From 2d8dd15732026a03ba72257dbf84d06f13e3af3f Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Mon, 3 Mar 2025 11:30:35 +0100
Subject: [PATCH] Selinux: Allow qm_t to mmap qm_file_t char devices

This allows qm apps to mmap /dev/zero which is a common operation, and should be safe.
Fixes: https://github.com/containers/qm/issues/741
---
 qm.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qm.if b/qm.if
index c903c417..477c7d81 100644
--- a/qm.if
+++ b/qm.if
@@ -93,7 +93,7 @@ template(`qm_domain_template',`
 manage_lnk_files_pattern($1_t, $1_file_type, $1_file_type)
 manage_sock_files_pattern($1_t, $1_file_type, $1_file_type)
 fs_tmpfs_filetrans($1_t, $1_file_t, { dir file lnk_file })
- allow $1_t $1_file_type:chr_file { watch watch_reads };
+ allow $1_t $1_file_type:chr_file { watch watch_reads map };
 allow $1_t $1_file_type:dir { mounton relabelfrom relabelto };
 allow $1_t $1_file_type:filesystem all_filesystem_perms;
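Review bot: The added `map` permission applies to every type in the `$1_file_type` attribute, while the commit subject speaks only of `qm_file_t` char devices, so the rule as written is wider than the stated intent. SELinux checks `map` in addition to the read/write permissions, which are not granted on this line and presumably come from elsewhere in the template, so whether this is safe depends on which device nodes can carry a type in that attribute; for a char device that exposes device memory, mmap is a different access path from read()/write(). If only /dev/zero-style nodes are meant, consider a separate, narrower rule such as `allow $1_t $1_file_t:chr_file map;`, or at least put a comment above the line, e.g. `# map: needed so qm apps can mmap /dev/zero (issue 741)`. The body of `qm_domain_template` starts and ends outside this hunk.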