From 0a82f954824289b46190004014946ddcf71b3af2 Mon Sep 17 00:00:00 2001
From: Sohan Kunkerkar
Date: Sat, 30 Aug 2025 14:46:32 -0400
Subject: [PATCH] Allow container access to runtime directories for crun masked path optimization

Problem: crun PR #1859 (https://github.com/containers/crun/pull/1859) optimizes masked paths by using a shared empty directory instead of individual tmpfs mounts. However, containers cannot access this shared directory due to SELinux policy:

avc: denied { read } for name=".empty-directory" scontext=container_t:s0:c139,c767 tcontext=container_var_run_t:s0

Without this policy, the optimization falls back to individual tmpfs mounts, negating the performance benefits.

Signed-off-by: Sohan Kunkerkar
---
 container.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/container.te b/container.te
index d425e24..ae18c4b 100644
--- a/container.te
+++ b/container.te
@@ -1348,6 +1348,9 @@ allow container_domain init_t:unix_stream_socket { accept ioctl read getattr loc
 allow container_t proc_t:filesystem remount;
+# Allow containers to access shared runtime directories for OCI runtime optimizations
+allow container_t container_var_run_t:dir { read open };
+
 # Container kvm - Policy for running kata containers
 container_domain_template(container_kvm, container)
 typeattribute container_kvm_t container_net_domain, container_user_domain;
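Review bot: The added rule `allow container_t container_var_run_t:dir { read open };` grants every container_t process read/open on all directories carrying the container_var_run_t label, while the commit message only justifies access to the single shared `.empty-directory` that crun bind-mounts; as written, a container can list the runtime directory tree (and so learn the names of other containers' runtime state), which is a broader disclosure than the optimization needs. If the shared directory can be given its own type (a dedicated label set by the runtime or a file transition), the rule should target that type instead; if not, the trade-off deserves a sentence next to the rule rather than a silent widening. The comment on the preceding line is also too vague to recover the reason later — I would replace it with `# crun masked-path optimization (crun PR #1859) bind-mounts one shared empty directory labeled container_var_run_t; containers need read/open on it`. Since the quoted denial is only for `read`, it is worth confirming that `search` and `getattr` on container_var_run_t directories are already granted elsewhere in the policy, which cannot be seen from this hunk.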