From 6574975a82c4cc8f3349991a9f9dcb82684c60d0 Mon Sep 17 00:00:00 2001
From: Ryan Cook
Date: Wed, 6 Oct 2021 09:02:36 -0400
Subject: [PATCH 1/2] fix of tmpfs selinux permissions

---
 selinux/microshift.fc |  1 -
 selinux/microshift.te | 19 +++++++------------
 2 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/selinux/microshift.fc b/selinux/microshift.fc
index c888fada79..47a66a5c6c 100644
--- a/selinux/microshift.fc
+++ b/selinux/microshift.fc
@@ -2,5 +2,4 @@
 /var/run/secrets/kubernetes.io/serviceaccount(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
 /var/lib/microshift/certs/ca-bundle(/.*)? gen_context(system_u:object_r:container_file_t,s0)
 /usr/local/bin/microshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/bin/microshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /var/hpvolumes(/.*)? gen_context(system_u:object_r:container_file_t,s0)
diff --git a/selinux/microshift.te b/selinux/microshift.te
index eb80d52ec1..6f45690d56 100644
--- a/selinux/microshift.te
+++ b/selinux/microshift.te
@@ -1,27 +1,22 @@
 policy_module(microshift, 1.0.0)
-gen_require(`
- type container_runtime_t, container_var_lib_t, container_runtime_exec_t, init_t;
- class bpf prog_run;
-')
-filetrans_pattern(container_runtime_t, container_var_lib_t, container_runtime_exec_t, dir, "data")
-
-allow container_runtime_t init_t:bpf prog_run;
-
 gen_require(`
 type container_runtime_t, var_lib_t, container_var_lib_t, container_runtime_tmpfs_t, container_t;
 class file { open read };
 ')
 filetrans_pattern(container_runtime_t, var_lib_t, container_var_lib_t, dir, "kubelet")
-allow container_t container_var_lib_t:file open;
-allow container_t container_runtime_tmpfs_t:file read;
+allow container_t container_runtime_tmpfs_t:file read_file_perms;
+allow container_t container_runtime_tmpfs_t:lnk_file read_file_perms;
 allow container_t container_runtime_tmpfs_t:file open;
+allow container_t container_runtime_tmpfs_t:file read;
+allow container_t container_var_lib_t:file open;
+allow container_t container_var_lib_t:file read;
 gen_require(`
 type container_runtime_t, container_var_lib_t, container_file_t, container_t, container_runtime_tmpfs_t;
 class file read;
 ')
 filetrans_pattern(container_runtime_t, container_var_lib_t, container_file_t, dir, "pods")
-allow container_t container_var_lib_t:file read;
-allow container_t container_var_lib_t:lnk_file read;
+
+fs_tmpfs_filetrans(container_runtime_t, container_runtime_tmpfs_t, { lnk_file})

From 70ad3828a07d29b4549a4a8e2702a04bb6981d26 Mon Sep 17 00:00:00 2001
From: Ryan Cook
Date: Wed, 6 Oct 2021 09:42:41 -0400
Subject: [PATCH 2/2] rolling item back in

---
 selinux/microshift.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/selinux/microshift.fc b/selinux/microshift.fc
index 47a66a5c6c..c888fada79 100644
--- a/selinux/microshift.fc
+++ b/selinux/microshift.fc
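Review bot: The three `container_runtime_tmpfs_t:file` rules in this hunk overlap — `read_file_perms` already contains `open` and `read`, so the kept `allow container_t container_runtime_tmpfs_t:file open;` and the added `allow container_t container_runtime_tmpfs_t:file read;` are redundant and can be dropped, and the two new `container_var_lib_t` lines collapse to `allow container_t container_var_lib_t:file { open read };`. The added `lnk_file` rule and the `fs_tmpfs_filetrans(..., { lnk_file})` call use a class that neither `gen_require` block lists (both declare only `class file`); this builds when the flask class definitions are prepended by the devel Makefile, but the require lists are now out of step with what the module actually uses. The removed `allow container_t container_var_lib_t:lnk_file read;` has no replacement on the new side, so a symlink a container still follows under `container_var_lib_t` will now be denied — confirm that is intended rather than an oversight. Note also that the `container_var_lib_t` read rules (carried over from before the change) apply to the whole `container_t` domain, i.e. every container on the host, whereas the `pods` filetrans to `container_file_t` in this same hunk already provides a narrower label if only kubelet-managed pod data needs to be readable. Minor style: `{ lnk_file}` → `{ lnk_file }`.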
@@ -2,4 +2,5 @@
 /var/run/secrets/kubernetes.io/serviceaccount(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
 /var/lib/microshift/certs/ca-bundle(/.*)? gen_context(system_u:object_r:container_file_t,s0)
 /usr/local/bin/microshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/microshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /var/hpvolumes(/.*)? gen_context(system_u:object_r:container_file_t,s0)
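Review bot: This patch re-adds exactly the `/usr/bin/microshift` line that PATCH 1/2 removed, so the two-patch series is a no-op for microshift.fc and leaves a delete/re-add pair in history; squashing the two, or dropping the deletion from PATCH 1/2, would keep the change set to the .te fix it actually makes. If the binary is installed at both paths, a one-line `#` comment above the pair noting the two install locations would stop the next reader from treating one of the `container_runtime_exec_t` contexts as stale.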