crio: allow reading container home content

CRI-O will read container registry configuration data from the running
user's home (root) and will abort if unable to do so.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>

policy/modules/services/container.if

@@ -1591,6 +1591,26 @@ interface(`container_getattr_all_ro_files',`
 	allow $1 container_ro_file_t:dir_file_class_set getattr;
 ')
 
+########################################
+## <summary>
+##	Read container config home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_read_home_config',`
+	gen_require(`
+		type container_conf_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	xdg_search_config_dirs($1)
+	read_files_pattern($1, container_conf_home_t, container_conf_home_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to

policy/modules/services/crio.te

@@ -45,8 +45,8 @@ iptables_mounton_runtime_files(crio_t)
 
 miscfiles_mounton_generic_cert_dirs(crio_t)
 
-# tries to search for /root/.config/containers/registries.conf
-xdg_dontaudit_search_config_dirs(crio_t)
+# reads registries in the running user's home
+container_read_home_config(crio_t)
 
 container_watch_config_dirs(crio_t)