Container: Minor fixes from interactive container use.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>

3 files changed, 29 insertions, 1 deletions

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 5b6b185a..e529b187 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1018,6 +1018,25 @@ interface(`fs_watch_cgroup_files',`
 
 ########################################
 ## <summary>
+##     Read cgroup symlnks.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_cgroup_symlinks',`
+	gen_require(`
+		type cgroup_t;
+	')
+
+	read_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
 ##     Create cgroup lnk_files.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 39c07aec..5024f302 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -100,6 +100,10 @@ neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~{ getattr mou
 genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
 
 optional_policy(`
+	container_mountpoint(proc_kcore_t)
+')
+
+optional_policy(`
 	init_mountpoint(proc_kcore_t)
 ')
 
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 0b798993..096d6c23 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -606,6 +606,9 @@ allow container_engine_domain self:icmp_socket create_socket_perms;
 allow container_engine_domain self:netlink_route_socket create_netlink_socket_perms;
 allow container_engine_domain self:packet_socket create_socket_perms;
 
+allow container_engine_domain container_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(container_engine_domain, container_devpts_t)
+
 allow container_engine_domain container_port_t:tcp_socket name_bind;
 
 dontaudit container_engine_domain container_domain:process { noatsecure rlimitinh siginh };
@@ -670,6 +673,7 @@ fs_mount_xattr_fs(container_engine_domain)
 fs_remount_xattr_fs(container_engine_domain)
 fs_unmount_xattr_fs(container_engine_domain)
 fs_relabelfrom_xattr_fs(container_engine_domain)
+fs_get_xattr_fs_quotas(container_engine_domain)
 
 fs_getattr_cgroup(container_engine_domain)
 fs_manage_cgroup_dirs(container_engine_domain)
@@ -678,6 +682,7 @@ fs_watch_cgroup_files(container_engine_domain)
 fs_mount_cgroup(container_engine_domain)
 fs_remount_cgroup(container_engine_domain)
 fs_mounton_cgroup(container_engine_domain)
+fs_read_cgroup_symlinks(container_engine_domain)
 
 fs_getattr_fusefs(container_engine_domain)
 fs_remount_fusefs(container_engine_domain)
@@ -692,6 +697,7 @@ kernel_read_network_state(container_engine_domain)
 kernel_read_system_state(container_engine_domain)
 kernel_rw_net_sysctls(container_engine_domain)
 kernel_dontaudit_search_kernel_sysctl(container_engine_domain)
+kernel_getattr_core_if(container_engine_domain)
 
 selinux_get_fs_mount(container_engine_domain)
 selinux_mount_fs(container_engine_domain)
@@ -700,7 +706,6 @@ selinux_unmount_fs(container_engine_domain)
 seutil_read_config(container_engine_domain)
 seutil_read_default_contexts(container_engine_domain)
 
-term_create_pty(container_engine_domain, container_devpts_t)
 term_mount_devpts(container_engine_domain)
 term_relabel_pty_fs(container_engine_domain)