Container: Minor fixes from interactive container use.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>

policy/modules/kernel/filesystem.if

@@ -1016,6 +1016,25 @@ interface(`fs_watch_cgroup_files',`
 	allow $1 cgroup_types:file watch;
 ')
 
+########################################
+## <summary>
+##     Read cgroup symlnks.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_cgroup_symlinks',`
+	gen_require(`
+		type cgroup_t;
+	')
+
+	read_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	dev_search_sysfs($1)
+')
+
 ########################################
 ## <summary>
 ##     Create cgroup lnk_files.

policy/modules/kernel/kernel.te

@@ -99,6 +99,10 @@ type proc_kcore_t, proc_type;
 neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~{ getattr mounton };
 genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
 
+optional_policy(`
+	container_mountpoint(proc_kcore_t)
+')
+
 optional_policy(`
 	init_mountpoint(proc_kcore_t)
 ')

policy/modules/services/container.te

@@ -606,6 +606,9 @@ allow container_engine_domain self:icmp_socket create_socket_perms;
 allow container_engine_domain self:netlink_route_socket create_netlink_socket_perms;
 allow container_engine_domain self:packet_socket create_socket_perms;
 
+allow container_engine_domain container_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(container_engine_domain, container_devpts_t)
+
 allow container_engine_domain container_port_t:tcp_socket name_bind;
 
 dontaudit container_engine_domain container_domain:process { noatsecure rlimitinh siginh };
@@ -670,6 +673,7 @@ fs_mount_xattr_fs(container_engine_domain)
 fs_remount_xattr_fs(container_engine_domain)
 fs_unmount_xattr_fs(container_engine_domain)
 fs_relabelfrom_xattr_fs(container_engine_domain)
+fs_get_xattr_fs_quotas(container_engine_domain)
 
 fs_getattr_cgroup(container_engine_domain)
 fs_manage_cgroup_dirs(container_engine_domain)
@@ -678,6 +682,7 @@ fs_watch_cgroup_files(container_engine_domain)
 fs_mount_cgroup(container_engine_domain)
 fs_remount_cgroup(container_engine_domain)
 fs_mounton_cgroup(container_engine_domain)
+fs_read_cgroup_symlinks(container_engine_domain)
 
 fs_getattr_fusefs(container_engine_domain)
 fs_remount_fusefs(container_engine_domain)
@@ -692,6 +697,7 @@ kernel_read_network_state(container_engine_domain)
 kernel_read_system_state(container_engine_domain)
 kernel_rw_net_sysctls(container_engine_domain)
 kernel_dontaudit_search_kernel_sysctl(container_engine_domain)
+kernel_getattr_core_if(container_engine_domain)
 
 selinux_get_fs_mount(container_engine_domain)
 selinux_mount_fs(container_engine_domain)
@@ -700,7 +706,6 @@ selinux_unmount_fs(container_engine_domain)
 seutil_read_config(container_engine_domain)
 seutil_read_default_contexts(container_engine_domain)
 
-term_create_pty(container_engine_domain, container_devpts_t)
 term_mount_devpts(container_engine_domain)
 term_relabel_pty_fs(container_engine_domain)