authorKenton Groombridge <concord@gentoo.org>2024-02-09 14:41:35 -0500
committerKenton Groombridge <concord@gentoo.org>2024-03-01 12:04:54 -0500
commit6ef7540764df36327ddcdf00eb8c99b30f10113b (patch)
tree014a633db3387db7dab79ba179b3a22775136c93
parentsystemd: allow systemd generator to list exports (diff)
downloadhardened-refpolicy-6ef7540764df36327ddcdf00eb8c99b30f10113b.tar.gz
hardened-refpolicy-6ef7540764df36327ddcdf00eb8c99b30f10113b.tar.bz2
hardened-refpolicy-6ef7540764df36327ddcdf00eb8c99b30f10113b.zip
crio: allow reading container home content
CRI-O will read container registry configuration data from the running user's home (root) and will abort if unable to do so. Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r--policy/modules/services/container.if20
-rw-r--r--policy/modules/services/crio.te4
2 files changed, 22 insertions, 2 deletions
diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 18b27f19b..268ebec46 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -1593,6 +1593,26 @@ interface(`container_getattr_all_ro_files',`
########################################
## <summary>
+## Read container config home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_read_home_config',`
+ gen_require(`
+ type container_conf_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ xdg_search_config_dirs($1)
+ read_files_pattern($1, container_conf_home_t, container_conf_home_t)
+')
+
+########################################
+## <summary>
## Allow the specified domain to
## manage container config home content.
## </summary>
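Review bot: The new `container_read_home_config` interface grants read on `container_conf_home_t` files only, not on symlinks of that type, so a registries config reached through a symlink (as dotfile-managed home directories commonly do) would still be denied and, per the description, make CRI-O abort. Consider adding `read_lnk_files_pattern($1, container_conf_home_t, container_conf_home_t)` after the `read_files_pattern` line, which appears to be how the sibling manage interface below is built, though its body is outside the hunk. Note also that the interface, via `userdom_search_user_home_dirs`, reaches `container_conf_home_t` content under any user's home rather than only root's as the description motivates; that is presumably fine for a refpolicy type, but the summary could say so, e.g. `## Read container config home content in any user home.`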
diff --git a/policy/modules/services/crio.te b/policy/modules/services/crio.te
index 8ac9e9fdb..3dd616f7a 100644
--- a/policy/modules/services/crio.te
+++ b/policy/modules/services/crio.te
@@ -45,8 +45,8 @@ iptables_mounton_runtime_files(crio_t)
miscfiles_mounton_generic_cert_dirs(crio_t)
-# tries to search for /root/.config/containers/registries.conf
-xdg_dontaudit_search_config_dirs(crio_t)
+# reads registries in the running user's home
+container_read_home_config(crio_t)
container_watch_config_dirs(crio_t)