isolate.c, add the
corresponding rule.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Stefano Brivio 2023-02-21 18:06:05 +00:00
parent 01801b131f
commit 7d9150db0a


@ -90,6 +90,7 @@ allow passt_t user_devpts_t:chr_file { getattr read write ioctl };
logging_send_syslog_msg(passt_t) logging_send_syslog_msg(passt_t)
allow syslogd_t self:cap_userns sys_ptrace; allow syslogd_t self:cap_userns sys_ptrace;
allow passt_t self:process setcap;
allow passt_t self:capability { sys_tty_config setpcap net_bind_service }; allow passt_t self:capability { sys_tty_config setpcap net_bind_service };
allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace }; allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace };
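Review bot: The added `allow passt_t self:process setcap;` has no comment in the policy explaining why the domain may change its own capability sets; the only rationale is the commit message's pointer to isolate.c. The `setcap` process permission gates capset(2), so an auditor reading the policy alone cannot tell whether this is for dropping or gaining capabilities. I would put a comment above the rule, for example `# capset() on self: needed by the capability handling in isolate.c` (wording to be confirmed against that file, which is not shown here). If another domain in this policy set runs the same isolate.c code, it presumably needs the matching rule too; only passt.te is visible in this commit.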