diff --git a/container.te b/container.te
index 5dd3d02..a47929c 100644
--- a/container.te
+++ b/container.te
@@ -83,6 +83,22 @@ gen_tunable(container_use_cephfs, false)
 ##
 gen_tunable(container_use_ecryptfs, false)
 
+##
+##
+## Allow containers to read shared public files
+## (public_content_t & public_content_rw_t)
+##
+##
+gen_tunable(container_read_public_content, false)
+
+##
+##
+## Allow containers to read and write shared public
+## files (public_content_rw_t)
+##
+##
+gen_tunable(container_manage_public_content, false)
+
 attribute container_runtime_domain;
 container_runtime_domain_template(container_runtime)
 typealias container_runtime_t alias docker_t;
@@ -1452,6 +1468,14 @@ tunable_policy(`virt_sandbox_use_sys_admin',`
 allow container_init_t self:cap_userns sys_admin;
 ')
 
+tunable_policy(`container_read_public_content',`
+ miscfiles_read_public_files(container_domain)
+')
+
+tunable_policy(`container_manage_public_content',`
+ miscfiles_manage_public_files(container_domain)
+')
+
 allow container_init_domain self:netlink_audit_socket nlmsg_relay;
 
 # container_engine_t is for running a container engine within a container
diff --git a/container_selinux.8 b/container_selinux.8
index 5f9ee64..d8807d8 100644
--- a/container_selinux.8
+++ b/container_selinux.8
@@ -87,6 +87,22 @@ If you want to allow sandbox containers to use sys_admin system calls, for examp
 
 .EE
 
+.PP
+If you want to allow containers to read shared public files (public_content_t and public_content_rw_t), set the container_read_public_content boolean. Disabled by default.
+
+.EX
+.B setsebool -P container_read_public_content 1
+
+.EE
+
+.PP
+If you want to allow containers to read and write shared public files (public_content_rw_t), set the container_manage_public_content boolean. Disabled by default.
+
+.EX
+.B setsebool -P container_manage_public_content 1
+
+.EE
+
 .SH PORT TYPES
 SELinux defines port types to represent TCP and UDP ports.
 .PP
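Review bot: The description for container_manage_public_content says "read and write shared public files" but names only public_content_rw_t, while the read boolean's description covers both public_content_t and public_content_rw_t; since each boolean wraps its own interface independently in the second hunk, an admin cannot tell from these descriptions whether enabling the manage boolean alone also grants read access to public_content_t. Suggest stating it explicitly, e.g. `## Allow containers to read and write shared public files (public_content_rw_t). Enable container_read_public_content as well for read access to public_content_t.`, adjusted if miscfiles_manage_public_files already covers that type (worth confirming against miscfiles.if). Both descriptions should also warn that public_content_rw_t is a host-wide type shared with other services' anon-write booleans, so enabling the manage boolean lets every container write files that those services and other containers read. The desc/p tags that normally wrap gen_tunable descriptions appear stripped here, presumably by the rendering rather than by the patch.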
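Review bot: Both tunable_policy blocks grant the access to the entire container_domain attribute, so each boolean is a host-wide, all-containers switch with no per-container scoping, and container_manage_public_content in particular turns public_content_rw_t into a writable channel shared by every container and by any host service whose own anon-write boolean targets that type. A short comment above the block would keep the next maintainer from treating it as a per-container knob, e.g. `# Applies to every domain carrying container_domain; sharing a directory with one container should use a dedicated container file type, not public_content_rw_t.` The manage tunable also does not imply the read one: a container with only container_manage_public_content set gets whatever miscfiles_manage_public_files grants and nothing from miscfiles_read_public_files, so unless that interface already covers public_content_t the man page hunk should say both booleans are needed for read access to it. The enclosing policy module continues outside the hunk; the placement between the virt_sandbox_use_sys_admin block and the netlink_audit_socket rule is fine.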
@@ -461,4 +477,4 @@ This manual page was auto-generated using
 .B "sepolicy manpage".
 
 .SH "SEE ALSO"
-selinux(8), container(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), container_auth_selinux(8), container_auth_selinux(8), container_device_selinux(8), container_device_selinux(8), container_device_plugin_selinux(8), container_device_plugin_selinux(8), container_device_plugin_init_selinux(8), container_device_plugin_init_selinux(8), container_engine_selinux(8), container_engine_selinux(8), container_init_selinux(8), container_init_selinux(8), container_kvm_selinux(8), container_kvm_selinux(8), container_logreader_selinux(8), container_logreader_selinux(8), container_logwriter_selinux(8), container_logwriter_selinux(8), container_runtime_selinux(8), container_runtime_selinux(8), container_user_selinux(8), container_user_selinux(8), container_userns_selinux(8), container_userns_selinux(8)
\ No newline at end of file
+selinux(8), container(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), container_auth_selinux(8), container_auth_selinux(8), container_device_selinux(8), container_device_selinux(8), container_device_plugin_selinux(8), container_device_plugin_selinux(8), container_device_plugin_init_selinux(8), container_device_plugin_init_selinux(8), container_engine_selinux(8), container_engine_selinux(8), container_init_selinux(8), container_init_selinux(8), container_kvm_selinux(8), container_kvm_selinux(8), container_logreader_selinux(8), container_logreader_selinux(8), container_logwriter_selinux(8), container_logwriter_selinux(8), container_runtime_selinux(8), container_runtime_selinux(8), container_user_selinux(8), container_user_selinux(8), container_userns_selinux(8), container_userns_selinux(8)
+## Allow containers to read shared public files +## (public_content_t & public_content_rw_t) +##
+## Allow containers to read and write shared public +## files (public_content_rw_t) +##