Trying to set up a type bounds from unconfined_t and docker_t to svirt_lxc_net_t
From: Daniel J Walsh @ 2016-04-28 13:15 UTC
To: James Carter, SELinux, Stephen Smalley
typebounds unconfined_t docker_t; # docker_t is an unconfined domain
typebounds docker_t spc_t; # spc_t is an unconfined domain
typebounds docker_t docker_lxc_net_t;
docker, rkt, systemd-nspawn and runc all execute
setexeccon(svirt_lxc_net_t)
for container domains.
Everything works fine until I turn on expand_check in semanage.conf,
which we have been asked to do in Rawhide.
Attached is the current Rawhide docker policy. And here is the output
from semodule -i before it crashes, with a segfault.
Had to add this rule to make it a little quieter, which is caused by a
rule in policy that says we allow all daemons to connectto spc_t:
gen_require(`
type unconfined_t;
attribute daemon;
')
allow daemon unconfined_t:unix_stream_socket connectto;
Why does typebounds care about when a domain is the target of an access?
I think it should only remove options when it is the source.
Otherwise we end up having to loosen the policy to make this work.
As long as docker_t does not have any more "allow docker_t" rules than
"allow unconfined_t", shouldn't this be ok?
It seems that some of the optional code blocks are causing problems also.
[-- Attachment #2: out (text/plain, 115214 bytes) --]
Child type docker_t exceeds bounds of parent unconfined_t
(allow docker_t daemon (unix_stream_socket (connectto)))
<root>
optional at line 1230 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
optional at line 1284 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
allow at line 1295 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
(allow docker_t device_node (sock_file (getattr)))
(allow docker_t crash_device_t (sock_file (getattr)))
<root>
allow at line 555 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow docker_t device_node (sock_file (getattr)))
(allow docker_t cpu_device_t (sock_file (getattr)))
<root>
allow at line 555 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow docker_t device_node (sock_file (getattr)))
(allow docker_t console_device_t (sock_file (getattr)))
<root>
allow at line 555 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow docker_t device_node (sock_file (getattr)))
(allow docker_t clock_device_t (sock_file (getattr)))
<root>
allow at line 555 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow docker_t device_node (sock_file (getattr)))
(allow docker_t bsdpty_device_t (sock_file (getattr)))
<root>
allow at line 555 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow docker_t device_node (sock_file (getattr)))
(allow docker_t autofs_device_t (sock_file (getattr)))
<root>
allow at line 555 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow docker_t device_node (sock_file (getattr)))
(allow docker_t apm_bios_t (sock_file (getattr)))
<root>
allow at line 555 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow docker_t device_node (sock_file (getattr)))
(allow docker_t agp_device_t (sock_file (getattr)))
<root>
allow at line 555 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow docker_t device_node (sock_file (getattr)))
(allow docker_t device_node (sock_file (getattr)))
<root>
allow at line 8791 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 8821 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 555 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 562 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
optional at line 1296 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
allow at line 1328 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow docker_t svirt_sandbox_file_t (sock_file (write getattr append open)))
(allow docker_t ajaxterm_devpts_t (sock_file (getattr)))
<root>
allow at line 555 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow docker_t device_node (sock_file (getattr)))
(allow staff_usertype docker_t (tcp_socket (recvfrom)))
<root>
allow at line 5467 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 1364 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
optional at line 2891 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
optional at line 2894 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
allow at line 2899 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
(allow staff_usertype daemon (tcp_socket (recvfrom)))
(allow nscd_t docker_t (dir (ioctl read lock)))
<root>
optional at line 1230 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
optional at line 1297 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
booleanif at line 1302 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
false at line 1319 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
allow at line 1323 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
<root>
optional at line 1230 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
optional at line 1568 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
booleanif at line 1573 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
false at line 1590 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
allow at line 1594 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
<root>
optional at line 875 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
booleanif at line 880 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
false at line 897 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
allow at line 901 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
optional at line 4356 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 4651 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 5414 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 5494 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 6092 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
allow at line 6109 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
(allow nscd_t daemon (dir (ioctl read getattr lock search open)))
(allow svirt_kvm_net_t docker_t (process (getattr)))
<root>
optional at line 1296 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
allow at line 1333 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow svirt_sandbox_domain docker_t (process (getattr)))
(allow svirt_qemu_net_t docker_t (process (getattr)))
<root>
optional at line 1296 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
allow at line 1333 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow svirt_sandbox_domain docker_t (process (getattr)))
(allow svirt_lxc_net_t docker_t (process (getattr)))
<root>
optional at line 1296 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
allow at line 1333 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow svirt_sandbox_domain docker_t (process (getattr)))
(allow svirt_sandbox_domain docker_t (process (getattr)))
<root>
allow at line 4534 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 1296 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
allow at line 1333 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow svirt_sandbox_domain docker_t (process (getattr)))
(allow docker_t sysctl_net_t (lnk_file (read getattr)))
<root>
allow at line 371 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow docker_t sysctl_net_t (lnk_file (read getattr)))
(allow sysadm_t docker_t (udp_socket (recvfrom)))
<root>
optional at line 7365 of /var/lib/selinux/targeted/tmp/modules/100/sysadm/cil
optional at line 7631 of /var/lib/selinux/targeted/tmp/modules/100/sysadm/cil
allow at line 7647 of /var/lib/selinux/targeted/tmp/modules/100/sysadm/cil
(allow sysadm_usertype daemon (udp_socket (recvfrom)))
(allow sysadm_usertype docker_t (udp_socket (recvfrom)))
<root>
optional at line 7365 of /var/lib/selinux/targeted/tmp/modules/100/sysadm/cil
optional at line 7631 of /var/lib/selinux/targeted/tmp/modules/100/sysadm/cil
allow at line 7647 of /var/lib/selinux/targeted/tmp/modules/100/sysadm/cil
(allow sysadm_usertype daemon (udp_socket (recvfrom)))
(allow docker_t initrc_domain (fd (use)))
<root>
allow at line 4531 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
booleanif at line 16426 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
true at line 16427 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
allow at line 16428 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 2664 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
<root>
allow at line 2712 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
(allow daemon initrc_domain (fd (use)))
(allow staff_wine_t docker_t (udp_socket (recvfrom)))
<root>
optional at line 1364 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
optional at line 2891 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
optional at line 2894 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
allow at line 2910 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
(allow staff_usertype daemon (udp_socket (recvfrom)))
(allow staff_t docker_t (udp_socket (recvfrom)))
<root>
optional at line 1364 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
optional at line 2891 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
optional at line 2894 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
allow at line 2910 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
(allow staff_usertype daemon (udp_socket (recvfrom)))
(allow staff_usertype docker_t (udp_socket (recvfrom)))
<root>
optional at line 1364 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
optional at line 2891 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
optional at line 2894 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
allow at line 2910 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
(allow staff_usertype daemon (udp_socket (recvfrom)))
(allow init_t docker_t (unix_dgram_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
<root>
allow at line 2668 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
<root>
allow at line 2692 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
(allow init_t daemon (unix_dgram_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
(allow docker_t svirt_sandbox_domain (unix_stream_socket (connectto)))
<root>
allow at line 4508 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 1296 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
allow at line 1329 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
optional at line 4356 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 4651 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 5414 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 5494 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 6180 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 6192 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
booleanif at line 6201 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
true at line 6202 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
allow at line 6203 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
(allow daemon daemon (unix_stream_socket (connectto)))
(allow nscd_t docker_t (lnk_file (read getattr)))
<root>
optional at line 1230 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
optional at line 1297 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
booleanif at line 1302 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
false at line 1319 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
allow at line 1321 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
<root>
optional at line 1230 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
optional at line 1568 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
booleanif at line 1573 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
false at line 1590 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
allow at line 1592 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
<root>
optional at line 875 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
booleanif at line 880 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
false at line 897 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
allow at line 899 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
optional at line 4356 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 4651 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 5414 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 5494 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 6092 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
allow at line 6111 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
(allow nscd_t daemon (lnk_file (read getattr)))
(allow cluster_t docker_t (process (transition)))
<root>
allow at line 2711 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
(allow initrc_domain daemon (process (transition)))
(allow piranha_pulse_t docker_t (process (transition)))
<root>
allow at line 2711 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
(allow initrc_domain daemon (process (transition)))
(allow openshift_initrc_t docker_t (process (transition)))
<root>
allow at line 2711 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
(allow initrc_domain daemon (process (transition)))
(allow kdumpctl_t docker_t (process (transition)))
<root>
allow at line 2711 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
(allow initrc_domain daemon (process (transition)))
(allow initrc_t docker_t (process (transition)))
<root>
allow at line 2711 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
(allow initrc_domain daemon (process (transition)))
(allow initrc_domain docker_t (process (transition)))
<root>
allow at line 2711 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
(allow initrc_domain daemon (process (transition)))
(allow glusterd_t docker_t (process (transition)))
<root>
allow at line 2711 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
(allow initrc_domain daemon (process (transition)))
(allow condor_startd_t docker_t (process (transition)))
<root>
allow at line 2711 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
(allow initrc_domain daemon (process (transition)))
(allow staff_usertype docker_t (peer (recv)))
<root>
allow at line 5458 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 5470 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 1364 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
optional at line 2891 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
optional at line 2894 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
allow at line 2903 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
<root>
optional at line 1364 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
optional at line 2891 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
optional at line 2894 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
allow at line 2912 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
(allow staff_usertype daemon (peer (recv)))
(allow init_t docker_t (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown)))
<root>
allow at line 2667 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
<root>
allow at line 2691 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
(allow init_t daemon (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown)))
(allow docker_t configfile (file (ioctl read getattr lock open)))
<root>
allow at line 634 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
<root>
allow at line 639 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
<root>
allow at line 665 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
<root>
allow at line 671 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
<root>
allow at line 673 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
<root>
booleanif at line 957 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
true at line 958 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
allow at line 966 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
<root>
booleanif at line 957 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
true at line 958 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
allow at line 972 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
<root>
optional at line 1230 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
optional at line 1408 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
allow at line 1425 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
<root>
optional at line 1230 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
optional at line 1498 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
booleanif at line 1517 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
true at line 1518 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
allow at line 1519 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
<root>
optional at line 1230 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
optional at line 1498 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
booleanif at line 1517 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
true at line 1518 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
allow at line 1525 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
<root>
optional at line 1230 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
optional at line 1661 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
allow at line 1686 of /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil
<root>
allow at line 4492 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 8786 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 18016 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
allow at line 18022 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 221 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 389 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 416 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 522 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 528 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
optional at line 1000 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
allow at line 1030 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
optional at line 1296 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
allow at line 1310 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
optional at line 4356 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 4651 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 5414 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 5494 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 6180 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 6236 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
booleanif at line 6239 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
true at line 6240 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
allow at line 6241 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
<root>
optional at line 4356 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 4651 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 5414 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 5494 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 6180 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 6236 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
booleanif at line 6239 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
false at line 6247 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
allow at line 6248 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
(allow daemon cluster_conf_t (file (ioctl read getattr lock open)))
(allow docker_t initrc_domain (process (sigchld)))
<root>
allow at line 4534 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 18016 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
allow at line 18019 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 1296 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
allow at line 1354 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 2714 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
(allow daemon initrc_domain (process (sigchld)))
(allow svirt_kvm_net_t docker_t (dir (ioctl read getattr lock search open)))
<root>
optional at line 1296 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
allow at line 1330 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow svirt_sandbox_domain docker_t (dir (ioctl read getattr lock search open)))
(allow svirt_qemu_net_t docker_t (dir (ioctl read getattr lock search open)))
<root>
optional at line 1296 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
allow at line 1330 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow svirt_sandbox_domain docker_t (dir (ioctl read getattr lock search open)))
(allow svirt_lxc_net_t docker_t (dir (ioctl read getattr lock search open)))
<root>
optional at line 1296 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
allow at line 1330 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow svirt_sandbox_domain docker_t (dir (ioctl read getattr lock search open)))
(allow svirt_sandbox_domain docker_t (dir (ioctl read getattr lock search open)))
<root>
allow at line 4539 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 1296 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
allow at line 1330 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow svirt_sandbox_domain docker_t (dir (ioctl read getattr lock search open)))
(allow staff_usertype docker_t (association (recvfrom)))
<root>
allow at line 5455 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 5468 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 1364 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
optional at line 2891 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
optional at line 2894 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
allow at line 2900 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
<root>
optional at line 1364 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
optional at line 2891 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
optional at line 2894 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
allow at line 2911 of /var/lib/selinux/targeted/tmp/modules/100/staff/cil
(allow staff_usertype daemon (association (recvfrom)))
(allow user_usertype docker_t (tcp_socket (recvfrom)))
<root>
allow at line 5467 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 1257 of /var/lib/selinux/targeted/tmp/modules/100/unprivuser/cil
optional at line 2783 of /var/lib/selinux/targeted/tmp/modules/100/unprivuser/cil
optional at line 2786 of /var/lib/selinux/targeted/tmp/modules/100/unprivuser/cil
allow at line 2791 of /var/lib/selinux/targeted/tmp/modules/100/unprivuser/cil
(allow user_usertype daemon (tcp_socket (recvfrom)))
(allow sysadm_usertype docker_t (tcp_socket (recvfrom)))
<root>
allow at line 5467 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 7365 of /var/lib/selinux/targeted/tmp/modules/100/sysadm/cil
optional at line 7631 of /var/lib/selinux/targeted/tmp/modules/100/sysadm/cil
allow at line 7636 of /var/lib/selinux/targeted/tmp/modules/100/sysadm/cil
(allow sysadm_usertype daemon (tcp_socket (recvfrom)))
(allow docker_t userdomain (unix_stream_socket (connectto)))
<root>
allow at line 4508 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 700 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 847 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow daemon unconfined_t (unix_stream_socket (connectto)))
(allow docker_t userdomain (lnk_file (read getattr)))
<root>
allow at line 4541 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 710 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow docker_t userdomain (lnk_file (read getattr)))
(allow docker_t non_security_file_type (dir (write setattr mounton)))
<root>
allow at line 8788 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 8817 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 13052 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 13055 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 13057 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 13097 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 16612 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
allow at line 16621 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 16730 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
allow at line 16797 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 16730 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
allow at line 16799 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 16730 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
allow at line 16801 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 16730 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
allow at line 16856 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 16730 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
allow at line 16858 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 16730 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
allow at line 16860 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 17962 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
allow at line 17970 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 17962 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
allow at line 17971 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 17962 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
allow at line 17972 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 17962 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
allow at line 17973 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 17962 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
allow at line 17974 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 17962 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
allow at line 17975 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 210 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 212 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 213 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 214 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 217 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 218 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 219 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 220 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 222 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 223 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 224 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 225 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 234 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 235 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 236 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 237 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 239 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 242 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 253 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 254 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 255 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 256 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 258 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 1844 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1847 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1850 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1853 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1856 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1859 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1862 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1865 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1868 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1871 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1872 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1874 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1876 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1878 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1880 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1882 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1884 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1886 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1888 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1890 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1892 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1894 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1896 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1898 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1900 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1902 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1904 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1906 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1908 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1910 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1912 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1914 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1916 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1918 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1920 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1922 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1924 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1926 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
optional at line 1985 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 1989 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
<root>
optional at line 1775 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
optional at line 1997 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
allow at line 2000 of /var/lib/selinux/targeted/tmp/modules/100/userdomain/cil
(allow userdom_filetrans_type cache_home_t (dir (ioctl read write getattr lock add_name remove_name search open)))
(allow docker_t user_usertype (association (recvfrom)))
<root>
allow at line 5453 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 5466 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 5477 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 5483 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 1257 of /var/lib/selinux/targeted/tmp/modules/100/unprivuser/cil
optional at line 2783 of /var/lib/selinux/targeted/tmp/modules/100/unprivuser/cil
optional at line 2786 of /var/lib/selinux/targeted/tmp/modules/100/unprivuser/cil
allow at line 2794 of /var/lib/selinux/targeted/tmp/modules/100/unprivuser/cil
(allow daemon user_usertype (association (recvfrom)))
(allow docker_t userdomain (dir (getattr search open)))
<root>
allow at line 4539 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 707 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
<root>
allow at line 709 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow docker_t userdomain (dir (getattr search open)))
(allow svirt_kvm_net_t docker_t (lnk_file (read getattr)))
<root>
optional at line 1296 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
allow at line 1332 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow svirt_sandbox_domain docker_t (lnk_file (read getattr)))
(allow svirt_qemu_net_t docker_t (lnk_file (read getattr)))
<root>
optional at line 1296 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
allow at line 1332 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow svirt_sandbox_domain docker_t (lnk_file (read getattr)))
(allow svirt_lxc_net_t docker_t (lnk_file (read getattr)))
<root>
optional at line 1296 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
allow at line 1332 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow svirt_sandbox_domain docker_t (lnk_file (read getattr)))
(allow svirt_sandbox_domain docker_t (lnk_file (read getattr)))
<root>
allow at line 4541 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 1296 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
allow at line 1332 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
(allow svirt_sandbox_domain docker_t (lnk_file (read getattr)))
(allow sysadm_usertype docker_t (peer (recv)))
<root>
allow at line 5458 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 5470 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 7365 of /var/lib/selinux/targeted/tmp/modules/100/sysadm/cil
optional at line 7631 of /var/lib/selinux/targeted/tmp/modules/100/sysadm/cil
allow at line 7640 of /var/lib/selinux/targeted/tmp/modules/100/sysadm/cil
<root>
optional at line 7365 of /var/lib/selinux/targeted/tmp/modules/100/sysadm/cil
optional at line 7631 of /var/lib/selinux/targeted/tmp/modules/100/sysadm/cil
allow at line 7649 of /var/lib/selinux/targeted/tmp/modules/100/sysadm/cil
(allow sysadm_usertype daemon (peer (recv)))
(allow docker_t user_usertype (tcp_socket (recvfrom)))
<root>
allow at line 4502 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
allow at line 5465 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
<root>
optional at line 1257 of /var/lib/selinux/targeted/tmp/modules/100/unprivuser/cil
optional at line 2783 of /var/lib/selinux/targeted/tmp/modules/100/unprivuser/cil
optional at line 2786 of /var/lib/selinux/targeted/tmp/modules/100/unprivuser/cil
allow at line 2793 of /var/lib/selinux/targeted/tmp/modules/100/unprivuser/cil
(allow daemon user_usertype (tcp_socket (recvfrom)))
(allow direct_run_init docker_t (process (noatsecure siginh rlimitinh)))
[-- Attachment #3: docker.te --]
[-- Type: text/plain, Size: 12162 bytes --]
policy_module(docker, 1.0.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Determine whether docker can
## connect to all TCP ports.
## </p>
## </desc>
gen_tunable(docker_connect_any, false)
type docker_t;
type docker_exec_t;
init_daemon_domain(docker_t, docker_exec_t)
domain_subj_id_change_exemption(docker_t)
domain_role_change_exemption(docker_t)
type spc_t;
domain_type(spc_t)
role system_r types spc_t;
type docker_auth_t;
type docker_auth_exec_t;
init_daemon_domain(docker_auth_t, docker_auth_exec_t)
type spc_var_run_t;
files_pid_file(spc_var_run_t)
type docker_var_lib_t;
files_type(docker_var_lib_t)
type docker_home_t;
userdom_user_home_content(docker_home_t)
type docker_config_t;
files_config_file(docker_config_t)
type docker_lock_t;
files_lock_file(docker_lock_t)
type docker_log_t;
logging_log_file(docker_log_t)
type docker_tmp_t;
files_tmp_file(docker_tmp_t)
type docker_tmpfs_t;
files_tmpfs_file(docker_tmpfs_t)
type docker_var_run_t;
files_pid_file(docker_var_run_t)
type docker_plugin_var_run_t;
files_pid_file(docker_plugin_var_run_t)
type docker_unit_file_t;
systemd_unit_file(docker_unit_file_t)
type docker_devpts_t;
term_pty(docker_devpts_t)
type docker_share_t;
files_type(docker_share_t)
########################################
#
# docker local policy
#
allow docker_t self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap };
allow docker_t self:tun_socket relabelto;
allow docker_t self:process { getattr signal_perms setrlimit setfscreate };
allow docker_t self:fifo_file rw_fifo_file_perms;
allow docker_t self:unix_stream_socket create_stream_socket_perms;
allow docker_t self:tcp_socket create_stream_socket_perms;
allow docker_t self:udp_socket create_socket_perms;
allow docker_t self:capability2 block_suspend;
docker_auth_stream_connect(docker_t)
manage_files_pattern(docker_t, docker_home_t, docker_home_t)
manage_dirs_pattern(docker_t, docker_home_t, docker_home_t)
manage_lnk_files_pattern(docker_t, docker_home_t, docker_home_t)
userdom_admin_home_dir_filetrans(docker_t, docker_home_t, dir, ".docker")
manage_dirs_pattern(docker_t, docker_config_t, docker_config_t)
manage_files_pattern(docker_t, docker_config_t, docker_config_t)
files_etc_filetrans(docker_t, docker_config_t, dir, "docker")
manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
manage_files_pattern(docker_t, docker_lock_t, docker_lock_t)
files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc")
manage_dirs_pattern(docker_t, docker_log_t, docker_log_t)
manage_files_pattern(docker_t, docker_log_t, docker_log_t)
manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t)
logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file })
allow docker_t docker_log_t:dir_file_class_set { relabelfrom relabelto };
filetrans_pattern(docker_t, docker_var_lib_t, docker_log_t, file, "container-json.log")
manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t)
manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file })
manage_dirs_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
manage_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
manage_lnk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
manage_blk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
allow docker_t docker_tmpfs_t:dir relabelfrom;
can_exec(docker_t, docker_tmpfs_t)
fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file })
allow docker_t docker_tmpfs_t:chr_file mounton;
manage_dirs_pattern(docker_t, docker_share_t, docker_share_t)
manage_files_pattern(docker_t, docker_share_t, docker_share_t)
manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t)
allow docker_t docker_share_t:dir_file_class_set { relabelfrom relabelto };
can_exec(docker_t, docker_share_t)
#docker_filetrans_named_content(docker_t)
manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto };
files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file })
manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t)
manage_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
manage_fifo_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
manage_sock_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file })
allow docker_t docker_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(docker_t, docker_devpts_t)
kernel_read_system_state(docker_t)
kernel_read_network_state(docker_t)
kernel_read_all_sysctls(docker_t)
kernel_rw_net_sysctls(docker_t)
kernel_setsched(docker_t)
kernel_read_all_proc(docker_t)
domain_use_interactive_fds(docker_t)
domain_dontaudit_read_all_domains_state(docker_t)
corecmd_exec_bin(docker_t)
corecmd_exec_shell(docker_t)
corenet_tcp_bind_generic_node(docker_t)
corenet_tcp_sendrecv_generic_if(docker_t)
corenet_tcp_sendrecv_generic_node(docker_t)
corenet_tcp_sendrecv_generic_port(docker_t)
corenet_tcp_bind_all_ports(docker_t)
corenet_tcp_connect_http_port(docker_t)
corenet_tcp_connect_commplex_main_port(docker_t)
corenet_udp_sendrecv_generic_if(docker_t)
corenet_udp_sendrecv_generic_node(docker_t)
corenet_udp_sendrecv_all_ports(docker_t)
corenet_udp_bind_generic_node(docker_t)
corenet_udp_bind_all_ports(docker_t)
files_read_config_files(docker_t)
files_dontaudit_getattr_all_dirs(docker_t)
files_dontaudit_getattr_all_files(docker_t)
fs_read_cgroup_files(docker_t)
fs_read_tmpfs_symlinks(docker_t)
fs_search_all(docker_t)
fs_getattr_all_fs(docker_t)
storage_raw_rw_fixed_disk(docker_t)
auth_use_nsswitch(docker_t)
auth_dontaudit_getattr_shadow(docker_t)
init_read_state(docker_t)
init_status(docker_t)
logging_send_audit_msgs(docker_t)
logging_send_syslog_msg(docker_t)
miscfiles_read_localization(docker_t)
mount_domtrans(docker_t)
seutil_read_default_contexts(docker_t)
seutil_read_config(docker_t)
sysnet_dns_name_resolve(docker_t)
sysnet_exec_ifconfig(docker_t)
optional_policy(`
	rpm_exec(docker_t)
	rpm_read_db(docker_t)
')
optional_policy(`
	fstools_domtrans(docker_t)
')
optional_policy(`
	iptables_domtrans(docker_t)
')
optional_policy(`
	openvswitch_stream_connect(docker_t)
')
#
# lxc rules
#
allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace };
allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms };
allow docker_t self:netlink_route_socket rw_netlink_socket_perms;
allow docker_t self:netlink_audit_socket create_netlink_socket_perms;
allow docker_t self:unix_dgram_socket { create_socket_perms sendto };
allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow docker_t docker_var_lib_t:dir mounton;
allow docker_t docker_var_lib_t:chr_file mounton;
can_exec(docker_t, docker_var_lib_t)
kernel_dontaudit_setsched(docker_t)
kernel_get_sysvipc_info(docker_t)
kernel_request_load_module(docker_t)
kernel_mounton_messages(docker_t)
kernel_mounton_all_proc(docker_t)
kernel_mounton_all_sysctls(docker_t)
dev_getattr_all(docker_t)
dev_getattr_sysfs_fs(docker_t)
dev_read_urand(docker_t)
dev_read_lvm_control(docker_t)
dev_rw_sysfs(docker_t)
dev_rw_loop_control(docker_t)
dev_rw_lvm_control(docker_t)
files_getattr_isid_type_dirs(docker_t)
files_manage_isid_type_dirs(docker_t)
files_manage_isid_type_files(docker_t)
files_manage_isid_type_symlinks(docker_t)
files_manage_isid_type_chr_files(docker_t)
files_manage_isid_type_blk_files(docker_t)
files_exec_isid_files(docker_t)
files_mounton_isid(docker_t)
files_mounton_non_security(docker_t)
files_mounton_isid_type_chr_file(docker_t)
fs_mount_all_fs(docker_t)
fs_unmount_all_fs(docker_t)
fs_remount_all_fs(docker_t)
fs_manage_cgroup_dirs(docker_t)
fs_manage_cgroup_files(docker_t)
fs_relabelfrom_xattr_fs(docker_t)
fs_relabelfrom_tmpfs(docker_t)
fs_read_tmpfs_symlinks(docker_t)
fs_list_hugetlbfs(docker_t)
term_use_generic_ptys(docker_t)
term_use_ptmx(docker_t)
term_getattr_pty_fs(docker_t)
term_relabel_pty_fs(docker_t)
term_mounton_unallocated_ttys(docker_t)
modutils_domtrans_insmod(docker_t)
systemd_status_all_unit_files(docker_t)
systemd_start_systemd_services(docker_t)
userdom_stream_connect(docker_t)
userdom_search_user_home_content(docker_t)
userdom_read_all_users_state(docker_t)
userdom_relabel_user_home_files(docker_t)
userdom_relabel_user_tmp_files(docker_t)
userdom_relabel_user_tmp_dirs(docker_t)
optional_policy(`
	gpm_getattr_gpmctl(docker_t)
')
optional_policy(`
	dbus_system_bus_client(docker_t)
	init_dbus_chat(docker_t)
	init_start_transient_unit(docker_t)
	optional_policy(`
		systemd_dbus_chat_logind(docker_t)
		systemd_dbus_chat_machined(docker_t)
	')
	optional_policy(`
		firewalld_dbus_chat(docker_t)
	')
')
optional_policy(`
	udev_read_db(docker_t)
')
optional_policy(`
	unconfined_domain(docker_t)
	unconfined_typebounds(docker_t)
')
optional_policy(`
	virt_read_config(docker_t)
	virt_exec(docker_t)
	virt_stream_connect(docker_t)
	virt_stream_connect_sandbox(docker_t)
	virt_exec_sandbox_files(docker_t)
	virt_manage_sandbox_files(docker_t)
	virt_relabel_sandbox_filesystem(docker_t)
	# for lxc
	virt_transition_svirt_sandbox(docker_t, system_r)
	virt_mounton_sandbox_file(docker_t)
	# virt_attach_sandbox_tun_iface(docker_t)
	allow docker_t svirt_sandbox_domain:tun_socket relabelfrom;
	virt_sandbox_entrypoint(docker_t)
')
tunable_policy(`docker_connect_any',`
	corenet_tcp_connect_all_ports(docker_t)
	corenet_sendrecv_all_packets(docker_t)
	corenet_tcp_sendrecv_all_ports(docker_t)
')
########################################
#
# spc local policy
#
allow spc_t { docker_var_lib_t docker_share_t }:file entrypoint;
role system_r types spc_t;
domtrans_pattern(docker_t, docker_share_t, spc_t)
domtrans_pattern(docker_t, docker_var_lib_t, spc_t)
allow docker_t spc_t:process { setsched signal_perms };
ps_process_pattern(docker_t, spc_t)
allow docker_t spc_t:socket_class_set { relabelto relabelfrom };
filetrans_pattern(docker_t, docker_var_lib_t, docker_share_t, dir, "overlay")
optional_policy(`
	systemd_dbus_chat_machined(spc_t)
')
optional_policy(`
	dbus_chat_system_bus(spc_t)
')
optional_policy(`
	unconfined_domain_noaudit(spc_t)
')
optional_policy(`
	virt_transition_svirt_sandbox(spc_t, system_r)
	virt_sandbox_entrypoint(spc_t)
')
########################################
#
# docker_auth local policy
#
allow docker_auth_t self:fifo_file rw_fifo_file_perms;
allow docker_auth_t self:unix_stream_socket create_stream_socket_perms;
dontaudit docker_auth_t self:capability net_admin;
docker_stream_connect(docker_auth_t)
manage_dirs_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
manage_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
manage_sock_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
manage_lnk_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
files_pid_filetrans(docker_auth_t, docker_plugin_var_run_t, { dir file lnk_file sock_file })
domain_use_interactive_fds(docker_auth_t)
kernel_read_net_sysctls(docker_auth_t)
auth_use_nsswitch(docker_auth_t)
files_read_etc_files(docker_auth_t)
miscfiles_read_localization(docker_auth_t)
sysnet_dns_name_resolve(docker_auth_t)
gen_require(`
	type unconfined_t;
	attribute daemon;
')
allow daemon unconfined_t:unix_stream_socket connectto;
[-- Attachment #4: docker.fc --]
[-- Type: text/plain, Size: 2638 bytes --]
/root/\.docker gen_context(system_u:object_r:docker_home_t,s0)
/usr/libexec/docker/docker.* -- gen_context(system_u:object_r:docker_exec_t,s0)
/usr/bin/docker.* -- gen_context(system_u:object_r:docker_exec_t,s0)
/usr/bin/docker-latest -- gen_context(system_u:object_r:docker_exec_t,s0)
/usr/bin/docker-novolume-plugin -- gen_context(system_u:object_r:docker_auth_exec_t,s0)
/usr/lib/docker/docker-novolume-plugin -- gen_context(system_u:object_r:docker_auth_exec_t,s0)
/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0)
/usr/lib/systemd/system/docker-novolume-plugin.service -- gen_context(system_u:object_r:docker_unit_file_t,s0)
/etc/docker(/.*)? gen_context(system_u:object_r:docker_config_t,s0)
/etc/docker-latest(/.*)? gen_context(system_u:object_r:docker_config_t,s0)
/var/lib/docker(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0)
/var/lib/docker/overlay(/.*)? gen_context(system_u:object_r:docker_share_t,s0)
/var/lib/docker/vfs(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0)
/var/lib/docker-latest/vfs(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0)
/var/lib/docker/init(/.*)? gen_context(system_u:object_r:docker_share_t,s0)
/var/lib/docker-latest/init(/.*)? gen_context(system_u:object_r:docker_share_t,s0)
/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:docker_share_t,s0)
/var/lib/docker-latest/containers/.*/hosts gen_context(system_u:object_r:docker_share_t,s0)
/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:docker_share_t,s0)
/var/lib/docker-latest/containers/.*/hostname gen_context(system_u:object_r:docker_share_t,s0)
/var/lib/docker/containers/.*/.*\.log gen_context(system_u:object_r:docker_log_t,s0)
/var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:docker_log_t,s0)
/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0)
/var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0)
/var/lib/kublet(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0)
/var/run/docker(/.*)? gen_context(system_u:object_r:docker_var_run_t,s0)
/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0)
/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0)
/var/run/docker-client(/.*)? gen_context(system_u:object_r:docker_var_run_t,s0)
/var/run/docker/plugins(/.*)? gen_context(system_u:object_r:docker_plugin_var_run_t,s0)
/var/lock/lxc(/.*)? gen_context(system_u:object_r:docker_lock_t,s0)
/var/log/lxc(/.*)? gen_context(system_u:object_r:docker_log_t,s0)
[-- Attachment #5: docker.if --]
[-- Type: text/plain, Size: 10992 bytes --]
## <summary>The open-source application container engine.</summary>
########################################
## <summary>
## Execute docker in the docker domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`docker_domtrans',`
gen_require(`
type docker_t, docker_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, docker_exec_t, docker_t)
')
########################################
## <summary>
## Execute docker in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`docker_exec',`
gen_require(`
type docker_exec_t;
')
corecmd_search_bin($1)
can_exec($1, docker_exec_t)
')
########################################
## <summary>
## Search docker lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_search_lib',`
gen_require(`
type docker_var_lib_t;
')
allow $1 docker_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
')
########################################
## <summary>
## Execute docker lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_exec_lib',`
gen_require(`
type docker_var_lib_t;
')
allow $1 docker_var_lib_t:dir search_dir_perms;
can_exec($1, docker_var_lib_t)
')
########################################
## <summary>
## Read docker lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_read_lib_files',`
gen_require(`
type docker_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
')
########################################
## <summary>
## Read docker share files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_read_share_files',`
gen_require(`
type docker_share_t;
')
files_search_var_lib($1)
list_dirs_pattern($1, docker_share_t, docker_share_t)
read_files_pattern($1, docker_share_t, docker_share_t)
read_lnk_files_pattern($1, docker_share_t, docker_share_t)
')
######################################
## <summary>
## Allow the specified domain to execute apache
## in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apache_exec',`
gen_require(`
type httpd_exec_t;
')
can_exec($1, httpd_exec_t)
')
######################################
## <summary>
## Allow the specified domain to execute docker shared files
## in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_exec_share_files',`
gen_require(`
type docker_share_t;
')
can_exec($1, docker_share_t)
')
########################################
## <summary>
## Manage docker lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_manage_lib_files',`
gen_require(`
type docker_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
')
########################################
## <summary>
## Manage docker lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_manage_lib_dirs',`
gen_require(`
type docker_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t)
')
########################################
## <summary>
## Create objects in a docker var lib directory
## with an automatic type transition to
## a specified private type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="private_type">
## <summary>
## The type of the object to create.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The class of the object to be created.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`docker_lib_filetrans',`
gen_require(`
type docker_var_lib_t;
')
filetrans_pattern($1, docker_var_lib_t, $2, $3, $4)
')
########################################
## <summary>
## Read docker PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_read_pid_files',`
gen_require(`
type docker_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, docker_var_run_t, docker_var_run_t)
')
########################################
## <summary>
## Execute docker server in the docker domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`docker_systemctl',`
gen_require(`
type docker_t;
type docker_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 docker_unit_file_t:file read_file_perms;
allow $1 docker_unit_file_t:service manage_service_perms;
ps_process_pattern($1, docker_t)
')
########################################
## <summary>
## Read and write docker shared memory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_rw_sem',`
gen_require(`
type docker_t;
')
allow $1 docker_t:sem rw_sem_perms;
')
#######################################
## <summary>
## Read and write the docker pty type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_use_ptys',`
gen_require(`
type docker_devpts_t;
')
allow $1 docker_devpts_t:chr_file rw_term_perms;
')
#######################################
## <summary>
## Allow domain to create docker content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_filetrans_named_content',`
gen_require(`
type docker_var_lib_t;
type docker_share_t;
type docker_log_t;
type docker_var_run_t;
type docker_home_t;
')
files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
logging_log_filetrans($1, docker_log_t, dir, "lxc")
files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf")
filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
userdom_admin_home_dir_filetrans($1, docker_home_t, dir, ".docker")
')
########################################
## <summary>
## Connect to docker over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_stream_connect',`
gen_require(`
type docker_t, docker_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
')
########################################
## <summary>
## Connect to SPC containers over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_spc_stream_connect',`
gen_require(`
type spc_t, spc_var_run_t;
')
files_search_pids($1)
files_write_all_pid_sockets($1)
allow $1 spc_t:unix_stream_socket connectto;
')
########################################
## <summary>
## All of the rules required to administrate
## a docker environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_admin',`
gen_require(`
type docker_t;
type docker_var_lib_t, docker_var_run_t;
type docker_unit_file_t;
type docker_lock_t;
type docker_log_t;
type docker_config_t;
')
allow $1 docker_t:process { ptrace signal_perms };
ps_process_pattern($1, docker_t)
admin_pattern($1, docker_config_t)
files_search_var_lib($1)
admin_pattern($1, docker_var_lib_t)
files_search_pids($1)
admin_pattern($1, docker_var_run_t)
files_search_locks($1)
admin_pattern($1, docker_lock_t)
logging_search_logs($1)
admin_pattern($1, docker_log_t)
docker_systemctl($1)
admin_pattern($1, docker_unit_file_t)
allow $1 docker_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
')
########################################
## <summary>
## Execute docker_auth_exec_t in the docker_auth domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`docker_auth_domtrans',`
gen_require(`
type docker_auth_t, docker_auth_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, docker_auth_exec_t, docker_auth_t)
')
######################################
## <summary>
## Execute docker_auth in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_auth_exec',`
gen_require(`
type docker_auth_exec_t;
')
corecmd_search_bin($1)
can_exec($1, docker_auth_exec_t)
')
########################################
## <summary>
## Connect to docker_auth over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_auth_stream_connect',`
gen_require(`
type docker_auth_t, docker_plugin_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, docker_plugin_var_run_t, docker_plugin_var_run_t, docker_auth_t)
')
########################################
## <summary>
## docker domain typebounds calling domain.
## </summary>
## <param name="domain">
## <summary>
## Domain to be typebound.
## </summary>
## </param>
#
interface(`docker_typebounds',`
gen_require(`
type docker_t;
')
typebounds docker_t $1;
')
########################################
## <summary>
## Allow any docker_exec_t to be an entrypoint of this domain
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`docker_entrypoint',`
gen_require(`
type docker_exec_t;
')
allow $1 docker_exec_t:file entrypoint;
')
* Re: Trying to setup a type bounds from unconfined_t and docekr_t to svirt_lxc_net_t
2016-04-28 13:15 Trying to setup a type bounds from unconfined_t and docekr_t to svirt_lxc_net_t Daniel J Walsh
@ 2016-04-28 14:24 ` Dominick Grift
2016-04-28 15:05 ` James Carter
2016-04-28 15:21 ` Stephen Smalley
2 siblings, 0 replies; 14+ messages in thread
From: Dominick Grift @ 2016-04-28 14:24 UTC (permalink / raw)
To: selinux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 04/28/2016 03:15 PM, Daniel J Walsh wrote:
<snip>
>
> Why does typebounds care about when a domain is the target of an
> access, I think it should only remove options when it is the
> source.
>
I think the answer to your question is in this thread:
https://www.spinics.net/lists/selinux/msg16262.html
- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
* Re: Trying to setup a type bounds from unconfined_t and docekr_t to svirt_lxc_net_t
2016-04-28 13:15 Trying to setup a type bounds from unconfined_t and docekr_t to svirt_lxc_net_t Daniel J Walsh
2016-04-28 14:24 ` Dominick Grift
@ 2016-04-28 15:05 ` James Carter
2016-04-28 15:21 ` Stephen Smalley
2 siblings, 0 replies; 14+ messages in thread
From: James Carter @ 2016-04-28 15:05 UTC (permalink / raw)
To: Daniel J Walsh, SELinux, Stephen Smalley
On 04/28/2016 09:15 AM, Daniel J Walsh wrote:
>
> typebounds unconfined_t docker_t; # docker_t is an unconfined domain
>
> typebounds docker_t spc_t; #spc_t is an unconfined domain
>
> typebounds docker_t docker_lxc_net_t;
>
>
> docker, rkt, systemd-nspawn, runc are all executing setexeccon(svirt_lxc_net_t)
>
> For container domains.
>
> Everything works fine until I turn on expand_check in semanage.conf, which we
> have been asked to do in Rawhide.
>
>
> Attached is the current Rawhide docker policy. And here is the output from
> semodule -i before it crashes, with a segfault.
>
The segfault has been fixed in upstream if you are able to pull in fixes at this
point.
>
> Had to add this rule to make it a little quieter, which is caused by a rule in
> policy that says we allow all daemons to connect to spc_t;
>
> gen_require(`
> type unconfined_t;
> attribute daemon;
> ')
>
> allow daemon unconfined_t:unix_stream_socket connectto;
>
>
> Why does typebounds care about when a domain is the target of an access, I think
> it should only remove options when it is the source.
>
This has always been the behavior. Whether that is the desirable behavior is a
different question. To fix this would require changes in both the kernel and
userspace.
> Otherwise we end up having to loosen the policy to make this work.
>
>
> As long as docker_t does not have any more "allow docker_t" rules than "allow
> unconfined_t", shouldn't this be ok?
>
For your case, this seems to make sense.
> It seems that some of the optional code blocks are causing problems also.
>
What problem are you having with optional blocks? Maybe the bounds error
reporting is just confusing.
The following is showing a trace from the root of the policy down to the actual
rule. I find it helpful, but maybe it is confusing to others.
<root>
optional at line 4356 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 4651 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 5414 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 5494 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 6180 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
optional at line 6192 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
booleanif at line 6201 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
true at line 6202 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
allow at line 6205 of /var/lib/selinux/targeted/tmp/modules/100/init/cil
Jim
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
* Re: Trying to setup a type bounds from unconfined_t and docekr_t to svirt_lxc_net_t
2016-04-28 13:15 Trying to setup a type bounds from unconfined_t and docekr_t to svirt_lxc_net_t Daniel J Walsh
2016-04-28 14:24 ` Dominick Grift
2016-04-28 15:05 ` James Carter
@ 2016-04-28 15:21 ` Stephen Smalley
2016-04-28 16:20 ` Daniel J Walsh
` (2 more replies)
2 siblings, 3 replies; 14+ messages in thread
From: Stephen Smalley @ 2016-04-28 15:21 UTC (permalink / raw)
To: Daniel J Walsh, James Carter, SELinux, Joshua Brindle, Paul Moore
On 04/28/2016 09:15 AM, Daniel J Walsh wrote:
>
> typebounds unconfined_t docker_t; # docker_t is an unconfined domain
>
> typebounds docker_t spc_t; #spc_t is an unconfined domain
>
> typebounds docker_t docker_lxc_net_t;
>
>
> docker, rkt, systemd-nspawn, runc are all executing
> setexeccon(svirt_lxc_net_t)
>
> For container domains.
>
> Everything works fine until I turn on expand_check in semanage.conf,
> which we have been asked to do in Rawhide.
>
>
> Attached is the current Rawhide docker policy. And here is the output
> from semodule -i before it crashes, with a segfault.
>
>
> Had to add this rule to make it a little quieter, which is caused by a
> rule in policy that says we allow all daemons to connect to spc_t;
>
> gen_require(`
> type unconfined_t;
> attribute daemon;
> ')
>
> allow daemon unconfined_t:unix_stream_socket connectto;
>
>
> Why does typebounds care about when a domain is the target of an access,
> I think it should only remove options when it is the source.
>
> Otherwise we end up having to loosen the policy to make this work.
>
> As long as docker_t does not have any more "allow docker_t" rules than
> "allow unconfined_t", shouldn't this be ok?
>
> It seems that some of the optional code blocks are causing problems also.
I agree that typebounds is not very usable in its current form, but I'm
not entirely clear on how to fix it.
Dropping the target bounds logic is possible; it was actually
implemented a while back by KaiGai (see the archives) but reverted
because of a side effect on /proc/pid file access. Without the target
bounds logic, you had to allow the parent domain to access all child
domains' /proc/pid files in order for the child to access their own.
That however could be worked around in policy, so possibly we could
revive those patches.
However, I don't think that solves all of the problems. For example,
even with source bounds, I can't allow a child permissions to self or to
its entrypoint file type or to its tmp file type without allowing those
permissions to the parent, which may unnecessarily escalate the
privileges of the parent or expose the parent to risk.
We might need more semantics in the policy about inter-type
relationships in order to truly evaluate bounds in a manner that permits
such usage. Patches/proposals welcome.
The other approach would be to use fork()+setcon()+execve() rather than
fork()+setexeccon()+execve() in the callers. Then you aren't subject to
typebounds at all (NNP only restricts exec-based transitions).
* Re: Trying to setup a type bounds from unconfined_t and docekr_t to svirt_lxc_net_t
2016-04-28 15:21 ` Stephen Smalley
@ 2016-04-28 16:20 ` Daniel J Walsh
2016-04-28 17:31 ` Stephen Smalley
2016-04-28 16:21 ` Daniel J Walsh
2016-04-29 15:48 ` Stephen Smalley
2 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2016-04-28 16:20 UTC (permalink / raw)
To: Stephen Smalley, James Carter, SELinux, Joshua Brindle,
Paul Moore
On 04/28/2016 11:21 AM, Stephen Smalley wrote:
> On 04/28/2016 09:15 AM, Daniel J Walsh wrote:
>> >
>> >typebounds unconfined_t docker_t; # docker_t is an unconfined domain
>> >
>> >typebounds docker_t spc_t; #spc_t is an unconfined domain
>> >
>> >typebounds docker_t docker_lxc_net_t;
>> >
>> >
>> >docker, rkt, systemd-nspawn, runc are all executing
>> >setexeccon(svirt_lxc_net_t)
>> >
>> >For container domains.
>> >
>> >Everything works fine until I turn on expand_check in semanage.conf,
>> >which we have been asked to do in Rawhide.
>> >
>> >
>> >Attached is the current Rawhide docker policy. And here is the output
>> >from semodule -i before it crashes, with a segfault.
>> >
>> >
>> >Had to add this rule to make it a little quieter, which is caused by a
>> >rule in policy that says we allow all daemons to connect to spc_t;
>> >
>> >gen_require(`
>> >type unconfined_t;
>> >attribute daemon;
>> >')
>> >
>> >allow daemon unconfined_t:unix_stream_socket connectto;
>> >
>> >
>> >Why does typebounds care about when a domain is the target of an access,
>> >I think it should only remove options when it is the source.
>> >
>> >Otherwise we end up having to loosen the policy to make this work.
>> >
>> >As long as docker_t does not have any more "allow docker_t" rules than
>> >"allow unconfined_t", shouldn't this be ok?
>> >
>> >It seems that some of the optional code blocks are causing problems also.
> I agree that typebounds is not very usable in its current form, but I'm
> not entirely clear on how to fix it.
>
> Dropping the target bounds logic is possible; it was actually
> implemented a while back by KaiGai (see the archives) but reverted
> because of a side effect on /proc/pid file access. Without the target
> bounds logic, you had to allow the parent domain to access all child
> domains' /proc/pid files in order for the child to access their own.
> That however could be worked around in policy, so possibly we could
> revive those patches.
>
> However, I don't think that solves all of the problems. For example,
> even with source bounds, I can't allow a child permissions to self or to
> its entrypoint file type or to its tmp file type without allowing those
> permissions to the parent, which may unnecessarily escalate the
> privileges of the parent or expose the parent to risk.
>
> We might need more semantics in the policy about inter-type
> relationships in order to truly evaluate bounds in a manner that permits
> such usage. Patches/proposals welcome.
>
> The other approach would be to use fork()+setcon()+execve() rather than
> fork()+setexeccon()+execve() in the callers. Then you aren't subject to
> typebounds at all (NNP only restricts exec-based transitions).
The entrypoints are a lot simpler to fix. I think just eliminating the
target checks would go a long way to making this a lot tighter policy.
I have no problem with allowing parent domain access to child domains'
self fields. I think this makes some sense. This seems a lot more secure
than allowing any domain that can communicate with the child to be able
to communicate with the parent.
With the way it works now, I cannot even figure out how to increase the
privs of unconfined_t or other confined domains to actually make it work.
* Re: Trying to setup a type bounds from unconfined_t and docekr_t to svirt_lxc_net_t
2016-04-28 16:20 ` Daniel J Walsh
@ 2016-04-28 17:31 ` Stephen Smalley
2016-04-28 17:35 ` Daniel J Walsh
0 siblings, 1 reply; 14+ messages in thread
From: Stephen Smalley @ 2016-04-28 17:31 UTC (permalink / raw)
To: Daniel J Walsh, James Carter, SELinux, Joshua Brindle, Paul Moore
On 04/28/2016 12:20 PM, Daniel J Walsh wrote:
>
>
> On 04/28/2016 11:21 AM, Stephen Smalley wrote:
>> On 04/28/2016 09:15 AM, Daniel J Walsh wrote:
>>> >
>>> > typebounds unconfined_t docker_t; # docker_t is an unconfined domain
>>> >
>>> > typebounds docker_t spc_t; #spc_t is an unconfined domain
>>> >
>>> > typebounds docker_t docker_lxc_net_t;
>>> >
>>> >
>>> > docker, rkt, systemd-nspawn, runc are all executing
>>> > setexeccon(svirt_lxc_net_t)
>>> >
>>> > For container domains.
>>> >
>>> > Everything works fine until I turn on expand_check in semanage.conf,
>>> > which we have been asked to do in Rawhide.
>>> >
>>> >
>>> > Attached is the current Rawhide docker policy. And here is the output
>>> > from semodule -i before it crashes, with a segfault.
>>> >
>>> >
>>> > Had to add this rule to make it a little quieter, which is caused by a
>>> > rule in policy that says we allow all daemons to connect to spc_t;
>>> >
>>> > gen_require(`
>>> > type unconfined_t;
>>> > attribute daemon;
>>> > ')
>>> >
>>> > allow daemon unconfined_t:unix_stream_socket connectto;
>>> >
>>> >
>>> > Why does typebounds care about when a domain is the target of an access,
>>> > I think it should only remove options when it is the source.
>>> >
>>> > Otherwise we end up having to loosen the policy to make this work.
>>> >
>>> > As long as docker_t does not have any more "allow docker_t" rules than
>>> > "allow unconfined_t", shouldn't this be ok?
>>> >
>>> > It seems that some of the optional code blocks are causing problems also.
>> I agree that typebounds is not very usable in its current form, but I'm
>> not entirely clear on how to fix it.
>>
>> Dropping the target bounds logic is possible; it was actually
>> implemented a while back by KaiGai (see the archives) but reverted
>> because of a side effect on /proc/pid file access. Without the target
>> bounds logic, you had to allow the parent domain to access all child
>> domains' /proc/pid files in order for the child to access their own.
>> That however could be worked around in policy, so possibly we could
>> revive those patches.
>>
>> However, I don't think that solves all of the problems. For example,
>> even with source bounds, I can't allow a child permissions to self or to
>> its entrypoint file type or to its tmp file type without allowing those
>> permissions to the parent, which may unnecessarily escalate the
>> privileges of the parent or expose the parent to risk.
>>
>> We might need more semantics in the policy about inter-type
>> relationships in order to truly evaluate bounds in a manner that permits
>> such usage. Patches/proposals welcome.
>>
>> The other approach would be to use fork()+setcon()+execve() rather than
>> fork()+setexeccon()+execve() in the callers. Then you aren't subject to
>> typebounds at all (NNP only restricts exec-based transitions).
> The entrypoints are a lot simpler to fix. I think just eliminating the
> target checks would go a long way to making this a lot tighter policy.
>
> I have no problem with allowing parent domain access to child domains'
> self fields. I think this makes some sense. This seems a lot more secure
> than allowing any domain that can communicate with the child to be able
> to communicate with the parent.
>
> With the way it works now, I cannot even figure out how to increase the
> privs of unconfined_t or other confined domains to actually make it work.
Ok, let's assume that we change the libsepol and kernel logic to drop
the target bounds checks. What else remains to make this work?
BTW, while I think expand-check=1 or manual semodule_link/expand is a
good idea for policy builds, I wouldn't recommend it for the default in
Fedora for users, because it could break locally-generated modules
(particularly audit2allow-generated) or third party modules.
* Re: Trying to setup a type bounds from unconfined_t and docekr_t to svirt_lxc_net_t
2016-04-28 17:31 ` Stephen Smalley
@ 2016-04-28 17:35 ` Daniel J Walsh
2016-04-28 17:59 ` Stephen Smalley
0 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2016-04-28 17:35 UTC (permalink / raw)
To: Stephen Smalley, James Carter, SELinux, Joshua Brindle,
Paul Moore
On 04/28/2016 01:31 PM, Stephen Smalley wrote:
> On 04/28/2016 12:20 PM, Daniel J Walsh wrote:
>>
>> On 04/28/2016 11:21 AM, Stephen Smalley wrote:
>>> On 04/28/2016 09:15 AM, Daniel J Walsh wrote:
>>>>> typebounds unconfined_t docker_t; # docker_t is an unconfined domain
>>>>>
>>>>> typebounds docker_t spc_t; #spc_t is an unconfined domain
>>>>>
>>>>> typebounds docker_t docker_lxc_net_t;
>>>>>
>>>>>
>>>>> docker, rkt, systemd-nspawn, runc are all executing
>>>>> setexeccon(svirt_lxc_net_t)
>>>>>
>>>>> For container domains.
>>>>>
>>>>> Everything works fine until I turn on expand_check in semanage.conf,
>>>>> which we have been asked to do in Rawhide.
>>>>>
>>>>>
>>>>> Attached is the current Rawhide docker policy. And here is the output
>>>>> from semodule -i before it crashes, with a segfault.
>>>>>
>>>>>
>>>>> Had to add this rule to make it a little quieter, which is caused by a
>>>>> rule in policy that says we allow all daemons to connect to spc_t;
>>>>>
>>>>> gen_require(`
>>>>> type unconfined_t;
>>>>> attribute daemon;
>>>>> ')
>>>>>
>>>>> allow daemon unconfined_t:unix_stream_socket connectto;
>>>>>
>>>>>
>>>>> Why does typebounds care about when a domain is the target of an access,
>>>>> I think it should only remove options when it is the source.
>>>>>
>>>>> Otherwise we end up having to loosen the policy to make this work.
>>>>>
>>>>> As long as docker_t does not have any more "allow docker_t" rules than
>>>>> "allow unconfined_t", shouldn't this be ok?
>>>>>
>>>>> It seems that some of the optional code blocks are causing problems also.
>>> I agree that typebounds is not very usable in its current form, but I'm
>>> not entirely clear on how to fix it.
>>>
>>> Dropping the target bounds logic is possible; it was actually
>>> implemented a while back by KaiGai (see the archives) but reverted
>>> because of a side effect on /proc/pid file access. Without the target
>>> bounds logic, you had to allow the parent domain to access all child
>>> domains' /proc/pid files in order for the child to access their own.
>>> That however could be worked around in policy, so possibly we could
>>> revive those patches.
>>>
>>> However, I don't think that solves all of the problems. For example,
>>> even with source bounds, I can't allow a child permissions to self or to
>>> its entrypoint file type or to its tmp file type without allowing those
>>> permissions to the parent, which may unnecessarily escalate the
>>> privileges of the parent or expose the parent to risk.
>>>
>>> We might need more semantics in the policy about inter-type
>>> relationships in order to truly evaluate bounds in a manner that permits
>>> such usage. Patches/proposals welcome.
>>>
>>> The other approach would be to use fork()+setcon()+execve() rather than
>>> fork()+setexeccon()+execve() in the callers. Then you aren't subject to
>>> typebounds at all (NNP only restricts exec-based transitions).
>> The entrypoints are a lot simpler to fix. I think just eliminating the
>> target checks would go a long way to making this a lot tighter policy.
>>
>> I have no problem with allowing parent domain access to child domains'
>> self fields. I think this makes some sense. This seems a lot more secure
>> than allowing any domain that can communicate with the child to be able
>> to communicate with the parent.
>>
>> With the way it works now, I cannot even figure out how to increase the
>> privs of unconfined_t or other confined domains to actually make it work.
> Ok, let's assume that we change the libsepol and kernel logic to drop
> the target bounds checks. What else remains to make this work?
Looking at the output from the semodule command, I see some other
strange errors like this.
(allow docker_t cluster_pid (sock_file (write getattr append open)))
I have no idea why it would complain about this. Other than potentially
problems caused by optional policy?
> BTW, while I think expand-check=1 or manual semodule_link/expand is a
> good idea for policy builds, I wouldn't recommend it for the default in
> Fedora for users, because it could break locally-generated modules
> (particularly audit2allow-generated) or third party modules.
>
Yes that is a good point. We should probably remove this from Rawhide.
* Re: Trying to setup a type bounds from unconfined_t and docekr_t to svirt_lxc_net_t
2016-04-28 17:35 ` Daniel J Walsh
@ 2016-04-28 17:59 ` Stephen Smalley
2016-04-28 18:07 ` Daniel J Walsh
0 siblings, 1 reply; 14+ messages in thread
From: Stephen Smalley @ 2016-04-28 17:59 UTC (permalink / raw)
To: Daniel J Walsh, James Carter, SELinux, Joshua Brindle, Paul Moore
On 04/28/2016 01:35 PM, Daniel J Walsh wrote:
>
>
> On 04/28/2016 01:31 PM, Stephen Smalley wrote:
>> On 04/28/2016 12:20 PM, Daniel J Walsh wrote:
>>>
>>> On 04/28/2016 11:21 AM, Stephen Smalley wrote:
>>>> On 04/28/2016 09:15 AM, Daniel J Walsh wrote:
>>>>>> typebounds unconfined_t docker_t; # docker_t is an unconfined domain
>>>>>>
>>>>>> typebounds docker_t spc_t; #spc_t is an unconfined domain
>>>>>>
>>>>>> typebounds docker_t docker_lxc_net_t;
>>>>>>
>>>>>>
>>>>>> docker, rkt, systemd-nspawn, runc are all executing
>>>>>> setexeccon(svirt_lxc_net_t)
>>>>>>
>>>>>> For container domains.
>>>>>>
>>>>>> Everything works fine until I turn on expand_check in semanage.conf,
>>>>>> which we have been asked to do in Rawhide.
>>>>>>
>>>>>>
>>>>>> Attached is the current Rawhide docker policy. And here is the
>>>>>> output
>>>>>> from semodule -i before it crashes, with a segfault.
>>>>>>
>>>>>>
>>>>>> Had to add this rule to make it a little quieter, which is caused
>>>>>> by a
>>>>>> rule in policy that says we allow all daemons to connect to spc_t;
>>>>>>
>>>>>> gen_require(`
>>>>>> type unconfined_t;
>>>>>> attribute daemon;
>>>>>> ')
>>>>>>
>>>>>> allow daemon unconfined_t:unix_stream_socket connectto;
>>>>>>
>>>>>>
>>>>>> Why does typebounds care about when a domain is the target of an
>>>>>> access,
>>>>>> I think it should only remove options when it is the source.
>>>>>>
>>>>>> Otherwise we end up having to loosen the policy to make this work.
>>>>>>
>>>>>> As long as docker_t does not have any more "allow docker_t" rules
>>>>>> than
>>>>>> "allow unconfined_t", shouldn't this be ok?
>>>>>>
>>>>>> It seems that some of the optional code blocks are causing
>>>>>> problems also.
>>>> I agree that typebounds is not very usable in its current form, but I'm
>>>> not entirely clear on how to fix it.
>>>>
>>>> Dropping the target bounds logic is possible; it was actually
>>>> implemented a while back by KaiGai (see the archives) but reverted
>>>> because of a side effect on /proc/pid file access. Without the target
>>>> bounds logic, you had to allow the parent domain to access all child
>>>> domains' /proc/pid files in order for the child to access their own.
>>>> That however could be worked around in policy, so possibly we could
>>>> revive those patches.
>>>>
>>>> However, I don't think that solves all of the problems. For example,
>>>> even with source bounds, I can't allow a child permissions to self
>>>> or to
>>>> its entrypoint file type or to its tmp file type without allowing those
>>>> permissions to the parent, which may unnecessarily escalate the
>>>> privileges of the parent or expose the parent to risk.
>>>>
>>>> We might need more semantics in the policy about inter-type
>>>> relationships in order to truly evaluate bounds in a manner that
>>>> permits
>>>> such usage. Patches/proposals welcome.
>>>>
>>>> The other approach would be to use fork()+setcon()+execve() rather than
>>>> fork()+setexeccon()+execve() in the callers. Then you aren't
>>>> subject to
>>>> typebounds at all (NNP only restricts exec-based transitions).
>>> The entrypoints are a lot simpler to fix. I think just eliminating the
>>> target checks would go a long way to making this a lot tighter policy.
>>>
>>> I have no problem with allowing parent domain access to child domains'
>>> self fields. I think this makes some sense. This seems a lot more secure
>>> than allowing any domain that can communicate with the child to be able
>>> to communicate with the parent.
>>>
>>> With the way it works now, I cannot even figure out how to increase the
>>> privs of unconfined_t or other confined domains to actually make it work.
>> Ok, let's assume that we change the libsepol and kernel logic to drop
>> the target bounds checks. What else remains to make this work?
> Looking at the output from the semodule command, I see some other
> strange errors like this.
>
> (allow docker_t cluster_pid (sock_file (write getattr append open)))
>
>
> I have no idea why it would complain about this. Other than potentially
> problems caused by optional policy?
$ sesearch -A -s docker_t -t cluster_pid -c sock_file
Found 1 semantic av rules:
allow daemon cluster_pid : sock_file { write getattr append open } ;
$ sesearch -A -s unconfined_t -t cluster_pid -c sock_file
<no output>
So that is a legitimate violation of the bound and would be denied by
the kernel if it were attempted. Either you need to allow it to
unconfined_t or tighten up that rule so that docker_t isn't included
(why should all daemon domains be allowed to do that?).
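Added example, not from this thread or from the Fedora docker policy: a small Python model of the check Stephen describes above (source bounds plus target bounds, with attributes expanded to their member types before comparison), applied to a constructed policy fragment shaped like the cases in this thread. The `cupsd_t` type, the `domain` attribute membership and the `allow daemon docker_t:unix_stream_socket connectto` rule are assumptions; the checker is a simplified model of what expand_check and the kernel do, not libsepol's code (in particular it maps a child's self rule onto the parent's self rule, and it checks source and target bounds independently). It reproduces both kinds of complaint seen here: the `daemon cluster_pid:sock_file` rule that `sesearch` turned up, and the connectto chain that ended up needing `allow daemon unconfined_t:unix_stream_socket connectto`, and then shows the violations clearing once the parents are made at least as permissive as the children.

```python
"""Simplified model of SELinux typebounds checking (added example, not libsepol code).

A child type bounded by a parent may not be allowed anything, as the source of a
rule or as its target, that the parent is not allowed in the same position.
Attributes are expanded before checking, which is why a rule written against
`daemon` shows up as a violation for `docker_t`.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowRule:
    source: str            # type or attribute name
    target: str            # type or attribute name
    tclass: str
    perms: frozenset

    def __str__(self):
        return f"allow {self.source} {self.target}:{self.tclass} {{ {' '.join(sorted(self.perms))} }};"


@dataclass(frozen=True)
class Violation:
    child: str
    parent: str
    position: str          # "source" or "target": where the child appeared in the rule
    rule: AllowRule
    source: str            # expanded source type that was checked
    target: str            # expanded target type that was checked
    missing: frozenset     # permissions the parent lacks in the corresponding position


class Policy:
    def __init__(self):
        self.attributes = defaultdict(set)   # attribute -> member types
        self.rules = []
        self.bounds = {}                     # child -> parent

    def attribute(self, name, *members):
        self.attributes[name].update(members)

    def allow(self, source, target, tclass, perms):
        self.rules.append(AllowRule(source, target, tclass, frozenset(perms)))

    def typebounds(self, parent, child):
        self.bounds[child] = parent

    def expand(self, name):
        """Types denoted by a type or attribute name."""
        return set(self.attributes[name]) if name in self.attributes else {name}

    def allowed(self, source, target, tclass):
        """Permissions granted to source on target for tclass after attribute expansion."""
        perms = set()
        for r in self.rules:
            if r.tclass == tclass and source in self.expand(r.source) and target in self.expand(r.target):
                perms |= r.perms
        return perms

    def check_bounds(self):
        """Every rule the child takes part in must be matched by one for the parent."""
        violations = []
        for child, parent in self.bounds.items():
            for r in self.rules:
                sources, targets = self.expand(r.source), self.expand(r.target)
                if child in sources:
                    for t in targets:
                        pt = parent if t == child else t   # child self rule <-> parent self rule
                        missing = r.perms - self.allowed(parent, pt, r.tclass)
                        if missing:
                            violations.append(Violation(child, parent, "source", r, child, t, frozenset(missing)))
                if child in targets:
                    for s in sources:
                        if s == child:
                            continue                        # self rule, reported above
                        missing = r.perms - self.allowed(s, parent, r.tclass)
                        if missing:
                            violations.append(Violation(child, parent, "target", r, s, child, frozenset(missing)))
        return violations


def build_example():
    """Constructed policy fragment modelled on the thread (not the real Fedora policy)."""
    p = Policy()
    p.attribute("domain", "unconfined_t", "docker_t", "spc_t", "cupsd_t")   # assumption
    p.attribute("daemon", "docker_t", "cupsd_t")                             # assumption
    p.typebounds("unconfined_t", "docker_t")
    p.typebounds("docker_t", "spc_t")
    # the rule sesearch found in the thread
    p.allow("daemon", "cluster_pid", "sock_file", {"write", "getattr", "append", "open"})
    # "all daemons may connect to spc_t", as the thread describes
    p.allow("daemon", "spc_t", "unix_stream_socket", {"connectto"})
    # hypothetical: daemons may also connect to the docker daemon
    p.allow("daemon", "docker_t", "unix_stream_socket", {"connectto"})
    return p


def apply_loosening(p):
    """The 'allow it to the parent' option: make parents at least as permissive as children."""
    p.allow("unconfined_t", "cluster_pid", "sock_file", {"write", "getattr", "append", "open"})
    p.allow("unconfined_t", "domain", "unix_stream_socket", {"connectto"})   # assumption
    p.allow("daemon", "unconfined_t", "unix_stream_socket", {"connectto"})   # rule added in the thread
    return p


def format_violation(v):
    return (f"Child type {v.child} exceeds bounds of parent {v.parent} "
            f"({v.position}: {v.source} -> {v.target}:{v.rule.tclass} missing "
            f"{{ {' '.join(sorted(v.missing))} }} from rule '{v.rule}')")


if __name__ == "__main__":
    policy = build_example()
    for v in policy.check_bounds():
        print(format_violation(v))
    print("after loosening:", len(apply_loosening(policy).check_bounds()), "violations")
```

Stephen's other option, tightening the `daemon` rule so that docker_t is not covered by it, corresponds here to removing docker_t from the `daemon` attribute: the sock_file violation then disappears without granting unconfined_t anything new, which is the direction a least-privilege policy wants.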
* Re: Trying to setup a type bounds from unconfined_t and docekr_t to svirt_lxc_net_t
2016-04-28 17:59 ` Stephen Smalley
@ 2016-04-28 18:07 ` Daniel J Walsh
2016-04-28 18:36 ` Stephen Smalley
0 siblings, 1 reply; 14+ messages in thread
From: Daniel J Walsh @ 2016-04-28 18:07 UTC (permalink / raw)
To: Stephen Smalley, James Carter, SELinux, Joshua Brindle,
Paul Moore
On 04/28/2016 01:59 PM, Stephen Smalley wrote:
> On 04/28/2016 01:35 PM, Daniel J Walsh wrote:
>>
>> On 04/28/2016 01:31 PM, Stephen Smalley wrote:
>>> On 04/28/2016 12:20 PM, Daniel J Walsh wrote:
>>>> On 04/28/2016 11:21 AM, Stephen Smalley wrote:
>>>>> On 04/28/2016 09:15 AM, Daniel J Walsh wrote:
>>>>>>> typebounds unconfined_t docker_t; # docker_t is an unconfined domain
>>>>>>>
>>>>>>> typebounds docker_t spc_t; #spc_t is an unconfined domain
>>>>>>>
>>>>>>> typeboulds docker_t docker_lxc_net_t;
>>>>>>>
>>>>>>>
>>>>>>> docker, rkt, systemd-nspawn, runc are all executing
>>>>>>> setexeccon(svirt_lxc_net_t)
>>>>>>>
>>>>>>> For container domains.
>>>>>>>
>>>>>>> Everything works fine until I turn on expand_check in semanage.conf,
>>>>>>> which we have been asked to do in Rawhide.
>>>>>>>
>>>>>>>
>>>>>>> Attached is the current Rawhide docker policy. And here is the
>>>>>>> output
>>>>>>> from semodule -i before it crashes, with a segfault.
>>>>>>>
>>>>>>>
>>>>>>> Had to add this rule to make it a little quieter, which is caused
>>>>>>> by a
>>>>>>> rule in policy that says we allow all daemons to connecto spc_t;
>>>>>>>
>>>>>>> gen_require(`
>>>>>>> type unconfined_t;
>>>>>>> attribute daemon;
>>>>>>> ')
>>>>>>>
>>>>>>> allow daemon unconfined_t:unix_stream_socket connectto;
>>>>>>>
>>>>>>>
>>>>>>> Why does typebounds care about when a domain is the target of an
>>>>>>> access,
>>>>>>> I think it should only remove options when it is the source.
>>>>>>>
>>>>>>> Otherwise we end up having to loosen the policy to make this work.
>>>>>>>
>>>>>>> As long as docker_t does not have any more "allow docker_t" rules
>>>>>>> than
>>>>>>> "allow unconfined_t", shouldn't this be ok?
>>>>>>>
>>>>>>> It seems that some of the optional code blocks are causing
>>>>>>> problems also.
>>>>> I agree that typebounds is not very usable in its current form, but I'm
>>>>> not entirely clear on how to fix it.
>>>>>
>>>>> Dropping the target bounds logic is possible; it was actually
>>>>> implemented a while back by KaiGai (see the archives) but reverted
>>>>> because of a side effect on /proc/pid file access. Without the target
>>>>> bounds logic, you had to allow the parent domain to access all child
>>>>> domains' /proc/pid files in order for the child to access their own.
>>>>> That however could be worked around in policy, so possibly we could
>>>>> revive those patches.
>>>>>
>>>>> However, I don't think that solves all of the problems. For example,
>>>>> even with source bounds, I can't allow a child permissions to self
>>>>> or to
>>>>> its entrypoint file type or to its tmp file type without allowing those
>>>>> permissions to the parent, which may unnecessarily escalate the
>>>>> privileges of the parent or expose the parent to risk.
>>>>>
>>>>> We might need more semantics in the policy about inter-type
>>>>> relationships in order to truly evaluate bounds in a manner that
>>>>> permits
>>>>> such usage. Patches/proposals welcome.
>>>>>
>>>>> The other approach would be to use fork()+setcon()+execve() rather than
>>>>> fork()+setexeccon()+execve() in the callers. Then you aren't
>>>>> subject to
>>>>> typebounds at all (NNP only restricts exec-based transitions).
>>>> The entrypoints are a lot simpler to fix. I think just eliminating the
>>>> target checks would
>>>> go a long way to making this a lot tighter policy.
>>>>
>>>> I have no problem with allowing parent domain access to child domains
>>>> self fields. I think this
>>>> make some sense. This seems a lot more secure than allowing any domain
>>>> that can communicate
>>>> with the child to be able to communicate with the parent.
>>>>
>>>> With the way it works now, I can not even figure out how to increase the
>>>> privs of unconfined_t or
>>>> other confined domains to actually make it work.
>>> Ok, let's assume that we change the libsepol and kernel logic to drop
>>> the target bounds checks. What else remains to make this work?
>> Looking at the output from the semodule command, I see some other
>> strange errors like this.
>>
>> (allow docker_t cluster_pid (sock_file (write getattr append open)))
>>
>>
>> I have no idea why it would complain about this. Other than potentially
>> problems caused by optional policy?
> $ sesearch -A -s docker_t -t cluster_pid -c sock_file
> Found 1 semantic av rules:
> allow daemon cluster_pid : sock_file { write getattr append open } ;
>
> $ sesearch -A -s unconfined_t -t cluster_pid -c sock_file
> <no output>
>
> So that is a legitimate violation of the bound and would be denied by
> the kernel if it were attempted. Either you need to allow it to
> unconfined_t or tighten up that rule so that docker_t isn't included
> (why should all daemon domains be allowed to do that?).
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>
>
allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file
blk_file } *;
So unless cluster_pid refers to something that is not a file_type, then
I think unconfined_t can do it.
No idea why this is allowed.
seinfo -acluster_pid -x
cluster_pid
dlm_controld_var_run_t
fenced_var_run_t
foghorn_var_run_t
gfs_controld_var_run_t
haproxy_var_run_t
groupd_var_run_t
qdiskd_var_run_t
cluster_var_run_t
Probably because you can run any daemon on a cluster and they have to
be able to write to the cluster socket files.
* Re: Trying to setup a type bounds from unconfined_t and docekr_t to svirt_lxc_net_t
2016-04-28 18:07 ` Daniel J Walsh
@ 2016-04-28 18:36 ` Stephen Smalley
2016-04-29 8:19 ` Miroslav Grepl
0 siblings, 1 reply; 14+ messages in thread
From: Stephen Smalley @ 2016-04-28 18:36 UTC (permalink / raw)
To: Daniel J Walsh, James Carter, SELinux, Joshua Brindle, Paul Moore
On 04/28/2016 02:07 PM, Daniel J Walsh wrote:
>
>
> On 04/28/2016 01:59 PM, Stephen Smalley wrote:
>> On 04/28/2016 01:35 PM, Daniel J Walsh wrote:
>>>
>>> On 04/28/2016 01:31 PM, Stephen Smalley wrote:
>>>> On 04/28/2016 12:20 PM, Daniel J Walsh wrote:
>>>>> On 04/28/2016 11:21 AM, Stephen Smalley wrote:
>>>>>> On 04/28/2016 09:15 AM, Daniel J Walsh wrote:
>>>>>>>> typebounds unconfined_t docker_t; # docker_t is an unconfined
>>>>>>>> domain
>>>>>>>>
>>>>>>>> typebounds docker_t spc_t; #spc_t is an unconfined domain
>>>>>>>>
>>>>>>>> typeboulds docker_t docker_lxc_net_t;
>>>>>>>>
>>>>>>>>
>>>>>>>> docker, rkt, systemd-nspawn, runc are all executing
>>>>>>>> setexeccon(svirt_lxc_net_t)
>>>>>>>>
>>>>>>>> For container domains.
>>>>>>>>
>>>>>>>> Everything works fine until I turn on expand_check in
>>>>>>>> semanage.conf,
>>>>>>>> which we have been asked to do in Rawhide.
>>>>>>>>
>>>>>>>>
>>>>>>>> Attached is the current Rawhide docker policy. And here is the
>>>>>>>> output
>>>>>>>> from semodule -i before it crashes, with a segfault.
>>>>>>>>
>>>>>>>>
>>>>>>>> Had to add this rule to make it a little quieter, which is caused
>>>>>>>> by a
>>>>>>>> rule in policy that says we allow all daemons to connecto spc_t;
>>>>>>>>
>>>>>>>> gen_require(`
>>>>>>>> type unconfined_t;
>>>>>>>> attribute daemon;
>>>>>>>> ')
>>>>>>>>
>>>>>>>> allow daemon unconfined_t:unix_stream_socket connectto;
>>>>>>>>
>>>>>>>>
>>>>>>>> Why does typebounds care about when a domain is the target of an
>>>>>>>> access,
>>>>>>>> I think it should only remove options when it is the source.
>>>>>>>>
>>>>>>>> Otherwise we end up having to loosen the policy to make this work.
>>>>>>>>
>>>>>>>> As long as docker_t does not have any more "allow docker_t" rules
>>>>>>>> than
>>>>>>>> "allow unconfined_t", shouldn't this be ok?
>>>>>>>>
>>>>>>>> It seems that some of the optional code blocks are causing
>>>>>>>> problems also.
>>>>>> I agree that typebounds is not very usable in its current form,
>>>>>> but I'm
>>>>>> not entirely clear on how to fix it.
>>>>>>
>>>>>> Dropping the target bounds logic is possible; it was actually
>>>>>> implemented a while back by KaiGai (see the archives) but reverted
>>>>>> because of a side effect on /proc/pid file access. Without the
>>>>>> target
>>>>>> bounds logic, you had to allow the parent domain to access all child
>>>>>> domains' /proc/pid files in order for the child to access their own.
>>>>>> That however could be worked around in policy, so possibly we could
>>>>>> revive those patches.
>>>>>>
>>>>>> However, I don't think that solves all of the problems. For example,
>>>>>> even with source bounds, I can't allow a child permissions to self
>>>>>> or to
>>>>>> its entrypoint file type or to its tmp file type without allowing
>>>>>> those
>>>>>> permissions to the parent, which may unnecessarily escalate the
>>>>>> privileges of the parent or expose the parent to risk.
>>>>>>
>>>>>> We might need more semantics in the policy about inter-type
>>>>>> relationships in order to truly evaluate bounds in a manner that
>>>>>> permits
>>>>>> such usage. Patches/proposals welcome.
>>>>>>
>>>>>> The other approach would be to use fork()+setcon()+execve() rather
>>>>>> than
>>>>>> fork()+setexeccon()+execve() in the callers. Then you aren't
>>>>>> subject to
>>>>>> typebounds at all (NNP only restricts exec-based transitions).
>>>>> The entrypoints are a lot simpler to fix. I think just eliminating the
>>>>> target checks would
>>>>> go a long way to making this a lot tighter policy.
>>>>>
>>>>> I have no problem with allowing parent domain access to child domains
>>>>> self fields. I think this
>>>>> make some sense. This seems a lot more secure than allowing any
>>>>> domain
>>>>> that can communicate
>>>>> with the child to be able to communicate with the parent.
>>>>>
>>>>> With the way it works now, I can not even figure out how to
>>>>> increase the
>>>>> privs of unconfined_t or
>>>>> other confined domains to actually make it work.
>>>> Ok, let's assume that we change the libsepol and kernel logic to drop
>>>> the target bounds checks. What else remains to make this work?
>>> Looking at the output from the semodule command, I see some other
>>> strange errors like this.
>>>
>>> (allow docker_t cluster_pid (sock_file (write getattr append open)))
>>>
>>>
>>> I have no idea why it would complain about this. Other than potentially
>>> problems caused by optional policy?
>> $ sesearch -A -s docker_t -t cluster_pid -c sock_file
>> Found 1 semantic av rules:
>> allow daemon cluster_pid : sock_file { write getattr append open } ;
>>
>> $ sesearch -A -s unconfined_t -t cluster_pid -c sock_file
>> <no output>
>>
>> So that is a legitimate violation of the bound and would be denied by
>> the kernel if it were attempted. Either you need to allow it to
>> unconfined_t or tighten up that rule so that docker_t isn't included
>> (why should all daemon domains be allowed to do that?).
>>
> allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file
> blk_file } *;
>
> So unless cluster_pid refers to something that is not a file_type, then
> I think unconfined_t can do it.
> No idea why this is allowed.
>
> seinfo -acluster_pid -x
> cluster_pid
> dlm_controld_var_run_t
> fenced_var_run_t
> foghorn_var_run_t
> gfs_controld_var_run_t
> haproxy_var_run_t
> groupd_var_run_t
> qdiskd_var_run_t
> cluster_var_run_t
Hmm...that would appear to be a bug in the libsepol hierarchy checker,
and also in setools3 since it didn't find the match. Just tried
setools4 and it did find the matching rules:
$ ./sesearch -A -s unconfined_t -t cluster_pid -c sock_file
allow domain pidfile:sock_file { write getattr open append };
allow files_unconfined_type file_type:sock_file { rename open execute
execmod setattr read lock create quotaon getattr mounton write
relabelfrom ioctl link relabelto unlink swapon audit_access append };
Yet another reason to switch to setools4...
* Re: Trying to setup a type bounds from unconfined_t and docekr_t to svirt_lxc_net_t
2016-04-28 18:36 ` Stephen Smalley
@ 2016-04-29 8:19 ` Miroslav Grepl
2016-04-29 12:21 ` Stephen Smalley
0 siblings, 1 reply; 14+ messages in thread
From: Miroslav Grepl @ 2016-04-29 8:19 UTC (permalink / raw)
To: Stephen Smalley, Daniel J Walsh, James Carter, SELinux,
Joshua Brindle, Paul Moore
On 04/28/2016 08:36 PM, Stephen Smalley wrote:
> On 04/28/2016 02:07 PM, Daniel J Walsh wrote:
>>
>>
>> On 04/28/2016 01:59 PM, Stephen Smalley wrote:
>>> On 04/28/2016 01:35 PM, Daniel J Walsh wrote:
>>>>
>>>> On 04/28/2016 01:31 PM, Stephen Smalley wrote:
>>>>> On 04/28/2016 12:20 PM, Daniel J Walsh wrote:
>>>>>> On 04/28/2016 11:21 AM, Stephen Smalley wrote:
>>>>>>> On 04/28/2016 09:15 AM, Daniel J Walsh wrote:
>>>>>>>>> typebounds unconfined_t docker_t; # docker_t is an unconfined
>>>>>>>>> domain
>>>>>>>>>
>>>>>>>>> typebounds docker_t spc_t; #spc_t is an unconfined domain
>>>>>>>>>
>>>>>>>>> typeboulds docker_t docker_lxc_net_t;
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> docker, rkt, systemd-nspawn, runc are all executing
>>>>>>>>> setexeccon(svirt_lxc_net_t)
>>>>>>>>>
>>>>>>>>> For container domains.
>>>>>>>>>
>>>>>>>>> Everything works fine until I turn on expand_check in
>>>>>>>>> semanage.conf,
>>>>>>>>> which we have been asked to do in Rawhide.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Attached is the current Rawhide docker policy. And here is the
>>>>>>>>> output
>>>>>>>>> from semodule -i before it crashes, with a segfault.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Had to add this rule to make it a little quieter, which is caused
>>>>>>>>> by a
>>>>>>>>> rule in policy that says we allow all daemons to connecto spc_t;
>>>>>>>>>
>>>>>>>>> gen_require(`
>>>>>>>>> type unconfined_t;
>>>>>>>>> attribute daemon;
>>>>>>>>> ')
>>>>>>>>>
>>>>>>>>> allow daemon unconfined_t:unix_stream_socket connectto;
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Why does typebounds care about when a domain is the target of an
>>>>>>>>> access,
>>>>>>>>> I think it should only remove options when it is the source.
>>>>>>>>>
>>>>>>>>> Otherwise we end up having to loosen the policy to make this work.
>>>>>>>>>
>>>>>>>>> As long as docker_t does not have any more "allow docker_t" rules
>>>>>>>>> than
>>>>>>>>> "allow unconfined_t", shouldn't this be ok?
>>>>>>>>>
>>>>>>>>> It seems that some of the optional code blocks are causing
>>>>>>>>> problems also.
>>>>>>> I agree that typebounds is not very usable in its current form,
>>>>>>> but I'm
>>>>>>> not entirely clear on how to fix it.
>>>>>>>
>>>>>>> Dropping the target bounds logic is possible; it was actually
>>>>>>> implemented a while back by KaiGai (see the archives) but reverted
>>>>>>> because of a side effect on /proc/pid file access. Without the
>>>>>>> target
>>>>>>> bounds logic, you had to allow the parent domain to access all child
>>>>>>> domains' /proc/pid files in order for the child to access their own.
>>>>>>> That however could be worked around in policy, so possibly we could
>>>>>>> revive those patches.
>>>>>>>
>>>>>>> However, I don't think that solves all of the problems. For example,
>>>>>>> even with source bounds, I can't allow a child permissions to self
>>>>>>> or to
>>>>>>> its entrypoint file type or to its tmp file type without allowing
>>>>>>> those
>>>>>>> permissions to the parent, which may unnecessarily escalate the
>>>>>>> privileges of the parent or expose the parent to risk.
>>>>>>>
>>>>>>> We might need more semantics in the policy about inter-type
>>>>>>> relationships in order to truly evaluate bounds in a manner that
>>>>>>> permits
>>>>>>> such usage. Patches/proposals welcome.
>>>>>>>
>>>>>>> The other approach would be to use fork()+setcon()+execve() rather
>>>>>>> than
>>>>>>> fork()+setexeccon()+execve() in the callers. Then you aren't
>>>>>>> subject to
>>>>>>> typebounds at all (NNP only restricts exec-based transitions).
>>>>>> The entrypoints are a lot simpler to fix. I think just eliminating the
>>>>>> target checks would
>>>>>> go a long way to making this a lot tighter policy.
>>>>>>
>>>>>> I have no problem with allowing parent domain access to child domains
>>>>>> self fields. I think this
>>>>>> make some sense. This seems a lot more secure than allowing any
>>>>>> domain
>>>>>> that can communicate
>>>>>> with the child to be able to communicate with the parent.
>>>>>>
>>>>>> With the way it works now, I can not even figure out how to
>>>>>> increase the
>>>>>> privs of unconfined_t or
>>>>>> other confined domains to actually make it work.
>>>>> Ok, let's assume that we change the libsepol and kernel logic to drop
>>>>> the target bounds checks. What else remains to make this work?
>>>> Looking at the output from the semodule command, I see some other
>>>> strange errors like this.
>>>>
>>>> (allow docker_t cluster_pid (sock_file (write getattr append open)))
>>>>
>>>>
>>>> I have no idea why it would complain about this. Other than potentially
>>>> problems caused by optional policy?
>>> $ sesearch -A -s docker_t -t cluster_pid -c sock_file
>>> Found 1 semantic av rules:
>>> allow daemon cluster_pid : sock_file { write getattr append open } ;
>>>
>>> $ sesearch -A -s unconfined_t -t cluster_pid -c sock_file
>>> <no output>
>>>
>>> So that is a legitimate violation of the bound and would be denied by
>>> the kernel if it were attempted. Either you need to allow it to
>>> unconfined_t or tighten up that rule so that docker_t isn't included
>>> (why should all daemon domains be allowed to do that?).
>>>
>> allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file
>> blk_file } *;
>>
>> So unless cluster_pid refers to something that is not a file_type, then
>> I think unconfined_t can do it.
>> No idea why this is allowed.
>>
>> seinfo -acluster_pid -x
>> cluster_pid
>> dlm_controld_var_run_t
>> fenced_var_run_t
>> foghorn_var_run_t
>> gfs_controld_var_run_t
>> haproxy_var_run_t
>> groupd_var_run_t
>> qdiskd_var_run_t
>> cluster_var_run_t
>
> Hmm...that would appear to be a bug in the libsepol hierarchy checker,
> and also in setools3 since it didn't find the match. Just tried
> setools4 and it did find the matching rules:
> $ ./sesearch -A -s unconfined_t -t cluster_pid -c sock_file
> allow domain pidfile:sock_file { write getattr open append };
> allow files_unconfined_type file_type:sock_file { rename open execute
> execmod setattr read lock create quotaon getattr mounton write
> relabelfrom ioctl link relabelto unlink swapon audit_access append };
Ok so it is a bug in libsepol as you said because it should work
correctly if we talk about unconfined domains.
cluster_pid refers only to file_type types.
>
> Yet another reason to switch to setools4...
>
>
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
* Re: Trying to setup a type bounds from unconfined_t and docekr_t to svirt_lxc_net_t
2016-04-29 8:19 ` Miroslav Grepl
@ 2016-04-29 12:21 ` Stephen Smalley
0 siblings, 0 replies; 14+ messages in thread
From: Stephen Smalley @ 2016-04-29 12:21 UTC (permalink / raw)
To: Miroslav Grepl, Daniel J Walsh, James Carter, SELinux,
Joshua Brindle, Paul Moore
On 04/29/2016 04:19 AM, Miroslav Grepl wrote:
> On 04/28/2016 08:36 PM, Stephen Smalley wrote:
>> On 04/28/2016 02:07 PM, Daniel J Walsh wrote:
>>>
>>>
>>> On 04/28/2016 01:59 PM, Stephen Smalley wrote:
>>>> On 04/28/2016 01:35 PM, Daniel J Walsh wrote:
>>>>>
>>>>> On 04/28/2016 01:31 PM, Stephen Smalley wrote:
>>>>>> On 04/28/2016 12:20 PM, Daniel J Walsh wrote:
>>>>>>> On 04/28/2016 11:21 AM, Stephen Smalley wrote:
>>>>>>>> On 04/28/2016 09:15 AM, Daniel J Walsh wrote:
>>>>>>>>>> typebounds unconfined_t docker_t; # docker_t is an unconfined
>>>>>>>>>> domain
>>>>>>>>>>
>>>>>>>>>> typebounds docker_t spc_t; #spc_t is an unconfined domain
>>>>>>>>>>
>>>>>>>>>> typeboulds docker_t docker_lxc_net_t;
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> docker, rkt, systemd-nspawn, runc are all executing
>>>>>>>>>> setexeccon(svirt_lxc_net_t)
>>>>>>>>>>
>>>>>>>>>> For container domains.
>>>>>>>>>>
>>>>>>>>>> Everything works fine until I turn on expand_check in
>>>>>>>>>> semanage.conf,
>>>>>>>>>> which we have been asked to do in Rawhide.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Attached is the current Rawhide docker policy. And here is the
>>>>>>>>>> output
>>>>>>>>>> from semodule -i before it crashes, with a segfault.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Had to add this rule to make it a little quieter, which is caused
>>>>>>>>>> by a
>>>>>>>>>> rule in policy that says we allow all daemons to connecto spc_t;
>>>>>>>>>>
>>>>>>>>>> gen_require(`
>>>>>>>>>> type unconfined_t;
>>>>>>>>>> attribute daemon;
>>>>>>>>>> ')
>>>>>>>>>>
>>>>>>>>>> allow daemon unconfined_t:unix_stream_socket connectto;
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Why does typebounds care about when a domain is the target of an
>>>>>>>>>> access,
>>>>>>>>>> I think it should only remove options when it is the source.
>>>>>>>>>>
>>>>>>>>>> Otherwise we end up having to loosen the policy to make this work.
>>>>>>>>>>
>>>>>>>>>> As long as docker_t does not have any more "allow docker_t" rules
>>>>>>>>>> than
>>>>>>>>>> "allow unconfined_t", shouldn't this be ok?
>>>>>>>>>>
>>>>>>>>>> It seems that some of the optional code blocks are causing
>>>>>>>>>> problems also.
>>>>>>>> I agree that typebounds is not very usable in its current form,
>>>>>>>> but I'm
>>>>>>>> not entirely clear on how to fix it.
>>>>>>>>
>>>>>>>> Dropping the target bounds logic is possible; it was actually
>>>>>>>> implemented a while back by KaiGai (see the archives) but reverted
>>>>>>>> because of a side effect on /proc/pid file access. Without the
>>>>>>>> target
>>>>>>>> bounds logic, you had to allow the parent domain to access all child
>>>>>>>> domains' /proc/pid files in order for the child to access their own.
>>>>>>>> That however could be worked around in policy, so possibly we could
>>>>>>>> revive those patches.
>>>>>>>>
>>>>>>>> However, I don't think that solves all of the problems. For example,
>>>>>>>> even with source bounds, I can't allow a child permissions to self
>>>>>>>> or to
>>>>>>>> its entrypoint file type or to its tmp file type without allowing
>>>>>>>> those
>>>>>>>> permissions to the parent, which may unnecessarily escalate the
>>>>>>>> privileges of the parent or expose the parent to risk.
>>>>>>>>
>>>>>>>> We might need more semantics in the policy about inter-type
>>>>>>>> relationships in order to truly evaluate bounds in a manner that
>>>>>>>> permits
>>>>>>>> such usage. Patches/proposals welcome.
>>>>>>>>
>>>>>>>> The other approach would be to use fork()+setcon()+execve() rather
>>>>>>>> than
>>>>>>>> fork()+setexeccon()+execve() in the callers. Then you aren't
>>>>>>>> subject to
>>>>>>>> typebounds at all (NNP only restricts exec-based transitions).
>>>>>>> The entrypoints are a lot simpler to fix. I think just eliminating the
>>>>>>> target checks would
>>>>>>> go a long way to making this a lot tighter policy.
>>>>>>>
>>>>>>> I have no problem with allowing parent domain access to child domains
>>>>>>> self fields. I think this
>>>>>>> make some sense. This seems a lot more secure than allowing any
>>>>>>> domain
>>>>>>> that can communicate
>>>>>>> with the child to be able to communicate with the parent.
>>>>>>>
>>>>>>> With the way it works now, I can not even figure out how to
>>>>>>> increase the
>>>>>>> privs of unconfined_t or
>>>>>>> other confined domains to actually make it work.
>>>>>> Ok, let's assume that we change the libsepol and kernel logic to drop
>>>>>> the target bounds checks. What else remains to make this work?
>>>>> Looking at the output from the semodule command, I see some other
>>>>> strange errors like this.
>>>>>
>>>>> (allow docker_t cluster_pid (sock_file (write getattr append open)))
>>>>>
>>>>>
>>>>> I have no idea why it would complain about this. Other than potentially
>>>>> problems caused by optional policy?
>>>> $ sesearch -A -s docker_t -t cluster_pid -c sock_file
>>>> Found 1 semantic av rules:
>>>> allow daemon cluster_pid : sock_file { write getattr append open } ;
>>>>
>>>> $ sesearch -A -s unconfined_t -t cluster_pid -c sock_file
>>>> <no output>
>>>>
>>>> So that is a legitimate violation of the bound and would be denied by
>>>> the kernel if it were attempted. Either you need to allow it to
>>>> unconfined_t or tighten up that rule so that docker_t isn't included
>>>> (why should all daemon domains be allowed to do that?).
>>>>
>>> allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file
>>> blk_file } *;
>>>
>>> So unless cluster_pid refers to something that is not a file_type, then
>>> I think unconfined_t can do it.
>>> No idea why this is allowed.
>>>
>>> seinfo -acluster_pid -x
>>> cluster_pid
>>> dlm_controld_var_run_t
>>> fenced_var_run_t
>>> foghorn_var_run_t
>>> gfs_controld_var_run_t
>>> haproxy_var_run_t
>>> groupd_var_run_t
>>> qdiskd_var_run_t
>>> cluster_var_run_t
>>
>> Hmm...that would appear to be a bug in the libsepol hierarchy checker,
>> and also in setools3 since it didn't find the match. Just tried
>> setools4 and it did find the matching rules:
>> $ ./sesearch -A -s unconfined_t -t cluster_pid -c sock_file
>> allow domain pidfile:sock_file { write getattr open append };
>> allow files_unconfined_type file_type:sock_file { rename open execute
>> execmod setattr read lock create quotaon getattr mounton write
>> relabelfrom ioctl link relabelto unlink swapon audit_access append };
>
> Ok so it is a bug in libsepol as you said because it should work
> correctly if we talk about unconfined domains.
>
> cluster_pid refers only to file_type types.
Yes, see my patch, "libsepol: fix type bounds checking for attributes"
(not yet pushed upstream).
The seg fault Dan is encountering was also fixed earlier by the series
"libsepol/cil: Fixes to neverallow and bounds checking", which was
already committed upstream.
* Re: Trying to setup a type bounds from unconfined_t and docekr_t to svirt_lxc_net_t
2016-04-28 15:21 ` Stephen Smalley
2016-04-28 16:20 ` Daniel J Walsh
@ 2016-04-28 16:21 ` Daniel J Walsh
2016-04-29 15:48 ` Stephen Smalley
2 siblings, 0 replies; 14+ messages in thread
From: Daniel J Walsh @ 2016-04-28 16:21 UTC (permalink / raw)
To: Stephen Smalley, James Carter, SELinux, Joshua Brindle,
Paul Moore
On 04/28/2016 11:21 AM, Stephen Smalley wrote:
> On 04/28/2016 09:15 AM, Daniel J Walsh wrote:
>> typebounds unconfined_t docker_t; # docker_t is an unconfined domain
>>
>> typebounds docker_t spc_t; #spc_t is an unconfined domain
>>
>> typeboulds docker_t docker_lxc_net_t;
>>
>>
>> docker, rkt, systemd-nspawn, runc are all executing
>> setexeccon(svirt_lxc_net_t)
>>
>> For container domains.
>>
>> Everything works fine until I turn on expand_check in semanage.conf,
>> which we have been asked to do in Rawhide.
>>
>>
>> Attached is the current Rawhide docker policy. And here is the output
>> from semodule -i before it crashes, with a segfault.
>>
>>
>> Had to add this rule to make it a little quieter, which is caused by a
>> rule in policy that says we allow all daemons to connecto spc_t;
>>
>> gen_require(`
>> type unconfined_t;
>> attribute daemon;
>> ')
>>
>> allow daemon unconfined_t:unix_stream_socket connectto;
>>
>>
>> Why does typebounds care about when a domain is the target of an access,
>> I think it should only remove options when it is the source.
>>
>> Otherwise we end up having to loosen the policy to make this work.
>>
>> As long as docker_t does not have any more "allow docker_t" rules than
>> "allow unconfined_t", shouldn't this be ok?
>>
>> It seems that some of the optional code blocks are causing problems also.
> I agree that typebounds is not very usable in its current form, but I'm
> not entirely clear on how to fix it.
>
> Dropping the target bounds logic is possible; it was actually
> implemented a while back by KaiGai (see the archives) but reverted
> because of a side effect on /proc/pid file access. Without the target
> bounds logic, you had to allow the parent domain to access all child
> domains' /proc/pid files in order for the child to access their own.
> That however could be worked around in policy, so possibly we could
> revive those patches.
>
> However, I don't think that solves all of the problems. For example,
> even with source bounds, I can't allow a child permissions to self or to
> its entrypoint file type or to its tmp file type without allowing those
> permissions to the parent, which may unnecessarily escalate the
> privileges of the parent or expose the parent to risk.
>
> We might need more semantics in the policy about inter-type
> relationships in order to truly evaluate bounds in a manner that permits
> such usage. Patches/proposals welcome.
>
> The other approach would be to use fork()+setcon()+execve() rather than
> fork()+setexeccon()+execve() in the callers. Then you aren't subject to
> typebounds at all (NNP only restricts exec-based transitions).
BTW doing the
fork()+setcon()+execve()
is very difficult in golang, due to its strange forkexec() semantics.
fork()+setcon()+execve()
* Re: Trying to setup a type bounds from unconfined_t and docekr_t to svirt_lxc_net_t
2016-04-28 15:21 ` Stephen Smalley
2016-04-28 16:20 ` Daniel J Walsh
2016-04-28 16:21 ` Daniel J Walsh
@ 2016-04-29 15:48 ` Stephen Smalley
2 siblings, 0 replies; 14+ messages in thread
From: Stephen Smalley @ 2016-04-29 15:48 UTC (permalink / raw)
To: Daniel J Walsh, James Carter, SELinux, Joshua Brindle, Paul Moore
On 04/28/2016 11:21 AM, Stephen Smalley wrote:
> On 04/28/2016 09:15 AM, Daniel J Walsh wrote:
>>
>> typebounds unconfined_t docker_t; # docker_t is an unconfined domain
>>
>> typebounds docker_t spc_t; #spc_t is an unconfined domain
>>
>> typeboulds docker_t docker_lxc_net_t;
>>
>>
>> docker, rkt, systemd-nspawn, runc are all executing
>> setexeccon(svirt_lxc_net_t)
>>
>> For container domains.
>>
>> Everything works fine until I turn on expand_check in semanage.conf,
>> which we have been asked to do in Rawhide.
>>
>>
>> Attached is the current Rawhide docker policy. And here is the output
>> from semodule -i before it crashes, with a segfault.
>>
>>
>> Had to add this rule to make it a little quieter, which is caused by a
>> rule in policy that says we allow all daemons to connecto spc_t;
>>
>> gen_require(`
>> type unconfined_t;
>> attribute daemon;
>> ')
>>
>> allow daemon unconfined_t:unix_stream_socket connectto;
>>
>>
>> Why does typebounds care about when a domain is the target of an access,
>> I think it should only remove options when it is the source.
>>
>> Otherwise we end up having to loosen the policy to make this work.
>>
>> As long as docker_t does not have any more "allow docker_t" rules than
>> "allow unconfined_t", shouldn't this be ok?
>>
>> It seems that some of the optional code blocks are causing problems also.
>
> I agree that typebounds is not very usable in its current form, but I'm
> not entirely clear on how to fix it.
>
> Dropping the target bounds logic is possible; it was actually
> implemented a while back by KaiGai (see the archives) but reverted
> because of a side effect on /proc/pid file access. Without the target
> bounds logic, you had to allow the parent domain to access all child
> domains' /proc/pid files in order for the child to access their own.
> That however could be worked around in policy, so possibly we could
> revive those patches.
>
> However, I don't think that solves all of the problems. For example,
> even with source bounds, I can't allow a child permissions to self or to
> its entrypoint file type or to its tmp file type without allowing those
> permissions to the parent, which may unnecessarily escalate the
> privileges of the parent or expose the parent to risk.
Actually, I think I am wrong about these statements. You can make the
child's entrypoint type a child of the parent's entrypoint type (and
likewise for tmp file types) and then you only need to allow the parent
access to its own entrypoint and tmp types and the kernel will allow the
child access to its types.
>
> We might need more semantics in the policy about inter-type
> relationships in order to truly evaluate bounds in a manner that permits
> such usage. Patches/proposals welcome.
>
> The other approach would be to use fork()+setcon()+execve() rather than
> fork()+setexeccon()+execve() in the callers. Then you aren't subject to
> typebounds at all (NNP only restricts exec-based transitions).
Thread overview: 14+ messages
2016-04-28 13:15 Trying to setup a type bounds from unconfined_t and docekr_t to svirt_lxc_net_t Daniel J Walsh
2016-04-28 14:24 ` Dominick Grift
2016-04-28 15:05 ` James Carter
2016-04-28 15:21 ` Stephen Smalley
2016-04-28 16:20 ` Daniel J Walsh
2016-04-28 17:31 ` Stephen Smalley
2016-04-28 17:35 ` Daniel J Walsh
2016-04-28 17:59 ` Stephen Smalley
2016-04-28 18:07 ` Daniel J Walsh
2016-04-28 18:36 ` Stephen Smalley
2016-04-29 8:19 ` Miroslav Grepl
2016-04-29 12:21 ` Stephen Smalley
2016-04-28 16:21 ` Daniel J Walsh
2016-04-29 15:48 ` Stephen Smalley