container_device.te

# Copyright 2022 Intel Corporation. All Rights Reserved.

# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

policy_module(container_device, 1.0)

gen_require(`
        type container_file_t;
        type device_t;
        type kubernetes_file_t;
        type device_node;
')

# Standard container which needs to be allowed to use any device
container_domain_template(container_device)
allow container_device_t device_node:chr_file rw_chr_file_perms;

# Standard container which needs to be allowed to use any device and
# communicate with kublet
container_domain_template(container_device_plugin)
allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
allow container_device_plugin_t container_runtime_t:unix_stream_socket connectto;

# Standard container which needs to be allowed to use any device and
# modify kublet configuration
container_domain_template(container_device_plugin_init)
manage_dirs_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
manage_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
manage_lnk_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)