container, kubernetes: add private type for generic container devices

/dev/termination-log is one such generic file created in containers'
/dev filesystems. Add a private type for objects created in /dev for
containers instead of using the generic device type.

Signed-off-by: Kenton Groombridge <me@concord.sh>

policy/modules/services/container.if

@@ -856,6 +856,89 @@ interface(`container_signal_all_containers',`
 	allow $1 container_domain:process signal_perms;
 ')
 
+########################################
+## <summary>
+##	Create objects in /dev with an automatic
+##	transition to the container device type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`container_dev_filetrans',`
+	gen_require(`
+		type container_device_t;
+	')
+
+	dev_filetrans($1, container_device_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Read and write container device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_rw_device_files',`
+	gen_require(`
+		type container_device_t;
+	')
+
+	allow $1 container_device_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage container device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_manage_device_files',`
+	gen_require(`
+		type container_device_t;
+	')
+
+	allow $1 container_device_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Mount on all container devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_mounton_all_devices',`
+	gen_require(`
+		type container_device_t;
+	')
+
+	allow $1 container_device_t:dir_file_class_set mounton;
+')
+
 ########################################
 ## <summary>
 ##	Set the attributes of container ptys.

policy/modules/services/container.te

@@ -158,6 +158,10 @@ optional_policy(`
 	kubernetes_mountpoint(container_log_t)
 ')
 
+# generic devices created in container /dev filesystems
+type container_device_t;
+dev_node(container_device_t)
+
 type container_devpts_t;
 term_pty(container_devpts_t)
 
@@ -289,6 +293,7 @@ miscfiles_read_fonts(container_domain)
 
 mta_dontaudit_read_spool_symlinks(container_domain)
 
+container_rw_device_files(container_domain)
 container_use_container_ptys(container_domain)
 
 tunable_policy(`container_manage_cgroup',`

policy/modules/services/kubernetes.te

@@ -91,6 +91,11 @@ kernel_relabelfrom_unlabeled_dirs(kubernetes_container_engine_domain)
 
 iptables_getattr_runtime_files(kubernetes_container_engine_domain)
 
+# for /dev/termination-log and maybe other device types
+container_dev_filetrans(kubernetes_container_engine_domain, file)
+container_manage_device_files(kubernetes_container_engine_domain)
+container_mounton_all_devices(kubernetes_container_engine_domain)
+
 container_use_container_ptys(kubernetes_container_engine_domain)
 
 container_exec_plugins(kubernetes_container_engine_domain)