From f35f68d647803f41aea22cb759f82d15afe6fbfe Mon Sep 17 00:00:00 2001
From: Lokesh Mandvekar
Date: Wed, 17 Dec 2025 14:25:35 -0500
Subject: [PATCH] Allow TUN/TAP device access for container_engine_t

OCP clusters upgraded from 4.17/4.18 to 4.20 get AVC denials for pasta operations in nested container mode.

Fixes: RHEL-131796
Signed-off-by: Lokesh Mandvekar
---
 container.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/container.te b/container.te
index 4b1cfb9..9f46ace 100644
--- a/container.te
+++ b/container.te
@@ -1500,6 +1500,8 @@ kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)
 term_mount_pty_fs(container_engine_t)
 term_use_generic_ptys(container_engine_t)
+corenet_rw_tun_tap_dev(container_engine_t)
+
 allow container_engine_t container_file_t:chr_file mounton;
 allow container_engine_t filesystem_type:{dir file} mounton;
 allow container_engine_t proc_kcore_t:file mounton;
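Review bot: The new `corenet_rw_tun_tap_dev(container_engine_t)` line grants every container_engine_t process read/write on tun_tap_device_t character devices unconditionally, while the motivating case in the commit message is only pasta in nested container mode on upgraded OCP clusters; it is worth considering whether this belongs inside a tunable_policy() block keyed on a boolean, so hosts that never run nested pasta do not pick up the wider device access by default. The rule also carries no rationale in the policy file itself, so a reader at line 1500 cannot tell why the engine needs /dev/net/tun; a one-line comment above it such as `# pasta in nested container mode opens the TUN/TAP device (RHEL-131796)` would keep that context next to the rule rather than only in git history. If the denials attached to RHEL-131796 also include the tun_socket class or capability net_admin, the chr_file permissions added here would presumably not clear them on their own, so confirming against the full AVC set before closing the ticket seems prudent. The hunk's old-side count (6 lines) is one more than the visible context lines, so a blank context line or a trailing line may have been lost in this copy of the patch.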