Selinux: Allow qm_t to mmap qm_file_t char devices

This allows qm apps to mmap /dev/zero which is a common operation, and should be safe. Fixes: #741 Signed-off-by: Alexander Larsson <[email protected]>
containers · Mar 4, 2025 · 05cfa40 · 05cfa40
1 parent c95f521
commit 05cfa40
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/qm.if b/qm.if
@@ -93,7 +93,7 @@ template(`qm_domain_template',`
 	manage_lnk_files_pattern($1_t, $1_file_type, $1_file_type)
 	manage_sock_files_pattern($1_t, $1_file_type, $1_file_type)
 	fs_tmpfs_filetrans($1_t, $1_file_t, { dir file lnk_file })
-	allow $1_t $1_file_type:chr_file { watch watch_reads };
+	allow $1_t $1_file_type:chr_file { watch watch_reads map };
 	allow $1_t $1_file_type:dir { mounton relabelfrom relabelto };
 	allow $1_t $1_file_type:filesystem all_filesystem_perms;