containers · zpytela · Dec 11, 2025
diff --git a/container.if b/container.if
@@ -416,6 +416,25 @@ interface(`container_read_pid_files',`
 	read_files_pattern($1, container_var_run_t, container_var_run_t)
 ')
 
+########################################
+## <summary>
+##	Write container PID fifo files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_write_pid_fifo_files',`
+	gen_require(`
+		type container_var_run_t;
+	')
+
+	files_search_pids($1)
+	write_fifo_files_pattern($1, container_var_run_t, container_var_run_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute container server in the container domain.

diff --git a/container.te b/container.te
@@ -321,7 +321,7 @@ manage_fifo_files_pattern(container_runtime_domain, container_var_run_t, contain
 manage_sock_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
 manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
 files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
-files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
+files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir fifo_file file lnk_file sock_file })
 allow container_runtime_domain container_var_run_t:dir_file_class_set relabelfrom;
 
 allow container_runtime_domain container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };