selinux-policy: allow trusted_s to mutate cache_t files

In order for the snapshotter configuration service to be able to clean
up snapshotter state directories via "find", processes given trusted_s
must be allowed to mutate files that are cache_t, which is given to
containerd's state directory.

Signed-off-by: Gavin Inglis <[email protected]>

Author: ginglis13

packages/selinux-policy/rules.cil

@@ -251,7 +251,7 @@
 (allow api_s private_t (files (mutate)))
 (allow clock_s measure_t (files (mutate)))
 (allow network_s lease_t (files (mutate)))
-(allow runtime_s cache_t (files (mutate)))
+(allow trusted_s cache_t (files (mutate)))
 
 ; Other components should not be permitted to modify these files,
 ; or to manage mounts for these directories.