From b9093fd208798504efda4e940be11086ed31ea86 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Thu, 27 Feb 2020 10:31:20 +0100
Subject: [PATCH] Allow containers to access /dev/kvm

---
 VerityBook.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/VerityBook.te b/VerityBook.te
index 92c8cbb..d10a1b0 100644
--- a/VerityBook.te
+++ b/VerityBook.te
@@ -34,6 +34,8 @@ require {
 type user_home_dir_t;
 type chkpwd_t;
 type xdm_var_lib_t;
+ type container_t;
+ type kvm_device_t;
 class sock_file { create write };
 class file { create getattr map open read relabelfrom relabelto rename setattr unlink write };
 class process { dyntransition setcurrent };
@@ -43,8 +45,13 @@ require {
 class dbus send_msg;
 class sock_file { read write };
 class lnk_file { getattr read };
+ class chr_file { getattr ioctl open read write };
 }
+#============= container_t ==============
+allow container_t kvm_device_t:chr_file getattr;
+allow container_t kvm_device_t:chr_file { ioctl open read write };
+
 #============= NetworkManager_t ==============
 allow NetworkManager_t iscsi_unit_file_t:service { reload status };
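Review bot: The two `allow container_t kvm_device_t:chr_file` rules in the second hunk grant every process in the generic `container_t` domain open/read/write/ioctl on /dev/kvm unconditionally, not just the container that actually needs a hypervisor, and `ioctl` without an `allowxperm` filter permits the full KVM ioctl surface. If only specific workloads need it, scope the grant to a dedicated domain or gate it on a module boolean so it can be switched off on hosts that do not run VMs in containers, e.g. `bool container_use_kvm false;` followed by `if (container_use_kvm) { allow container_t kvm_device_t:chr_file { getattr ioctl open read write }; }` (whether this module is built with refpolicy macros, which would allow `dev_rw_kvm(container_t)` instead, is not visible here). Either way the two rules can be a single `allow container_t kvm_device_t:chr_file { getattr ioctl open read write };`, matching the permission set already declared in the new `class chr_file` line of the require block. A comment above the rule stating which container workload requires /dev/kvm would help the next reviewer judge whether the broad `container_t` target is still justified.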