From 99971b5f507ad58711873ed2fd7c9cf4c1314e23 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 29 Mar 2023 18:41:54 -0500
Subject: [PATCH] SELinux: Allow Podman to mount /dev/log

These SELinux policy rules allow containers to log directly to syslog/the systemd journal via the `/dev/log` socket. To enable this, simply mount the socket into a container's mount namespace, e.g. `-v /dev/log:/dev/log`.
---
 .../sec-policy/selinux-aimee-os/files/aimee-os.te | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
index 23f47a5..abe887b 100644
--- a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
+++ b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
@@ -247,3 +247,13 @@ optional_policy(`
 files_relabel_non_security_dirs(podman_t)
 files_relabel_non_security_files(podman_t)
 ')
+
+# Allow podman to mount /dev/log in containers
+optional_policy(`
+ gen_require(`
+ type podman_t, container_t;
+ type devlog_t;
+ ')
+ allow podman_t devlog_t:sock_file mounton;
+ logging_send_syslog_msg(container_t)
+')
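Review bot: `logging_send_syslog_msg(container_t)` grants the syslog-send permissions to every process running in the container_t domain, not only to containers that actually have `/dev/log` bind-mounted, so the policy widening is system-wide even though the commit message presents the feature as opt-in per container; only the `mounton` rule on podman_t is gated by the `-v` flag. The block comment describes just the mount half, so I would reword it to `# Allow podman to bind-mount /dev/log into containers, and let all container_t processes send to syslog through it` so the next reader sees both grants. Containers launched in a domain other than container_t would still be denied, which is worth one line in the commit message naming the targeted domain. Whether this policy's version of the `logging_send_syslog_msg` interface also covers the journald-backed socket behind `/dev/log` cannot be confirmed from the hunk and should be checked before relying on the journal case the message advertises. The three context lines at the top belong to an `optional_policy` block that begins outside the hunk.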