podman: allow managing init runtime units

Containers created via quadlet become runtime units. Podman auto-update can still restart these, but it needs the appropriate access. Signed-off-by: Kenton Groombridge <concord@gentoo.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
author: Kenton Groombridge <concord@gentoo.org> 2024-08-07 16:43:28 -0400
committer: Jason Zaman <perfinion@gentoo.org> 2024-09-21 15:28:29 -0700
commit: 7fda3e7d49d9b66f13d1fe937cb74aeeacc2ab10 (patch)
tree: 0704579cdc71fc1e14096a6b93a37262b40be915
parent: iptables: allow reading usr files (diff)
download: hardened-refpolicy-7fda3e7d49d9b66f13d1fe937cb74aeeacc2ab10.tar.gz
hardened-refpolicy-7fda3e7d49d9b66f13d1fe937cb74aeeacc2ab10.tar.bz2
hardened-refpolicy-7fda3e7d49d9b66f13d1fe937cb74aeeacc2ab10.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index 78f8fc086..54eeda28d 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -93,6 +93,12 @@ ifdef(`init_systemd',`
 	# podman auto-update will restart the unit for
 	# the container when it is updated
 	container_start_units(podman_t)
+
+	# podman auto-update can restart containers created
+	# via quadlet as well, which are runtime units
+	init_get_runtime_units_status(podman_t)
+	init_start_runtime_units(podman_t)
+	init_stop_runtime_units(podman_t)
 ')
 
 ########################################
author	Kenton Groombridge <concord@gentoo.org>	2024-08-07 16:43:28 -0400
committer	Jason Zaman <perfinion@gentoo.org>	2024-09-21 15:28:29 -0700
commit	7fda3e7d49d9b66f13d1fe937cb74aeeacc2ab10 (patch)
tree	0704579cdc71fc1e14096a6b93a37262b40be915
parent	iptables: allow reading usr files (diff)
download	hardened-refpolicy-7fda3e7d49d9b66f13d1fe937cb74aeeacc2ab10.tar.gz hardened-refpolicy-7fda3e7d49d9b66f13d1fe937cb74aeeacc2ab10.tar.bz2 hardened-refpolicy-7fda3e7d49d9b66f13d1fe937cb74aeeacc2ab10.zip