author | Kenton Groombridge <concord@gentoo.org> | 2024-08-09 15:08:33 -0400 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2024-09-21 15:28:29 -0700 |
commit | cd58aee691e5b70af9fd0a22beb97e635ef981e1 (patch) | |
tree | b29ec9309df82c77079a0205646ffa94ddbc520e | |
parent | dbus: dontaudit session bus domains the netadmin capability (diff) | |
container, kubernetes: add supporting rules for kubevirt and multus
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r-- | policy/modules/services/container.if | 39 | ||||
-rw-r--r-- | policy/modules/services/container.te | 9 | ||||
-rw-r--r-- | policy/modules/services/kubernetes.te | 2 |
3 files changed, 50 insertions, 0 deletions
diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index ceb9de817..c9f4aa934 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -1210,6 +1210,25 @@ interface(`container_watch_config_dirs',`
 ########################################
 ## <summary>
 ## Allow the specified domain to
+## create container config directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_create_config_dirs',`
+	gen_require(`
+		type container_config_t;
+	')
+
+	create_dirs_pattern($1, container_config_t, container_config_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to
 ## create container config files.
 ## </summary>
 ## <param name="domain">
@@ -1611,6 +1630,26 @@ interface(`container_list_ro_dirs',`
 ## <summary>
 ## Allow the specified domain to get
 ## the attributes of all read-only
+## container file character devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_getattr_all_ro_chr_files',`
+	gen_require(`
+		type container_ro_file_t;
+	')
+
+	allow $1 container_ro_file_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to get
+## the attributes of all read-only
 ## container file objects.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 66b16e4e4..cc700c038 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -224,6 +224,9 @@ container_mountpoint(container_runtime_t)
 type container_tmpfs_t;
 files_tmpfs_file(container_tmpfs_t)
+type container_tmp_t;
+files_tmp_file(container_tmp_t)
+
 type container_log_t;
 logging_log_file(container_log_t)
 optional_policy(`
@@ -1093,6 +1096,7 @@ container_manage_config_files(spc_t)
 container_list_plugin_dirs(spc_t)
 container_manage_plugin_files(spc_t)
+container_create_config_dirs(spc_t)
 container_create_config_files(spc_t)
 container_rw_config_files(spc_t)
@@ -1104,6 +1108,11 @@ container_manage_var_lib_dirs(spc_t)
 container_manage_var_lib_files(spc_t)
 container_map_var_lib_files(spc_t)
+manage_dirs_pattern(spc_t, container_tmp_t, container_tmp_t)
+manage_files_pattern(spc_t, container_tmp_t, container_tmp_t)
+files_tmp_filetrans(spc_t, container_tmp_t, { dir file })
+
+files_runtime_filetrans(spc_t, container_runtime_t, dir)
 # for cilium
 allow spc_t container_config_t:dir watch;
 allow spc_t container_runtime_t:lnk_file manage_lnk_file_perms;
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 95d5f9f42..787cdae30 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -82,6 +82,7 @@ corenet_tcp_connect_all_ports(kubernetes_container_engine_domain)
 dev_create_generic_blk_files(kubernetes_container_engine_domain)
 files_getattr_kernel_modules(kubernetes_container_engine_domain)
+files_mounton_runtime_dirs(kubernetes_container_engine_domain)
 # for replicated storage that may be mounted in /mnt
 files_search_mnt(kubernetes_container_engine_domain)
@@ -411,6 +412,7 @@ fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir file lnk_file })
 # for metrics and accounting
 container_getattr_all_files(kubelet_t)
 container_getattr_all_ro_files(kubelet_t)
+container_getattr_all_ro_chr_files(kubelet_t)
 container_getattr_all_var_lib_files(kubelet_t)
 ifdef(`init_systemd',`
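Review bot: The new `files_runtime_filetrans(spc_t, container_runtime_t, dir)` in the -1104 hunk of container.te is an unnamed transition, so every directory spc_t creates directly under the runtime directory now defaults to container_runtime_t, not only the one kubevirt or multus needs; if that directory has a fixed name, passing it as the fourth argument of files_runtime_filetrans keeps the transition from covering unrelated directories, and the same applies to the new `files_tmp_filetrans(spc_t, container_tmp_t, { dir file })`. The line is also placed directly above the existing `# for cilium` comment with no separating blank line (the trailing context is exactly the comment and the two allow rules), so that comment now reads as if it covers the filetrans too; a blank line, or a comment of its own such as `# for kubevirt/multus runtime directories`, would make the intent clear. The spc_t rules continue outside the hunk.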
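Review bot: `files_mounton_runtime_dirs(kubernetes_container_engine_domain)` in the -82 hunk of kubernetes.te carries no comment saying which component needs it, although the neighbouring rules in this block document their purpose (`# for replicated storage that may be mounted in /mnt`), and the commit message only says kubevirt and multus collectively. Since the interface name indicates it grants mounton on generic runtime directories for every domain in the container-engine attribute rather than on a container-specific type, a one-line comment naming the consumer, e.g. `# for kubevirt/multus mounting on runtime dirs` (adjust to whichever of the two actually needs it), would let a later reader judge whether the grant can be narrowed. The rules for kubernetes_container_engine_domain continue outside the hunk.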