crio, kubernetes: allow k8s admins to run CRI-O

Signed-off-by: Kenton Groombridge <me@concord.sh>

policy/modules/services/crio.if

@@ -1 +1,80 @@
 ## <summary>policy for cri-o</summary>
+
+#######################################
+## <summary>
+##	Execute CRI-O in the crio domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`crio_domtrans',`
+	gen_require(`
+		type crio_t, crio_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, crio_exec_t, crio_t)
+')
+
+########################################
+## <summary>
+##	Execute CRI-O in the crio domain,
+##	and allow the specified role the
+##	kubelet domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the crio domain.
+##	</summary>
+## </param>
+#
+interface(`crio_run',`
+	gen_require(`
+		type crio_t;
+	')
+
+	role $2 types crio_t;
+
+	crio_domtrans($1)
+')
+
+#######################################
+## <summary>
+##  All of the rules required to administrate
+##  a CRI-O environment.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  Role allowed access.
+##  </summary>
+## </param>
+## <rolecap/>
+#
+interface(`crio_admin',`
+	gen_require(`
+		type crio_t;
+		type crio_conmon_t;
+	')
+
+	allow $1 crio_t:process { ptrace signal_perms };
+	ps_process_pattern($1, crio_t)
+
+	allow $1 crio_conmon_t:process { ptrace signal_perms };
+	ps_process_pattern($1, crio_conmon_t)
+
+	# no private type for crictl, so connect directly
+	container_stream_connect_system_engine($1)
+')

policy/modules/services/kubernetes.if

@@ -382,4 +382,8 @@ interface(`kubernetes_admin',`
 
 	logging_search_logs($1)
 	admin_pattern($1, kubernetes_log_t)
+
+	optional_policy(`
+		crio_admin($1, $2)
+	')
 ')