container: add tunable for reading generic certs

There are cases where one may want to mount certs on the host into a container. Add a tunable to allow containers to read them. Signed-off-by: Kenton Groombridge <[email protected]>
SELinuxProject · Aug 9, 2024 · 7c6e094 · 7c6e094
1 parent 9f37f86
commit 7c6e094
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
@@ -30,6 +30,13 @@ gen_tunable(container_manage_public_content, false)
 ## </desc>
 gen_tunable(container_read_public_content, false)
 
+## <desc>
+##	<p>
+##	Allow containers to read generic certs.
+##	</p>
+## </desc>
+gen_tunable(container_read_generic_certs, false)
+
 ## <desc>
 ##	<p>
 ##	Allow super privileged containers to create NFS servers.
@@ -405,6 +412,10 @@ tunable_policy(`container_read_public_content',`
 	miscfiles_watch_public_dirs(container_domain)
 ')
 
+tunable_policy(`container_read_generic_certs',`
+	miscfiles_read_generic_certs(container_domain)
+')
+
 tunable_policy(`container_use_dri',`
 	dev_rw_dri(container_domain)
 ')