From 9e769d3e8ea5f6e2b9e8de1a99c020be9e670b0e Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 30 Mar 2021 15:03:26 -0400
Subject: [PATCH] Allow unconfined domains to talk to unlabled sockets

Signed-off-by: Daniel J Walsh
---
 container.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/container.te b/container.te
index b2c8407..1fda477 100644
--- a/container.te
+++ b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.159.0)
+policy_module(container, 2.160.0)
 gen_require(`
 class passwd rootok;
 ')
@@ -648,6 +648,7 @@ allow container_runtime_domain spc_t:process { setsched signal_perms };
 ps_process_pattern(container_runtime_domain, spc_t)
 allow container_runtime_domain spc_t:socket_class_set { relabelto relabelfrom };
 allow spc_t unlabeled_t:key manage_key_perms;
+allow spc_t unlabeled_t:socket_class_set create_socket_perms;
 init_dbus_chat(spc_t)
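Review bot: The added rule `allow spc_t unlabeled_t:socket_class_set create_socket_perms;` in the second hunk grants more than the subject line asks for: talking to an existing unlabeled socket needs the read/write permission set, while `create_socket_perms` also includes `create`, and `socket_class_set` applies the grant to every socket class. If the denials behind this change were only on inherited or pre-existing sockets, `allow spc_t unlabeled_t:socket_class_set rw_socket_perms;` would be the narrower grant; this is an inference, since the AVC records are not on the page. Either way the line deserves a comment such as `# spc_t must use sockets left unlabeled (reference the AVC or bug here)`, because rules on `unlabeled_t` are easy to mistake for leftovers in a later policy audit. The remaining spc_t rules lie outside this hunk, so whether spc_t is already made unconfined elsewhere cannot be checked from here.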