author | Kenton Groombridge <concord@gentoo.org> | 2024-08-09 15:21:18 -0400 |
committer | Jason Zaman <perfinion@gentoo.org> | 2024-09-21 15:28:29 -0700 |
commit | e4de0cbe3903bc46af112502d405815875b55750 (patch) | |
tree | c29e939f7e2c319082d7bb5fc60d480caa7ed115 | |
parent | container, kubernetes: add supporting rules for kubevirt and multus (diff) | |
container: allow spc various rules for kubevirt
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r-- | policy/modules/kernel/devices.if | 18 | ||||
-rw-r--r-- | policy/modules/services/container.te | 13 |
2 files changed, 29 insertions, 2 deletions
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 6bea5ccf9..085bd30f0 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -5467,6 +5467,24 @@ interface(`dev_relabelfrom_vfio_dev',`
 
 ############################
 ## <summary>
+## Get the attributes of the vhost devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_vhost_dev',`
+	gen_require(`
+		type device_t, vhost_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, vhost_device_t)
+')
+
+############################
+## <summary>
 ## Allow read/write the vhost devices
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index cc700c038..2353092e4 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -978,7 +978,7 @@ allow spc_t self:process { getcap setrlimit };
 # Normally triggered when rook-ceph executes lvm tools which creates noise.
 # This can be allowed if actually needed.
 dontaudit spc_t self:process setfscreate;
-allow spc_t self:capability { audit_write chown dac_read_search fowner fsetid ipc_lock mknod net_admin net_raw setpcap sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource };
+allow spc_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setuid setpcap sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource };
 allow spc_t self:capability2 { bpf perfmon };
 allow spc_t self:bpf { map_create map_read map_write prog_load prog_run };
 allow spc_t self:key manage_key_perms;
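Review bot: The rewritten capability line grants spc_t four additional capabilities (dac_override, kill, setgid, setuid) with no note of which component needs them, while every other rule this commit adds to container.te is tagged `# for multus and kubevirt`, and the commit message only says "various rules for kubevirt". Each of these is broad on its own — dac_override bypasses discretionary file permission checks outright, setuid/setgid permit credential changes, and kill permits signalling processes of other users — so an attribution comment above the rule, e.g. `# dac_override, kill, setgid, setuid: for multus and kubevirt`, would let a later reviewer tell which of them can be dropped when the workload changes. The existing comment two lines up ("Normally triggered when rook-ceph ... This can be allowed if actually needed") is a good model for the level of detail to record.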
@@ -1004,14 +1004,19 @@ allow spc_t container_engine_tmpfs_t:chr_file rw_chr_file_perms;
 allow spc_t container_engine_tmpfs_t:lnk_file read_lnk_file_perms;
 # for rook-ceph
 allow spc_t container_engine_tmpfs_t:blk_file rw_blk_file_perms;
+# for multus and kubevirt
+allow spc_t container_engine_tmpfs_t:chr_file { relabelfrom setattr };
 
 # for kubernetes storage class providers
 allow spc_t container_file_t:{ dir file } mounton;
 allow spc_t container_file_t:dir_file_class_set relabel_blk_file_perms;
 # for rook-ceph
 allow spc_t container_file_t:blk_file manage_blk_file_perms;
+# for multus and kubevirt
+allow spc_t container_file_t:chr_file setattr;
+allow spc_t container_file_t:filesystem unmount;
 
-allow spc_t container_runtime_t:dir { manage_dir_perms mounton };
+allow spc_t container_runtime_t:dir { manage_dir_perms mounton watch };
 allow spc_t container_runtime_t:file manage_file_perms;
 allow spc_t container_runtime_t:sock_file manage_sock_file_perms;
 
@@ -1034,6 +1039,10 @@ dev_filetrans(spc_t, container_device_t, blk_file)
 dev_dontaudit_getattr_all_chr_files(spc_t)
 dev_dontaudit_setattr_generic_symlinks(spc_t)
 dev_dontaudit_relabelto_generic_blk_files(spc_t)
+# for multus and kubevirt
+dev_getattr_kvm_dev(spc_t)
+dev_getattr_vhost_dev(spc_t)
+dev_watch_dev_dirs(spc_t)
 
 fs_read_nsfs_files(spc_t)
 fs_mount_xattr_fs(spc_t)
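Review bot: The new `allow spc_t container_engine_tmpfs_t:chr_file { relabelfrom setattr };` only covers the source side of a relabel; a relabel also needs `relabelto` on the destination type's chr_file, and nothing in this hunk grants one, while the next hunk shows relabelto denials on generic device nodes being dontaudited rather than allowed (for blk files). If the destination for multus/kubevirt is a type such as container_device_t, it is worth confirming that spc_t already has chr_file relabelto on it in the part of container.te outside this hunk, otherwise the relabel will still be denied and the denial may be silent. A one-line comment naming the destination type next to the relabelfrom rule, e.g. `# relabelfrom pairs with the chr_file relabelto on <destination type> below`, would make the pairing auditable.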