From e1092cd2cb0891de02a70447e6e68adbf6e15c8c Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 5 May 2021 10:48:55 -0400
Subject: [PATCH] Add label for kublet to run as a container_runtime_t

Signed-off-by: Daniel J Walsh
---
 container.fc | 3 +++
 container.te | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/container.fc b/container.fc
index c0e008d..d918a68 100644
--- a/container.fc
+++ b/container.fc
@@ -5,6 +5,8 @@
 /usr/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/kubelet.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
@@ -85,6 +87,7 @@
 /var/lib/origin(/.*)? gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/kublet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
 /var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
diff --git a/container.te b/container.te
index aa792d4..01bbb15 100644
--- a/container.te
+++ b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.161.0)
+policy_module(container, 2.161.1)
 gen_require(`
 class passwd rootok;
 ')
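Review bot: The two added entries `/usr/s?bin/kubelet.*` and `/usr/s?bin/hyperkube.*` give the kubelet the container_runtime_exec_t entrypoint label, so it will run in container_runtime_t, the same broad domain as docker and containerd; this is the commit's intent, but it means a kubelet compromise inherits that domain's full privilege set rather than a narrower kubelet-specific one, and nothing in the file records why a non-engine binary gets it. The trailing `.*` also matches any sibling binary whose name merely starts with `kubelet` or `hyperkube`, so a helper installed next to the daemon would transition into the runtime domain as well; if only the daemon itself is meant, `/usr/s?bin/kubelet -- gen_context(system_u:object_r:container_runtime_exec_t,s0)` without the wildcard is tighter, though the adjacent docker/containerd entries use the same wildcard and this may be a deliberate consistency choice. A one-line comment above the two entries, `# kubelet/hyperkube are given the container runtime domain so they can manage containers like docker/containerd`, would make the decision reviewable later.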
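Review bot: The new entry `/var/lib/kublet(/.*)?` in the second container.fc hunk is spelled differently from the binaries added in the first hunk (`kubelet`, `hyperkube`); the kubelet's state directory is conventionally `/var/lib/kubelet`, so as written this pattern most likely never matches the directory it is meant to label and that tree keeps whatever label the generic /var/lib rules give it. Suggest `/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)`; the commit subject carries the same spelling and should be corrected with it. The neighbouring `/var/lib/kubernetes/pods(/.*)?` entry uses container_file_t while this one uses container_var_lib_t, so if pod volumes live under the kubelet directory a more specific pods entry may be needed for container_t to reach them — worth confirming against the deployments this targets. The hunk header announces 6 old / 7 new lines but only 5 / 6 are visible here, so a context line may have been lost in rendering and the patch should be checked to apply cleanly.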