From 8fb0b01108f41a91cb555c824625ac8138a8d062 Mon Sep 17 00:00:00 2001
From: Athaariq Ardhiansyah
Date: Thu, 28 Dec 2023 19:59:40 +0700
Subject: [PATCH] Fix denials that causes systemd to crash

The pull request fixes issue #282

Signed-off-by: Athaariq Ardhiansyah
---
 container.te | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/container.te b/container.te
index 84d2756..6cf307b 100644
--- a/container.te
+++ b/container.te
@@ -194,6 +194,21 @@ allow container_runtime_domain self:netlink_kobject_uevent_socket create_socket_
 allow container_runtime_domain self:netlink_tcpdiag_socket create_netlink_socket_perms;
 allow container_runtime_domain self:netlink_socket create_socket_perms;
+# Fix issue #282 (https://github.com/containers/container-selinux/issues/282)
+optional_policy(`
+ gen_require(`
+ type init_t;
+ type shadow_t;
+ type systemd_logind_t;
+ class process siginh;
+ class capability net_admin;
+ ')
+ allow init_t container_user_t:process siginh;
+ allow init_t shadow_t:file { open read };
+ allow systemd_logind_t self:capability net_admin;
+')
 corenet_tcp_bind_generic_node(container_runtime_domain)
 corenet_udp_bind_generic_node(container_runtime_domain)
 corenet_raw_bind_generic_node(container_runtime_domain)
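Review bot: Two of the three new allow rules reach outside the container domains — `allow init_t shadow_t:file { open read };` lets PID 1 read shadow_t-labelled password files and `allow systemd_logind_t self:capability net_admin;` hands CAP_NET_ADMIN to logind — and neither is scoped to a container type, so loading this module loosens base-policy domains even on hosts that never start a container. If these denials are genuine requirements rather than noise that belongs in a `dontaudit`, the shadow access should go through the refpolicy interface, `auth_read_shadow(init_t)`, so the can_read_shadow_passwords attribute and its auditing stay consistent with the rest of the policy, and each rule should carry a comment naming the AVC it clears instead of only `# Fix issue #282`. The `optional_policy` wrapper appears to add no real conditionality, since init_t, shadow_t and systemd_logind_t look like base-policy types that are always present; whether logind actually needs net_admin, or whether the `init_t container_user_t:process siginh` rule alone stops the crash, is not visible from the hunk and is worth confirming against the denials recorded in issue #282.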