From 9ea8e26504e918cab8cde383ed2cfed5944bf780 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 16 Apr 2023 20:07:40 -0500
Subject: [PATCH] selinux: Allow passing tty devices to containers

The default SELinux policy does not allow passing generic USB devices and unallocated TTYs to containers. This prevents the Zigbee and ZWave USB dongles from being usable by their respective container processes.

---
 .../sec-policy/selinux-aimee-os/files/aimee-os.te | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
index abe887b..b029dec 100644
--- a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
+++ b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
@@ -257,3 +257,15 @@ optional_policy(`
 allow podman_t devlog_t:sock_file mounton;
 logging_send_syslog_msg(container_t)
 ')
+
+# Allow podman to mount tty devices in containers
+optional_policy(`
+ gen_require(`
+ type container_t, kernel_t;
+ type tty_device_t;
+ ')
+ term_use_unallocated_ttys(container_t)
+ container_mountpoint(tty_device_t)
+ dev_rw_generic_usb_dev(kernel_t)
+ dev_setattr_generic_usb_dev(kernel_t)
+')
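Review bot: `term_use_unallocated_ttys(container_t)` grants every container running in the stock `container_t` domain read/write/ioctl access to all `tty_device_t` nodes on the host, so the rule covers serial ports and virtual consoles generally, not only the Zigbee/ZWave dongles the message describes, and tty ioctls such as TIOCSTI make a shared host tty a plausible path from a compromised container into a host login session. A narrower form would be to label only the dongle nodes with a type containers may already use, e.g. `semanage fcontext -a -t container_device_t '/dev/ttyUSB[0-9]+'` plus `restorecon`, if the installed container-selinux provides `container_device_t`, or to run those two containers under a dedicated type (`--security-opt label=type:…`) and apply `term_use_unallocated_ttys` to that type instead of `container_t`. The `dev_rw_generic_usb_dev(kernel_t)` and `dev_setattr_generic_usb_dev(kernel_t)` lines widen the kernel domain rather than anything container-related and the commit message does not say which denial motivated them; a comment quoting the AVC entry next to them, e.g. `# kernel_t: avc: denied { read write } ... usb_device_t`, or dropping them if the tty rules alone suffice, would keep the policy auditable. The block's comment `# Allow podman to mount tty devices in containers` understates what is granted; `# Allow any container_t process to use all unallocated ttys (Zigbee/ZWave dongles)` would be more honest.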