kubernetes: allow container engines to mount on DRI devices if enabled

Signed-off-by: Kenton Groombridge <concord@gentoo.org>

2 files changed, 22 insertions, 0 deletions

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index a2d55ded..d1536573 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2067,6 +2067,24 @@ interface(`dev_manage_dri_dev',`
 
 ########################################
 ## <summary>
+##	Mount on the dri devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_mounton_dri_dev',`
+	gen_require(`
+		type dri_device_t;
+	')
+
+	allow $1 dri_device_t:chr_file mounton;
+')
+
+########################################
+## <summary>
 ##	Automatic type transition to the type
 ##	for DRI device nodes when created in /dev.
 ## </summary>
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 8a13be60..a10ec550 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -147,6 +147,10 @@ tunable_policy(`container_read_public_content',`
 	miscfiles_mounton_all_public_files(kubernetes_container_engine_domain)
 ')
 
+tunable_policy(`container_use_dri',`
+	dev_mounton_dri_dev(kubernetes_container_engine_domain)
+')
+
 tunable_policy(`container_use_nfs',`
 	fs_getattr_nfs(kubernetes_container_engine_domain)
 	fs_remount_nfs(kubernetes_container_engine_domain)