From e72ff1a01cf695f5e70e0e31e40bd227da2d282b Mon Sep 17 00:00:00 2001
From: Qiyu Yan
Date: Sun, 12 May 2024 12:29:23 +0100
Subject: [PATCH] Allow jellyfin to map/execute tmpfs_t
---
 cils/container_jellyfin.cil | 9 +++++++++
 server.yaml | 1 +
 2 files changed, 10 insertions(+)
 create mode 100644 cils/container_jellyfin.cil
diff --git a/cils/container_jellyfin.cil b/cils/container_jellyfin.cil
new file mode 100644
index 0000000..7fe8bb4
--- /dev/null
+++ b/cils/container_jellyfin.cil
@@ -0,0 +1,9 @@
+(block container_jellyfin
+ (blockinherit container)
+ (blockinherit net_container)
+
+ (allow process user_home_t ( dir ( watch getattr ioctl lock open read search )))
+ (allow process user_home_t ( file ( watch getattr ioctl lock open read )))
+
+ (allow process tmpfs_t (file (execute map)))
+)
diff --git a/server.yaml b/server.yaml
index 9ca19d4..1bda118 100644
--- a/server.yaml
+++ b/server.yaml
@@ -265,6 +265,7 @@ add-files:
 "/etc/cils/container_rwhome_allbind.cil",
 ],
 ["cils/container_wireguard.cil", "/etc/cils/container_wireguard.cil"],
+ ["cils/container_jellyfin.cil", "/etc/cils/container_jellyfin.cil"],
 ["etc/containers/containers.conf", "/etc/containers/containers.conf"],
 ["etc/containers/storage.conf", "/etc/containers/storage.conf"],
 [
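Review bot: `(allow process tmpfs_t (file (execute map)))` lets the container's process domain map tmpfs-backed files (memfd, /dev/shm) executable, which reopens a write-then-execute path that the inherited `container` block presumably closes, and the new file carries no comment saying why it is needed. Add a comment above the rule tying it to the component and the observed denial, e.g. `; jellyfin needs execute+map on tmpfs_t-backed files (memfd/shm); keep both permissions only while the AVC denial still shows them`. Confirm from that denial that `execute` is actually required and not just `map`, since `execute` is what makes a writable tmpfs file mappable as code. The `user_home_t` rules also grant read/search over every file and directory of that type rather than only the media library; if the library path can be given its own label (or relabelled at bind-mount time), narrow the rules to that type instead.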