Consider the case where a system is sharing files between multiple services (e.g. an Apache web server and a Jellyfin media server) by labeling the files as public_content_t or public_content_rw_t. Now imagine that the system administrator wishes to migrate one of the services from a "normal" installation (RPM, DEB, etc.) into a container.
From what I can tell, there is currently no simple way for that system administrator to give the newly containerized service access to the shared content.
This can be added trivially:

policy_module(container-public-content, 0)

require {
	type container_t;
};

# Read-only access to both public_content_t and public_content_rw_t
# (files, directories and symlinks), off by default.
bool container_read_public_content false;

if container_read_public_content {
	miscfiles_read_public_files(container_t)
}

# Create/write/delete access, which the miscfiles interface grants only
# on public_content_rw_t; also off by default.
bool container_manage_public_content false;

if container_manage_public_content {
	miscfiles_manage_public_files(container_t)
}
I'd be happy to create a PR if there's interest in this.
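To check that the two booleans proposed above would actually resolve what a containerized service logs in practice, here is an added triage script; it is not part of the original post or of refpolicy. It parses AVC denial records and maps each one to the boolean that would grant it, or flags it when neither boolean would. The audit lines are constructed for the example, and the permission sets are my assumption of what miscfiles_read_public_files (read on both public types) and miscfiles_manage_public_files (manage on public_content_rw_t only) expand to; verify them against the interface definitions in your refpolicy version.

```python
"""Map container_t AVC denials on public content to the booleans proposed above.

Added example, not part of the original post or of refpolicy. The sample audit
lines are constructed; the permission sets are assumed from the refpolicy
interfaces miscfiles_read_public_files / miscfiles_manage_public_files.
"""
import re
from dataclasses import dataclass

# Constructed sample lines in the format auditd writes for AVC denials.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read open } for  pid=2201 comm="jellyfin" name="movie.mkv" dev="dm-0" ino=1001 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:public_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write } for  pid=2201 comm="jellyfin" name="metadata.xml" dev="dm-0" ino=1002 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { write } for  pid=2201 comm="jellyfin" name="poster.jpg" dev="dm-0" ino=1003 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:public_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { read } for  pid=2202 comm="jellyfin" name="index.html" dev="dm-0" ino=1004 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.105:205): avc:  denied  { execute } for  pid=2203 comm="jellyfin" name="ffmpeg" dev="dm-0" ino=1005 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file permissive=0
type=USER_AUTH msg=audit(1700000000.106:206): pid=1 uid=0 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" res=success'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

PUBLIC_TYPES = {"public_content_t", "public_content_rw_t"}

# Assumed: miscfiles_read_public_files expands to read_files_pattern,
# list_dirs_pattern and read_lnk_files_pattern, i.e. these permissions.
READ_PERMS = {"read", "getattr", "open", "lock", "ioctl", "search"}
# Assumed: miscfiles_manage_public_files expands to the manage_*_pattern
# macros, which add these, and is granted only on public_content_rw_t.
MANAGE_PERMS = READ_PERMS | {
    "write", "append", "create", "unlink", "rename", "setattr",
    "link", "add_name", "remove_name", "rmdir", "reparent",
}

SUGGEST_READ = "setsebool -P container_read_public_content on"
SUGGEST_MANAGE = "setsebool -P container_manage_public_content on"
SUGGEST_RELABEL = "relabel the target public_content_rw_t: no boolean grants write on public_content_t"
SUGGEST_SKIP = "not covered by this module"
SUGGEST_REVIEW = "manual review: permission set not granted by either boolean"


@dataclass(frozen=True)
class Denial:
    perms: frozenset
    source_type: str
    target_type: str
    tclass: str


def parse_avc(line):
    """Return a Denial for an AVC 'denied' record, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # The type is the third colon-separated field of a context (user:role:type:...).
    return Denial(
        perms=frozenset(m.group("perms").split()),
        source_type=m.group("scontext").split(":")[2],
        target_type=m.group("tcontext").split(":")[2],
        tclass=m.group("tclass"),
    )


def suggest(denial):
    """Pick the least-privilege boolean from the module above that would allow this denial."""
    if denial.source_type != "container_t" or denial.target_type not in PUBLIC_TYPES:
        return SUGGEST_SKIP
    if denial.tclass not in {"file", "dir", "lnk_file"}:
        return SUGGEST_REVIEW
    if denial.perms <= READ_PERMS:
        return SUGGEST_READ
    if denial.perms <= MANAGE_PERMS:
        # Write-class access on read-only public_content_t is a labeling
        # problem, not a boolean problem.
        if denial.target_type == "public_content_t":
            return SUGGEST_RELABEL
        return SUGGEST_MANAGE
    return SUGGEST_REVIEW


def analyze(audit_text):
    """Return [(Denial, suggestion)] for every AVC denial in the text, in log order."""
    results = []
    for line in audit_text.splitlines():
        denial = parse_avc(line)
        if denial is not None:
            results.append((denial, suggest(denial)))
    return results


if __name__ == "__main__":
    for denial, advice in analyze(SAMPLE_AUDIT_LOG):
        perms = " ".join(sorted(denial.perms))
        print(f"{denial.target_type:22} {denial.tclass:8} {{ {perms} }} -> {advice}")
```

The third sample line is the caveat worth keeping in mind when migrating a service that writes to the share: flipping container_manage_public_content does nothing for a write denial on public_content_t, because the manage interface only covers public_content_rw_t, so the directory has to be relabeled first. After loading the module and toggling a boolean, `sesearch -A -s container_t -t public_content_rw_t -c file` on the running policy is the quick way to confirm the rules the script assumes are really present.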