kubernetes: allow container engines to mount on DRI devices if enabled

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
SELinuxProject · Dec 19, 2023 · 7f8059e · 7f8059e
1 parent 759de96
commit 7f8059e
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
@@ -2065,6 +2065,24 @@ interface(`dev_manage_dri_dev',`
 	allow $1 dri_device_t:chr_file map;
 ')
 
+########################################
+## <summary>
+##	Mount on the dri devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_mounton_dri_dev',`
+	gen_require(`
+		type dri_device_t;
+	')
+
+	allow $1 dri_device_t:chr_file mounton;
+')
+
 ########################################
 ## <summary>
 ##	Automatic type transition to the type

diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
@@ -147,6 +147,10 @@ tunable_policy(`container_read_public_content',`
 	miscfiles_mounton_all_public_files(kubernetes_container_engine_domain)
 ')
 
+tunable_policy(`container_use_dri',`
+	dev_mounton_dri_dev(kubernetes_container_engine_domain)
+')
+
 tunable_policy(`container_use_nfs',`
 	fs_getattr_nfs(kubernetes_container_engine_domain)
 	fs_remount_nfs(kubernetes_container_engine_domain)