Diffstat (limited to 'policy/modules/services')
-rw-r--r--policy/modules/services/container.te3
-rw-r--r--policy/modules/services/kubernetes.if19
-rw-r--r--policy/modules/services/kubernetes.te1
3 files changed, 23 insertions, 0 deletions
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index e91cd18f..e9f59e51 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -1071,6 +1071,9 @@ dev_dontaudit_relabelto_generic_blk_files(spc_t)
dev_getattr_kvm_dev(spc_t)
dev_getattr_vhost_dev(spc_t)
dev_watch_dev_dirs(spc_t)
+# for DV upload in kubevirt over rook-ceph
+dev_unmount_fs(spc_t)
+dev_remount_fs(spc_t)
fs_read_nsfs_files(spc_t)
fs_mount_xattr_fs(spc_t)
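Review bot: The comment above the two added calls names the use case but not the scope of the grant: `dev_unmount_fs(spc_t)` and `dev_remount_fs(spc_t)` act on the device filesystem itself, which is wider than permitting a mount of a volume beneath it, so a reader cannot tell from the comment whether both are really needed. Presumably the rook-ceph DV upload path remounts or tears down a mount under /dev; if so, a short note saying which operation triggers the denial would let later maintainers drop whichever call is not needed. Suggest expanding the comment to `# for DV upload in kubevirt over rook-ceph (needs remount and unmount of the device fs, not just a mount beneath it)` if that matches the observed denials.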
diff --git a/policy/modules/services/kubernetes.if b/policy/modules/services/kubernetes.if
index de14a7b6..2af5b64b 100644
--- a/policy/modules/services/kubernetes.if
+++ b/policy/modules/services/kubernetes.if
@@ -379,6 +379,25 @@ interface(`kubernetes_run_engine_bpf',`
########################################
## <summary>
+## Read and write FIFO files from
+## kubernetes container engines.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kubernetes_rw_container_engine_fifo_files',`
+ gen_require(`
+ attribute kubernetes_container_engine_domain;
+ ')
+
+ allow $1 kubernetes_container_engine_domain:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
## Search kubernetes config directories.
## </summary>
## <param name="domain">
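Review bot: The summary of the new interface says which files are granted but not whose: `rw_fifo_file_perms` is allowed against every type carrying the `kubernetes_container_engine_domain` attribute, so a single call grants a domain read/write on the FIFOs of all kubernetes container engines at once rather than one engine. Suggest the summary read `## Read and write FIFO files of all kubernetes container engine domains.` so callers see the breadth of the grant. No caller of `kubernetes_rw_container_engine_fifo_files` appears in this diff (the diffstat is limited to policy/modules/services), so the consuming domain is presumably defined elsewhere; the following `Search kubernetes config directories` interface continues past the end of the hunk.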
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 787cdae3..38b3a545 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -258,6 +258,7 @@ corecmd_exec_bin(kubelet_t)
corecmd_watch_bin_dirs(kubelet_t)
dev_getattr_mtrr_dev(kubelet_t)
+dev_getattr_generic_blk_files(kubelet_t)
dev_read_kmsg(kubelet_t)
dev_read_sysfs(kubelet_t)