container: add tunable to allow spc to use tun-tap devices

Signed-off-by: Kenton Groombridge <me@concord.sh>

policy/modules/services/container.te

@@ -37,6 +37,13 @@ gen_tunable(container_read_public_content, false)
 ## </desc>
 gen_tunable(container_spc_create_nfs_servers, false)
 
+## <desc>
+##	<p>
+##	Allow super privileged containers to use tun-tap devices.
+##	</p>
+## </desc>
+gen_tunable(container_spc_use_tun_tap_dev, false)
+
 ## <desc>
 ##	<p>
 ##	Allow containers to use direct rendering devices.
@@ -918,6 +925,10 @@ ifdef(`init_systemd',`
 	init_run_bpf(spc_t)
 ')
 
+tunable_policy(`container_spc_use_tun_tap_dev',`
+	corenet_rw_tun_tap_dev(spc_t)
+')
+
 optional_policy(`
 	tunable_policy(`container_spc_create_nfs_servers',`
 		fs_mount_nfsd_fs(spc_t)