From db2ec494449768d7b1ccfe354f63961acad521da Mon Sep 17 00:00:00 2001
From: Kenton Groombridge <me@concord.sh>
Date: Fri, 11 Mar 2022 00:07:56 -0500
Subject: [PATCH] container, podman: allow podman to create and write config
 files

Podman 4.0 now creates the CNI network config files if they do not
exist.

Signed-off-by: Kenton Groombridge <me@concord.sh>
---
 policy/modules/services/container.if | 38 ++++++++++++++++++++++++++++
 policy/modules/services/podman.te    |  4 +++
 2 files changed, 42 insertions(+)

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index e9217f639..bf5ecfb5d 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -738,6 +738,44 @@ interface(`container_mountpoint',`
 	typeattribute $1 container_mountpoint_type;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to
+##	create container config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_create_config_files',`
+	gen_require(`
+		type container_config_t;
+	')
+
+	create_files_pattern($1, container_config_t, container_config_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to
+##	write container config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_write_config_files',`
+	gen_require(`
+		type container_config_t;
+	')
+
+	write_files_pattern($1, container_config_t, container_config_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to
diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index dfb8e5da1..5df45d32d 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -39,6 +39,10 @@ allow podman_t podman_conmon_t:unix_stream_socket { connectto rw_stream_socket_p
 
 container_engine_executable_entrypoint(podman_t)
 
+# podman 4.0.0 now creates OCI networking configs
+container_create_config_files(podman_t)
+container_write_config_files(podman_t)
+
 domtrans_pattern(podman_t, podman_conmon_exec_t, podman_conmon_t)
 
 logging_send_syslog_msg(podman_t)