From 8322747d4eed82f2b64ca2738ff5ea21c2823eb4 Mon Sep 17 00:00:00 2001 From: Cathy Hu Date: Tue, 23 Jun 2026 14:46:38 +0200 Subject: [PATCH] Allow spc_t execstack and execmem (bsc#1268490) This commit moved spc_t out of the container_domain: "Tighten controls on confined users" https://github.com/containers/container-selinux/commit/236104789358a0c54576d2b742d45735c7402506 The container_domain lists execmem and execstack explicitly: https://github.com/containers/container-selinux/blob/f786136f58c4e1b7568f30463a44b050d0d84325/container.te#L1127 Now it is in unconfined_domain: https://github.com/containers/container-selinux/blob/f786136f58c4e1b7568f30463a44b050d0d84325/container.te#L852C2-L852C27 execmem and execstack are allowed for unconfined_domain in fedora, but not openSUSE. Since containers (especially java application containers) need those pretty often, lets allow that explicitly for spc_t again. Signed-off-by: Cathy Hu --- container.te | 1 + 1 file changed, 1 insertion(+) diff --git a/container.te b/container.te index 51fe0c4..70c895f 100644 --- a/container.te +++ b/container.te @@ -805,6 +805,7 @@ tunable_policy(`container_connect_any',` # spc local policy # allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint; +allow spc_t self:process { execstack execmem }; role system_r types spc_t; dontaudit spc_t self:memprotect mmap_zero;
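Review bot: the added `allow spc_t self:process { execstack execmem };` is unconditional, while container.te already gates optional permissions behind booleans (a `tunable_policy(`container_connect_any',` block is visible in the hunk header context); since execmem and execstack remove the W^X protections for every process running as spc_t, consider wrapping the rule in a tunable so administrators can turn it off where Java-style workloads are not run, and add a comment above the rule referencing bsc#1268490 so the openSUSE-specific motivation (the commit message notes that unconfined_domain grants these permissions on Fedora but not on openSUSE) is recorded in the policy file itself rather than only in the commit history. On Fedora the rule duplicates what unconfined_domain already allows, which is harmless but worth stating in that comment.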