module my-kube-apiserver 1.0; require { type container_var_lib_t; type rke2_service_t; class file watch; } #============= rke2_service_t ============== allow rke2_service_t container_var_lib_t:file watch;