container: Allow container engines to connect to http cache ports.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>

policy/modules/kernel/files.if

@@ -5040,6 +5040,25 @@ interface(`files_purge_tmp',`
 	delete_sock_files_pattern($1, tmpfile, tmpfile)
 ')
 
+########################################
+## <summary>
+##	Get the attributes of all tmpfs files.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_all_tmpfs_files',`
+	gen_require(`
+		attribute tmpfsfile;
+	')
+
+	getattr_files_pattern($1, tmpfsfile, tmpfsfile)
+	fs_search_tmpfs($1)
+')
+
 ########################################
 ## <summary>
 ##	Set the attributes of the /usr directory.

policy/modules/services/container.te

@@ -415,6 +415,7 @@ corecmd_dontaudit_exec_all_executables(container_engine_domain)
 
 corenet_tcp_bind_generic_node(container_engine_domain)
 corenet_tcp_connect_http_port(container_engine_domain)
+corenet_tcp_connect_http_cache_port(container_engine_domain)
 corenet_tcp_bind_all_ports(container_engine_domain)
 corenet_udp_bind_all_ports(container_engine_domain)
 corenet_rw_tun_tap_dev(container_engine_domain)

policy/modules/system/systemd.te

@@ -818,6 +818,9 @@ dev_setattr_video_dev(systemd_logind_t)
 domain_obj_id_change_exemption(systemd_logind_t)
 
 files_search_runtime(systemd_logind_t)
+# Getattr all shm segments as part of cleaning up the
+# segments of deleted ephemeral users.
+files_getattr_all_tmpfs_files(systemd_logind_t)
 
 fs_getattr_cgroup(systemd_logind_t)
 fs_getattr_tmpfs(systemd_logind_t)