* [PATCH] checkpolicy: Allow attribute assignment to attributes
@ 2025-06-23 10:25 Vit Mojzis
2025-06-23 10:56 ` Christian Göttsche
From: Vit Mojzis @ 2025-06-23 10:25 UTC (permalink / raw)
To: selinux
Allow "typeattribute <attribute> <attribute>" to pass checkpolicy,
since (typeattributeset <attribute> <attribute>) is valid in CIL.
Fixes:
$ cat myattributetest.te
policy_module(attributetest, 1.0.0)
gen_require(`
attribute domain;
')
attribute myattribute;
typeattribute myattribute domain;
$ make -f /usr/share/selinux/devel/Makefile attributetest.pp 2 ↵
Compiling targeted attributetest module
attributetest.te:9:ERROR 'unknown type myattribute' at token ';' on line 3418:
typeattribute myattribute domain;
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
After some simple tests with CIL policies, it seems that attribute
assignment works as expected. Is there a reason checkpolicy does not
recognise it?
$ cat a.cil
(typeattribute a)
(typeattribute b)
(typeattribute c)
(type mytype_t)
(typeattributeset a b)
(typeattributeset b c)
(typeattributeset c mytype_t)
(allow a user_home_t (dir (getattr open search)))
(allow b tmp_t (dir (getattr open search)))
(allow c etc_t (dir (getattr open search)))
$semodule -i a.cil
$sesearch -A -s mytype_t
allow a user_home_t:dir { getattr open search };
allow b tmp_t:dir { getattr open search };
allow c etc_t:dir { getattr open search };
$seinfo -xa a
Type Attributes: 1
attribute a;
mytype_t
checkpolicy/policy_define.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 4e0ddcc6..be788e8e 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -1440,7 +1440,7 @@ int define_typeattribute(void)
return -1;
}
t = hashtab_search(policydbp->p_types.table, id);
- if (!t || t->flavor == TYPE_ATTRIB) {
+ if (!t) {
yyerror2("unknown type %s", id);
free(id);
return -1;
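Review bot: dropping the `t->flavor == TYPE_ATTRIB` test only changes which identifiers reach `yyerror2("unknown type %s", id)`; nothing in the hunk expands the member types of an attribute that is now accepted as `t` into the attribute it is being assigned to. That expansion is what CIL performs when it evaluates a typeattributeset, and the thread later notes the kernel does not handle attributes nested in attributes, so a kernel policy written directly by checkpolicy would carry an unexpanded attribute-in-attribute. Either restrict the relaxed check to module policy builds, where CIL does the expansion, or add the expansion on the kernel-policy path, and say in the commit message which of the two is intended; a checkpolicy test case exercising `typeattribute <attribute> <attribute>` would also help.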
--
2.49.0
* Re: [PATCH] checkpolicy: Allow attribute assignment to attributes
2025-06-23 10:25 [PATCH] checkpolicy: Allow attribute assignment to attributes Vit Mojzis
@ 2025-06-23 10:56 ` Christian Göttsche
2025-06-23 11:28 ` Vit Mojzis
From: Christian Göttsche @ 2025-06-23 10:56 UTC (permalink / raw)
To: Vit Mojzis; +Cc: selinux
Jun 23, 2025 12:27:47 Vit Mojzis <vmojzis@redhat.com>:
> Allow "typeattribute <attribute> <attribute>" to pass checkpolicy,
> since (typeattributeset <attribute> <attribute>) is valid in CIL.
>
> Fixes:
> $ cat myattributetest.te
> policy_module(attributetest, 1.0.0)
>
> gen_require(`
> attribute domain;
> ')
>
> attribute myattribute;
>
> typeattribute myattribute domain;
>
> $ make -f /usr/share/selinux/devel/Makefile attributetest.pp 2 ↵
> Compiling targeted attributetest module
> attributetest.te:9:ERROR 'unknown type myattribute' at token ';' on line 3418:
> typeattribute myattribute domain;
>
> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
> ---
> After some simple tests with CIL policies, it seems that attribute
> assignment works as expected. Is there a reason checkpolicy does not
> recognise it?
Did you test that all types associated with myattribute are also associated with domain?
>
> $ cat a.cil
> (typeattribute a)
> (typeattribute b)
> (typeattribute c)
> (type mytype_t)
> (typeattributeset a b)
> (typeattributeset b c)
> (typeattributeset c mytype_t)
> (allow a user_home_t (dir (getattr open search)))
> (allow b tmp_t (dir (getattr open search)))
> (allow c etc_t (dir (getattr open search)))
>
> $semodule -i a.cil
>
> $sesearch -A -s mytype_t
> allow a user_home_t:dir { getattr open search };
> allow b tmp_t:dir { getattr open search };
> allow c etc_t:dir { getattr open search };
>
> $seinfo -xa a
>
> Type Attributes: 1
> attribute a;
> mytype_t
>
>
> checkpolicy/policy_define.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index 4e0ddcc6..be788e8e 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -1440,7 +1440,7 @@ int define_typeattribute(void)
> return -1;
> }
> t = hashtab_search(policydbp->p_types.table, id);
> - if (!t || t->flavor == TYPE_ATTRIB) {
> + if (!t) {
> yyerror2("unknown type %s", id);
> free(id);
> return -1;
> --
> 2.49.0
* Re: [PATCH] checkpolicy: Allow attribute assignment to attributes
2025-06-23 10:56 ` Christian Göttsche
@ 2025-06-23 11:28 ` Vit Mojzis
2025-06-23 18:06 ` James Carter
From: Vit Mojzis @ 2025-06-23 11:28 UTC (permalink / raw)
To: Christian Göttsche; +Cc: selinux
On 6/23/25 12:56 PM, Christian Göttsche wrote:
> Jun 23, 2025 12:27:47 Vit Mojzis <vmojzis@redhat.com>:
>
>> Allow "typeattribute <attribute> <attribute>" to pass checkpolicy,
>> since (typeattributeset <attribute> <attribute>) is valid in CIL.
>>
>> Fixes:
>> $ cat myattributetest.te
>> policy_module(attributetest, 1.0.0)
>>
>> gen_require(`
>> attribute domain;
>> ')
>>
>> attribute myattribute;
>>
>> typeattribute myattribute domain;
>>
>> $ make -f /usr/share/selinux/devel/Makefile attributetest.pp 2 ↵
>> Compiling targeted attributetest module
>> attributetest.te:9:ERROR 'unknown type myattribute' at token ';' on line 3418:
>> typeattribute myattribute domain;
>>
>> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
>> ---
>> After some simple tests with CIL policies, it seems that attribute
>> assignment works as expected. Is there a reason checkpolicy does not
>> recognise it?
> Did you test that all types associated with myattribute are also associated with domain?
>
Yes, also please see the more complex example below (mytype_t is part of
"a", "b" and "c" after being assigned to "c").
As for the "domain" example:
$ cat typeattribute.te
policy_module(attributetest, 1.0.0)
gen_require(`
attribute domain;
')
attribute myattribute;
typeattribute myattribute domain;
type mytype_t;
typeattribute mytype_t myattribute;
$ make -f /usr/share/selinux/devel/Makefile attributetest.pp
Compiling targeted attributetest module
Creating targeted attributetest.pp policy package
rm tmp/attributetest.mod.fc tmp/attributetest.mod
$ /usr/libexec/selinux/hll/pp < attributetest.pp > attributetest.cil
$ cat attributetest.cil
(typeattribute myattribute)
(typeattributeset myattribute (mytype_t ))
(type mytype_t)
(roletype object_r mytype_t)
(roleattributeset cil_gen_require system_r)
(typeattributeset cil_gen_require domain)
(typeattributeset domain (myattribute ))
$ semodule -i attributetest.pp
$ seinfo -xa domain | grep mytype
mytype_t
I also tested the functionality on a combination of multiple attributes
from container module and all seems to work fine (at least as long as we
can trust "seinfo" and "sesearch"). CIL is not even complaining about
mixed assignments that result in some interface calls on attributes
(e.g. kernel_read_all_proc(container_t_domain) -> (typeattributeset
can_dump_kernel (container_runtime_t container_t container_t_domain
container_userns_t container_logreader_t container_logwriter_t
container_kvm_t container_init_t container_engine_t container_device_t
container_device_plugin_t container_device_plugin_init_t ))). In
combination with "typeattribute mycontainer_t container_t_domain;" this
also works as expected:
$ seinfo -xa can_dump_kernel | grep mycontainer_t
mycontainer_t
It is by no means a complete test. I was hoping someone here would be
more familiar with attribute assignment and would let me know why it's
not allowed or that it is just an oversight.
Vit
>> $ cat a.cil
>> (typeattribute a)
>> (typeattribute b)
>> (typeattribute c)
>> (type mytype_t)
>> (typeattributeset a b)
>> (typeattributeset b c)
>> (typeattributeset c mytype_t)
>> (allow a user_home_t (dir (getattr open search)))
>> (allow b tmp_t (dir (getattr open search)))
>> (allow c etc_t (dir (getattr open search)))
>>
>> $semodule -i a.cil
>>
>> $sesearch -A -s mytype_t
>> allow a user_home_t:dir { getattr open search };
>> allow b tmp_t:dir { getattr open search };
>> allow c etc_t:dir { getattr open search };
>>
>> $seinfo -xa a
>>
>> Type Attributes: 1
>> attribute a;
>> mytype_t
>>
>>
>> checkpolicy/policy_define.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
>> index 4e0ddcc6..be788e8e 100644
>> --- a/checkpolicy/policy_define.c
>> +++ b/checkpolicy/policy_define.c
>> @@ -1440,7 +1440,7 @@ int define_typeattribute(void)
>> return -1;
>> }
>> t = hashtab_search(policydbp->p_types.table, id);
>> - if (!t || t->flavor == TYPE_ATTRIB) {
>> + if (!t) {
>> yyerror2("unknown type %s", id);
>> free(id);
>> return -1;
>> --
>> 2.49.0
* Re: [PATCH] checkpolicy: Allow attribute assignment to attributes
2025-06-23 11:28 ` Vit Mojzis
@ 2025-06-23 18:06 ` James Carter
2025-06-23 18:21 ` James Carter
From: James Carter @ 2025-06-23 18:06 UTC (permalink / raw)
To: Vit Mojzis; +Cc: Christian Göttsche, selinux
On Mon, Jun 23, 2025 at 7:34 AM Vit Mojzis <vmojzis@redhat.com> wrote:
>
>
>
> On 6/23/25 12:56 PM, Christian Göttsche wrote:
> > Jun 23, 2025 12:27:47 Vit Mojzis <vmojzis@redhat.com>:
> >
> >> Allow "typeattribute <attribute> <attribute>" to pass checkpolicy,
> >> since (typeattributeset <attribute> <attribute>) is valid in CIL.
> >>
> >> Fixes:
> >> $ cat myattributetest.te
> >> policy_module(attributetest, 1.0.0)
> >>
> >> gen_require(`
> >> attribute domain;
> >> ')
> >>
> >> attribute myattribute;
> >>
> >> typeattribute myattribute domain;
> >>
> >> $ make -f /usr/share/selinux/devel/Makefile attributetest.pp 2 ↵
> >> Compiling targeted attributetest module
> >> attributetest.te:9:ERROR 'unknown type myattribute' at token ';' on line 3418:
> >> typeattribute myattribute domain;
> >>
> >> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
> >> ---
> >> After some simple tests with CIL policies, it seems that attribute
> >> assignment works as expected. Is there a reason checkpolicy does not
> >> recognise it?
> > Did you test that all types associated with myattribute are also associated with domain?
> >
> Yes, also please see the more complex example below (mytype_t is part of
> "a", "b" and "c" after being assigned to "c").
> As for the "domain" example:
>
> $ cat typeattribute.te
> policy_module(attributetest, 1.0.0)
>
> gen_require(`
> attribute domain;
> ')
>
> attribute myattribute;
>
> typeattribute myattribute domain;
>
> type mytype_t;
>
> typeattribute mytype_t myattribute;
>
> $ make -f /usr/share/selinux/devel/Makefile attributetest.pp
> Compiling targeted attributetest module
> Creating targeted attributetest.pp policy package
> rm tmp/attributetest.mod.fc tmp/attributetest.mod
>
> $ /usr/libexec/selinux/hll/pp < attributetest.pp > attributetest.cil
> $ cat attributetest.cil
> (typeattribute myattribute)
> (typeattributeset myattribute (mytype_t ))
> (type mytype_t)
> (roletype object_r mytype_t)
> (roleattributeset cil_gen_require system_r)
> (typeattributeset cil_gen_require domain)
> (typeattributeset domain (myattribute ))
>
> $ semodule -i attributetest.pp
> $ seinfo -xa domain | grep mytype
> mytype_t
>
> I also tested the functionality on a combination of multiple attributes
> from container module and all seems to work fine (at least as long as we
> can trust "seinfo" and "sesearch"). CIL is not even complaining about
> mixed assignments that result in some interface calls on attributes
> (e.g. kernel_read_all_proc(container_t_domain) -> (typeattributeset
> can_dump_kernel (container_runtime_t container_t container_t_domain
> container_userns_t container_logreader_t container_logwriter_t
> container_kvm_t container_init_t container_engine_t container_device_t
> container_device_plugin_t container_device_plugin_init_t ))). In
> combination with "typeattribute mycontainer_t container_t_domain;" this
> also works as expected:
> $ seinfo -xa can_dump_kernel | grep mycontainer_t
> mycontainer_t
>
> It is by no means a complete test. I was hoping someone here would be
> more familiar with attribute assignment and would let me know why it's
> not allowed or that it is just an oversight.
>
I don't think the kernel supports attributes being assigned to attributes.
For CIL to support typeattributesets, it expands all attributes when
it evaluates the set.
I think what is happening is that the binary format unintentionally
handles attributes being assigned to attributes (even though that was
never intended) and since CIL is creating the final binary policy for
the kernel all the attributes in an attribute get expanded.
It might actually be possible to start allowing this, but I would want
to test more to make sure.
This is definitely an interesting finding!
Thanks,
Jim
> Vit
>
> >> $ cat a.cil
> >> (typeattribute a)
> >> (typeattribute b)
> >> (typeattribute c)
> >> (type mytype_t)
> >> (typeattributeset a b)
> >> (typeattributeset b c)
> >> (typeattributeset c mytype_t)
> >> (allow a user_home_t (dir (getattr open search)))
> >> (allow b tmp_t (dir (getattr open search)))
> >> (allow c etc_t (dir (getattr open search)))
> >>
> >> $semodule -i a.cil
> >>
> >> $sesearch -A -s mytype_t
> >> allow a user_home_t:dir { getattr open search };
> >> allow b tmp_t:dir { getattr open search };
> >> allow c etc_t:dir { getattr open search };
> >>
> >> $seinfo -xa a
> >>
> >> Type Attributes: 1
> >> attribute a;
> >> mytype_t
> >>
> >>
> >> checkpolicy/policy_define.c | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> >> index 4e0ddcc6..be788e8e 100644
> >> --- a/checkpolicy/policy_define.c
> >> +++ b/checkpolicy/policy_define.c
> >> @@ -1440,7 +1440,7 @@ int define_typeattribute(void)
> >> return -1;
> >> }
> >> t = hashtab_search(policydbp->p_types.table, id);
> >> - if (!t || t->flavor == TYPE_ATTRIB) {
> >> + if (!t) {
> >> yyerror2("unknown type %s", id);
> >> free(id);
> >> return -1;
> >> --
> >> 2.49.0
>
>
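The expansion James Carter describes, as an added illustration that is not code from the SELinux project or from anyone in the thread: a small Python model that parses the a.cil posted in the first message (only typeattribute, type, plain-list typeattributeset and allow statements; set expressions are rejected), flattens attribute-in-attribute membership the way CIL does before writing kernel policy, lists the nested memberships a kernel-policy writer would have to expand, and shows which allow rules reach mytype_t. The function names `parse`, `expand`, `nested_memberships`, `attributes_of` and `rules_for_source` are my own.

```python
"""Model of how CIL flattens nested typeattributeset statements.

Added illustration, not SELinux project code. Supports a small CIL subset:
typeattribute, type, typeattributeset with a plain name list, and allow.
Set expressions (and/or/not/xor) are rejected.
"""
import re
from collections import defaultdict

# Constructed sample input: the a.cil posted in the thread.
SAMPLE_CIL = """
(typeattribute a)
(typeattribute b)
(typeattribute c)
(type mytype_t)
(typeattributeset a b)
(typeattributeset b c)
(typeattributeset c mytype_t)
(allow a user_home_t (dir (getattr open search)))
(allow b tmp_t (dir (getattr open search)))
(allow c etc_t (dir (getattr open search)))
"""

_DECL = re.compile(r"\((typeattribute|type)\s+(\S+)\)")
_SET = re.compile(r"\(typeattributeset\s+(\S+)\s+\(?([^()]+?)\s*\)?\)")
_ALLOW = re.compile(r"\(allow\s+(\S+)\s+(\S+)\s+\((\S+)\s+\(([^()]*)\)\)\)")


def parse(cil_text):
    """Parse the supported statements into declarations, memberships and rules."""
    attributes, types = set(), set()
    members = defaultdict(set)  # attribute -> direct members (types or attributes)
    allows = []                 # (source, target, class, perms) in file order
    for raw in cil_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := _DECL.fullmatch(line)):
            (attributes if m.group(1) == "typeattribute" else types).add(m.group(2))
        elif (m := _SET.fullmatch(line)):
            attr, names = m.group(1), m.group(2).split()
            if attr not in attributes:
                raise ValueError(f"typeattributeset on undeclared attribute {attr}")
            for name in names:
                if name not in attributes and name not in types:
                    raise ValueError(f"unknown type or attribute {name} in set {attr}")
            members[attr].update(names)
        elif (m := _ALLOW.fullmatch(line)):
            allows.append((m.group(1), m.group(2), m.group(3), frozenset(m.group(4).split())))
        else:
            raise ValueError(f"unsupported statement: {line}")
    return {"attributes": attributes, "types": types, "members": members, "allows": allows}


def expand(attributes, members):
    """Flatten every attribute to the concrete types it contains, following
    attribute-in-attribute membership transitively and rejecting cycles."""
    flat = {}

    def resolve(attr, active):
        if attr in flat:
            return flat[attr]
        if attr in active:
            raise ValueError(f"cyclic attribute membership through {attr}")
        result = set()
        for member in members.get(attr, ()):
            if member in attributes:
                result |= resolve(member, active | {attr})  # recurse into nested attribute
            else:
                result.add(member)
        flat[attr] = frozenset(result)
        return flat[attr]

    for attr in attributes:
        resolve(attr, frozenset())
    return flat


def nested_memberships(attributes, members):
    """(outer, inner) pairs where an attribute is a direct member of another:
    exactly the assignments a kernel-policy writer must expand itself."""
    return {(a, m) for a in attributes for m in members.get(a, ()) if m in attributes}


def attributes_of(type_name, flat):
    """Attributes a type belongs to after flattening (the seinfo -xa view)."""
    return {attr for attr, types in flat.items() if type_name in types}


def rules_for_source(type_name, flat, allows):
    """allow rules whose source covers the type (what sesearch -A -s lists)."""
    attrs = attributes_of(type_name, flat)
    return [r for r in allows if r[0] == type_name or r[0] in attrs]


if __name__ == "__main__":
    parsed = parse(SAMPLE_CIL)
    flat = expand(parsed["attributes"], parsed["members"])
    print("nested:", sorted(nested_memberships(parsed["attributes"], parsed["members"])))
    for rule in rules_for_source("mytype_t", flat, parsed["allows"]):
        print("allow", rule[0], f"{rule[1]}:{rule[2]}", "{", " ".join(sorted(rule[3])), "};")
```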
* Re: [PATCH] checkpolicy: Allow attribute assignment to attributes
2025-06-23 18:06 ` James Carter
@ 2025-06-23 18:21 ` James Carter
2025-06-23 19:24 ` Vit Mojzis
From: James Carter @ 2025-06-23 18:21 UTC (permalink / raw)
To: Vit Mojzis; +Cc: Christian Göttsche, selinux
On Mon, Jun 23, 2025 at 2:06 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Mon, Jun 23, 2025 at 7:34 AM Vit Mojzis <vmojzis@redhat.com> wrote:
> >
> >
> >
> > On 6/23/25 12:56 PM, Christian Göttsche wrote:
> > > Jun 23, 2025 12:27:47 Vit Mojzis <vmojzis@redhat.com>:
> > >
> > >> Allow "typeattribute <attribute> <attribute>" to pass checkpolicy,
> > >> since (typeattributeset <attribute> <attribute>) is valid in CIL.
> > >>
> > >> Fixes:
> > >> $ cat myattributetest.te
> > >> policy_module(attributetest, 1.0.0)
> > >>
> > >> gen_require(`
> > >> attribute domain;
> > >> ')
> > >>
> > >> attribute myattribute;
> > >>
> > >> typeattribute myattribute domain;
> > >>
> > >> $ make -f /usr/share/selinux/devel/Makefile attributetest.pp 2 ↵
> > >> Compiling targeted attributetest module
> > >> attributetest.te:9:ERROR 'unknown type myattribute' at token ';' on line 3418:
> > >> typeattribute myattribute domain;
> > >>
> > >> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
> > >> ---
> > >> After some simple tests with CIL policies, it seems that attribute
> > >> assignment works as expected. Is there a reason checkpolicy does not
> > >> recognise it?
> > > Did you test that all types associated with myattribute are also associated with domain?
> > >
> > Yes, also please see the more complex example below (mytype_t is part of
> > "a", "b" and "c" after being assigned to "c").
> > As for the "domain" example:
> >
> > $ cat typeattribute.te
> > policy_module(attributetest, 1.0.0)
> >
> > gen_require(`
> > attribute domain;
> > ')
> >
> > attribute myattribute;
> >
> > typeattribute myattribute domain;
> >
> > type mytype_t;
> >
> > typeattribute mytype_t myattribute;
> >
> > $ make -f /usr/share/selinux/devel/Makefile attributetest.pp
> > Compiling targeted attributetest module
> > Creating targeted attributetest.pp policy package
> > rm tmp/attributetest.mod.fc tmp/attributetest.mod
> >
> > $ /usr/libexec/selinux/hll/pp < attributetest.pp > attributetest.cil
> > $ cat attributetest.cil
> > (typeattribute myattribute)
> > (typeattributeset myattribute (mytype_t ))
> > (type mytype_t)
> > (roletype object_r mytype_t)
> > (roleattributeset cil_gen_require system_r)
> > (typeattributeset cil_gen_require domain)
> > (typeattributeset domain (myattribute ))
> >
> > $ semodule -i attributetest.pp
> > $ seinfo -xa domain | grep mytype
> > mytype_t
> >
> > I also tested the functionality on a combination of multiple attributes
> > from container module and all seems to work fine (at least as long as we
> > can trust "seinfo" and "sesearch"). CIL is not even complaining about
> > mixed assignments that result in some interface calls on attributes
> > (e.g. kernel_read_all_proc(container_t_domain) -> (typeattributeset
> > can_dump_kernel (container_runtime_t container_t container_t_domain
> > container_userns_t container_logreader_t container_logwriter_t
> > container_kvm_t container_init_t container_engine_t container_device_t
> > container_device_plugin_t container_device_plugin_init_t ))). In
> > combination with "typeattribute mycontainer_t container_t_domain;" this
> > also works as expected:
> > $ seinfo -xa can_dump_kernel | grep mycontainer_t
> > mycontainer_t
> >
> > It is by no means a complete test. I was hoping someone here would be
> > more familiar with attribute assignment and would let me know why it's
> > not allowed or that it is just an oversight.
> >
>
> I don't think the kernel supports attributes being assigned to attributes.
> For CIL to support typeattributesets, it expands all attributes when
> it evaluates the set.
>
> I think what is happening is that the binary format unintentionally
> handles attributes being assigned to attributes (even though that was
> never intended) and since CIL is creating the final binary policy for
> the kernel all the attributes in an attribute get expanded.
> It might actually be possible to start allowing this, but I would want
> to test more to make sure.
I just realized that the fatal flaw in this is that the kernel binary
policy produced by checkpolicy will not work (if I am correct that the
kernel will not properly handle attributes having attributes and even
if it does there could be severe performance issues).
Jim
>
> This is definitely an interesting finding!
>
> Thanks,
> Jim
>
> > Vit
> >
> > >> $ cat a.cil
> > >> (typeattribute a)
> > >> (typeattribute b)
> > >> (typeattribute c)
> > >> (type mytype_t)
> > >> (typeattributeset a b)
> > >> (typeattributeset b c)
> > >> (typeattributeset c mytype_t)
> > >> (allow a user_home_t (dir (getattr open search)))
> > >> (allow b tmp_t (dir (getattr open search)))
> > >> (allow c etc_t (dir (getattr open search)))
> > >>
> > >> $semodule -i a.cil
> > >>
> > >> $sesearch -A -s mytype_t
> > >> allow a user_home_t:dir { getattr open search };
> > >> allow b tmp_t:dir { getattr open search };
> > >> allow c etc_t:dir { getattr open search };
> > >>
> > >> $seinfo -xa a
> > >>
> > >> Type Attributes: 1
> > >> attribute a;
> > >> mytype_t
> > >>
> > >>
> > >> checkpolicy/policy_define.c | 2 +-
> > >> 1 file changed, 1 insertion(+), 1 deletion(-)
> > >>
> > >> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> > >> index 4e0ddcc6..be788e8e 100644
> > >> --- a/checkpolicy/policy_define.c
> > >> +++ b/checkpolicy/policy_define.c
> > >> @@ -1440,7 +1440,7 @@ int define_typeattribute(void)
> > >> return -1;
> > >> }
> > >> t = hashtab_search(policydbp->p_types.table, id);
> > >> - if (!t || t->flavor == TYPE_ATTRIB) {
> > >> + if (!t) {
> > >> yyerror2("unknown type %s", id);
> > >> free(id);
> > >> return -1;
> > >> --
> > >> 2.49.0
> >
> >
* Re: [PATCH] checkpolicy: Allow attribute assignment to attributes
2025-06-23 18:21 ` James Carter
@ 2025-06-23 19:24 ` Vit Mojzis
2025-07-16 14:16 ` [PATCH] secilc: Add test for " Vit Mojzis
From: Vit Mojzis @ 2025-06-23 19:24 UTC (permalink / raw)
To: selinux
On 6/23/25 8:21 PM, James Carter wrote:
> On Mon, Jun 23, 2025 at 2:06 PM James Carter <jwcart2@gmail.com> wrote:
>>
>> On Mon, Jun 23, 2025 at 7:34 AM Vit Mojzis <vmojzis@redhat.com> wrote:
>>>
>>>
>>>
>>> On 6/23/25 12:56 PM, Christian Göttsche wrote:
>>>> Jun 23, 2025 12:27:47 Vit Mojzis <vmojzis@redhat.com>:
>>>>
>>>>> Allow "typeattribute <attribute> <attribute>" to pass checkpolicy,
>>>>> since (typeattributeset <attribute> <attribute>) is valid in CIL.
>>>>>
>>>>> Fixes:
>>>>> $ cat myattributetest.te
>>>>> policy_module(attributetest, 1.0.0)
>>>>>
>>>>> gen_require(`
>>>>> attribute domain;
>>>>> ')
>>>>>
>>>>> attribute myattribute;
>>>>>
>>>>> typeattribute myattribute domain;
>>>>>
>>>>> $ make -f /usr/share/selinux/devel/Makefile attributetest.pp 2 ↵
>>>>> Compiling targeted attributetest module
>>>>> attributetest.te:9:ERROR 'unknown type myattribute' at token ';' on line 3418:
>>>>> typeattribute myattribute domain;
>>>>>
>>>>> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
>>>>> ---
>>>>> After some simple tests with CIL policies, it seems that attribute
>>>>> assignment works as expected. Is there a reason checkpolicy does not
>>>>> recognise it?
>>>> Did you test that all types associated with myattribute are also associated with domain?
>>>>
>>> Yes, also please see the more complex example below (mytype_t is part of
>>> "a", "b" and "c" after being assigned to "c").
>>> As for the "domain" example:
>>>
>>> $ cat typeattribute.te
>>> policy_module(attributetest, 1.0.0)
>>>
>>> gen_require(`
>>> attribute domain;
>>> ')
>>>
>>> attribute myattribute;
>>>
>>> typeattribute myattribute domain;
>>>
>>> type mytype_t;
>>>
>>> typeattribute mytype_t myattribute;
>>>
>>> $ make -f /usr/share/selinux/devel/Makefile attributetest.pp
>>> Compiling targeted attributetest module
>>> Creating targeted attributetest.pp policy package
>>> rm tmp/attributetest.mod.fc tmp/attributetest.mod
>>>
>>> $ /usr/libexec/selinux/hll/pp < attributetest.pp > attributetest.cil
>>> $ cat attributetest.cil
>>> (typeattribute myattribute)
>>> (typeattributeset myattribute (mytype_t ))
>>> (type mytype_t)
>>> (roletype object_r mytype_t)
>>> (roleattributeset cil_gen_require system_r)
>>> (typeattributeset cil_gen_require domain)
>>> (typeattributeset domain (myattribute ))
>>>
>>> $ semodule -i attributetest.pp
>>> $ seinfo -xa domain | grep mytype
>>> mytype_t
>>>
>>> I also tested the functionality on a combination of multiple attributes
>>> from container module and all seems to work fine (at least as long as we
>>> can trust "seinfo" and "sesearch"). CIL is not even complaining about
>>> mixed assignments that result in some interface calls on attributes
>>> (e.g. kernel_read_all_proc(container_t_domain) -> (typeattributeset
>>> can_dump_kernel (container_runtime_t container_t container_t_domain
>>> container_userns_t container_logreader_t container_logwriter_t
>>> container_kvm_t container_init_t container_engine_t container_device_t
>>> container_device_plugin_t container_device_plugin_init_t ))). In
>>> combination with "typeattribute mycontainer_t container_t_domain;" this
>>> also works as expected:
>>> $ seinfo -xa can_dump_kernel | grep mycontainer_t
>>> mycontainer_t
>>>
>>> It is by no means a complete test. I was hoping someone here would be
>>> more familiar with attribute assignment and would let me know why it's
>>> not allowed or that it is just an oversight.
>>>
>>
>> I don't think the kernel supports attributes being assigned to attributes.
>> For CIL to support typeattributesets, it expands all attributes when
>> it evaluates the set.
>>
>> I think what is happening is that the binary format unintentionally
>> handles attributes being assigned to attributes (even though that was
>> never intended) and since CIL is creating the final binary policy for
>> the kernel all the attributes in an attribute get expanded.
>> It might actually be possible to start allowing this, but I would want
>> to test more to make sure.
>
> I just realized that the fatal flaw in this is that the kernel binary
> policy produced by checkpolicy will not work (if I am correct that the
> kernel will not properly handle attributes having attributes and even
> if it does there could be severe performance issues).
> Jim
>
Thank you for the analysis. Does that mean that I need to test that the
access is actually allowed? Is there some simple way to measure
performance (or are there other side effects I can watch for instead)?
I just tried replacing all the rules assigned to container_t with the
container_t_domain attribute
https://github.com/vmojzis/container-selinux/commit/3645ca555ed5b5aacbd64e300522cfc6e2fbc493
and a comparison of sesearch outputs matched between original
container_t and mycontainer_t that was assigned to the new attribute
(outputs attached). So even complex policy constructs seem to at least
transfer to CIL properly.
Thank you.
Vit
>
>>
>> This is definitely an interesting finding!
>>
>> Thanks,
>> Jim
>>
>>> Vit
>>>
>>>>> $ cat a.cil
>>>>> (typeattribute a)
>>>>> (typeattribute b)
>>>>> (typeattribute c)
>>>>> (type mytype_t)
>>>>> (typeattributeset a b)
>>>>> (typeattributeset b c)
>>>>> (typeattributeset c mytype_t)
>>>>> (allow a user_home_t (dir (getattr open search)))
>>>>> (allow b tmp_t (dir (getattr open search)))
>>>>> (allow c etc_t (dir (getattr open search)))
>>>>>
>>>>> $semodule -i a.cil
>>>>>
>>>>> $sesearch -A -s mytype_t
>>>>> allow a user_home_t:dir { getattr open search };
>>>>> allow b tmp_t:dir { getattr open search };
>>>>> allow c etc_t:dir { getattr open search };
>>>>>
>>>>> $seinfo -xa a
>>>>>
>>>>> Type Attributes: 1
>>>>> attribute a;
>>>>> mytype_t
>>>>>
>>>>>
>>>>> checkpolicy/policy_define.c | 2 +-
>>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
>>>>> index 4e0ddcc6..be788e8e 100644
>>>>> --- a/checkpolicy/policy_define.c
>>>>> +++ b/checkpolicy/policy_define.c
>>>>> @@ -1440,7 +1440,7 @@ int define_typeattribute(void)
>>>>> return -1;
>>>>> }
>>>>> t = hashtab_search(policydbp->p_types.table, id);
>>>>> - if (!t || t->flavor == TYPE_ATTRIB) {
>>>>> + if (!t) {
>>>>> yyerror2("unknown type %s", id);
>>>>> free(id);
>>>>> return -1;
>>>>> --
>>>>> 2.49.0
>>>
>>>
[-- Attachment #2: container.rules --]
$ sesearch -A -s container_t
allow container_domain container_runtime_domain:netlink_fib_lookup_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_firewall_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_generic_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_ip6fw_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_iscsi_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_kobject_uevent_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_netfilter_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_nflog_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_rdma_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_route_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_scsitransport_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_selinux_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_tcpdiag_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_xfrm_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netrom_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:nfc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:packet_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:phonet_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:pppox_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:process sigchld;
allow container_domain container_runtime_domain:qipcrtr_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:rawip_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:rds_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:rose_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:rxrpc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:sctp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:smc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:tcp_socket { accept append getattr getopt ioctl lock map read recv_msg send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:tipc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:tun_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom relabelfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:udp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:unix_dgram_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:unix_stream_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:vsock_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:x25_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:xdp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_tmpfs_t:dir mounton;
allow container_domain container_runtime_tmpfs_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
allow container_domain container_var_lib_t:dir { add_name ioctl lock read remove_name write };
allow container_domain container_var_lib_t:file entrypoint;
allow container_domain device_node:blk_file { append getattr ioctl lock map open read write }; [ container_use_devices ]:True
allow container_domain device_node:chr_file { append getattr ioctl lock map open read write }; [ container_use_devices ]:True
allow container_domain devpts_t:chr_file { append getattr ioctl lock read write };
allow container_domain dri_device_t:chr_file map; [ container_use_dri_devices ]:True
allow container_domain dri_device_t:chr_file open; [ container_use_dri_devices ]:True
allow container_domain dri_device_t:chr_file { append getattr ioctl lock read write };
allow container_domain ecryptfs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:dir { add_name ioctl lock read remove_name write }; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:dir { add_name ioctl lock read remove_name write }; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:dir { add_name ioctl lock read remove_name write }; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:file execmod; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:file { execute execute_no_trans getattr ioctl map open read }; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ container_use_ecryptfs ]:True
allow container_domain file_type:dir { getattr open search };
allow container_domain file_type:filesystem getattr;
allow container_domain filesystem_type:filesystem getattr;
allow container_domain fs_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ container_use_cephfs ]:True
allow container_domain fs_t:dir { add_name getattr ioctl lock open read remove_name search write }; [ container_use_cephfs ]:True
allow container_domain fs_t:dir { add_name getattr ioctl lock open read remove_name search write }; [ container_use_cephfs ]:True
allow container_domain fs_t:dir { add_name getattr ioctl lock open read remove_name search write }; [ container_use_cephfs ]:True
allow container_domain fs_t:dir { getattr open search }; [ container_use_cephfs ]:True
allow container_domain fs_t:file execmod; [ container_use_cephfs ]:True
allow container_domain fs_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ container_use_cephfs ]:True
allow container_domain fs_t:file { execute execute_no_trans getattr ioctl map open read }; [ container_use_cephfs ]:True
allow container_domain fs_t:filesystem { mount remount unmount };
allow container_domain fs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ container_use_cephfs ]:True
allow container_domain fuse_device_t:chr_file { append getattr ioctl lock open read write };
allow container_domain fusefs_t:dir { add_name create ioctl link lock mounton read remove_name rename reparent rmdir setattr unlink watch watch_reads write };
allow container_domain fusefs_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow container_domain fusefs_t:file { append create entrypoint execmod execute execute_no_trans getattr ioctl link lock map mounton open read rename setattr unlink watch watch_reads write };
allow container_domain fusefs_t:filesystem { mount remount unmount };
allow container_domain fusefs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write };
allow container_domain fusefs_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow container_domain gssproxy_t:unix_stream_socket connectto;
allow container_domain gssproxy_var_lib_t:sock_file { append getattr open write };
allow container_domain gssproxy_var_run_t:sock_file { append getattr open write };
allow container_domain hugetlbfs_t:dir { add_name ioctl lock read remove_name write };
allow container_domain hugetlbfs_t:file { append create execute execute_no_trans getattr ioctl link lock map open read rename setattr unlink watch watch_reads write };
allow container_domain init_t:alg_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:appletalk_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:atmpvc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:atmsvc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:ax25_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:bluetooth_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:caif_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:can_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:dccp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:decnet_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:icmp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:ieee802154_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:ipx_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:irda_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:isdn_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:iucv_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:kcm_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:llc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:mctp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_audit_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_connector_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_crypto_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_dnrt_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_fib_lookup_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_firewall_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_generic_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_ip6fw_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_iscsi_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_kobject_uevent_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_netfilter_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_nflog_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_rdma_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_route_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_scsitransport_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_selinux_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_tcpdiag_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_xfrm_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netrom_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:nfc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:packet_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:phonet_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:pppox_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:qipcrtr_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:rawip_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:rds_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:rose_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:rxrpc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:sctp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:smc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:tcp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:tipc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:tun_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:udp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:unix_dgram_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:unix_stream_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:vsock_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:x25_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:xdp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain kernel_t:system ipc_info;
allow container_domain kvm_device_t:chr_file { append getattr ioctl lock open read write };
allow container_domain modules_object_t:dir { ioctl lock read };
allow container_domain modules_object_t:file { getattr ioctl lock open read };
allow container_domain modules_object_t:lnk_file { getattr read };
allow container_domain mtrr_device_t:chr_file { getattr ioctl lock open read };
allow container_domain mtrr_device_t:file { getattr ioctl lock open read };
allow container_domain net_conf_t:dir { ioctl lock read };
allow container_domain net_conf_t:file { getattr ioctl lock open read };
allow container_domain net_conf_t:lnk_file { getattr read };
allow container_domain nfs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True
allow container_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True
allow container_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True
allow container_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True
allow container_domain nfs_t:dir { ioctl lock read }; [ virt_use_nfs ]:True
allow container_domain nfs_t:file execmod; [ virt_use_nfs ]:True
allow container_domain nfs_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True
allow container_domain nfs_t:file { execute execute_no_trans getattr ioctl map open read }; [ virt_use_nfs ]:True
allow container_domain nfs_t:filesystem mount; [ virt_use_nfs ]:True
allow container_domain nfs_t:filesystem unmount; [ virt_use_nfs ]:True
allow container_domain nfs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True
allow container_domain nfs_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; [ virt_use_nfs ]:True
allow container_domain nsfs_t:file { getattr ioctl lock open read };
allow container_domain nsfs_t:filesystem unmount;
allow container_domain onload_fs_t:fifo_file { append getattr ioctl lock open read write };
allow container_domain onload_fs_t:file { append getattr ioctl lock open read write };
allow container_domain onload_fs_t:sock_file { append getattr ioctl open read write };
allow container_domain proc_net_t:file { ioctl lock open read };
allow container_domain proc_net_t:lnk_file { getattr read };
allow container_domain proc_type:dir { getattr ioctl lock mounton open read search };
allow container_domain proc_type:file { getattr mounton };
allow container_domain ptynode:chr_file { append getattr ioctl lock read write };
allow container_domain random_device_t:chr_file { append getattr ioctl lock open read write };
allow container_domain rpm_var_cache_t:dir { ioctl lock read };
allow container_domain rpm_var_cache_t:file { getattr ioctl lock open read };
allow container_domain rpm_var_cache_t:lnk_file { getattr read };
allow container_domain rpm_var_lib_t:dir { ioctl lock read };
allow container_domain rpm_var_lib_t:file { getattr ioctl lock map open read };
allow container_domain rpm_var_lib_t:lnk_file { getattr read };
allow container_domain spc_t:unix_stream_socket { read write };
allow container_domain sssd_t:unix_stream_socket connectto;
allow container_domain sssd_var_lib_t:sock_file { append getattr open write };
allow container_domain sysctl_kernel_ns_last_pid_t:file { append write };
allow container_domain sysctl_net_t:file { append write };
allow container_domain sysctl_net_t:lnk_file { getattr read };
allow container_domain sysctl_net_unix_t:file { append write };
allow container_domain sysctl_rpc_t:file { append write };
allow container_domain sysctl_type:dir { getattr ioctl lock open read search };
allow container_domain sysctl_type:file { getattr ioctl lock open read };
allow container_domain sysfs_t:dir { ioctl lock read watch };
allow container_domain sysfs_t:file { getattr ioctl lock open read };
allow container_domain sysfs_t:lnk_file { getattr read };
allow container_domain systemd_logind_t:dbus send_msg;
allow container_domain systemd_logind_t:fd use;
allow container_domain tmpfs_t:file { append getattr ioctl lock read write };
allow container_domain tmpfs_t:filesystem { mount unmount };
allow container_domain tmpfs_t:lnk_file { getattr read };
allow container_domain tty_device_t:chr_file { append getattr ioctl lock read write };
allow container_domain ttynode:chr_file { append getattr ioctl lock read write };
allow container_domain unconfined_domain_type:fifo_file { append getattr ioctl lock map open read write };
allow container_domain urandom_device_t:chr_file { append write };
allow container_domain user_devpts_t:chr_file open;
allow container_domain userdomain:alg_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:appletalk_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:atmpvc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:atmsvc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:ax25_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:bluetooth_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:caif_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:can_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:dccp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:decnet_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:fifo_file { append getattr ioctl lock read write };
allow container_domain userdomain:icmp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:ieee802154_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:ipx_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:irda_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:isdn_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:iucv_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:kcm_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:llc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:mctp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_audit_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_connector_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_crypto_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_dnrt_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_fib_lookup_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_firewall_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_generic_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_ip6fw_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_iscsi_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_kobject_uevent_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_netfilter_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_nflog_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_rdma_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_route_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_scsitransport_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_selinux_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_tcpdiag_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_xfrm_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netrom_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:nfc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:packet_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:phonet_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:pppox_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:qipcrtr_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:rawip_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:rds_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:rose_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:rxrpc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:sctp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:smc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:tcp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:tipc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:tun_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:udp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:unix_dgram_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:unix_stream_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:vsock_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:x25_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:xdp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain zero_device_t:chr_file execute;
allow container_net_domain node_t:rawip_socket node_bind;
allow container_net_domain node_t:tcp_socket node_bind;
allow container_net_domain node_t:udp_socket node_bind;
allow container_net_domain port_type:sctp_socket { name_bind name_connect };
allow container_net_domain port_type:tcp_socket { name_bind name_connect recv_msg send_msg };
allow container_net_domain port_type:udp_socket { name_bind recv_msg send_msg };
allow container_t container_file_t:blk_file { map relabelfrom relabelto };
allow container_t container_file_t:chr_file { execute map relabelfrom relabelto watch watch_reads };
allow container_t container_file_t:dir map;
allow container_t container_file_t:fifo_file { map relabelfrom relabelto };
allow container_t container_file_t:filesystem { mount unmount };
allow container_t container_file_t:lnk_file { map relabelfrom relabelto };
allow container_t container_file_t:sock_file { map relabelfrom relabelto };
allow container_t container_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:appletalk_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:association sendto;
allow container_t container_t:atmpvc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:atmsvc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:ax25_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:bluetooth_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:caif_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:can_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:cap2_userns { audit_read block_suspend bpf checkpoint_restore perfmon syslog wake_alarm }; [ virt_sandbox_use_all_caps ]:True
allow container_t container_t:cap_userns { audit_control fsetid ipc_lock ipc_owner lease linux_immutable net_broadcast sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; [ virt_sandbox_use_all_caps ]:True
allow container_t container_t:cap_userns { audit_write chown dac_override dac_read_search fowner kill mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_chroot };
allow container_t container_t:capability sys_admin; [ virt_sandbox_use_sys_admin ]:True
allow container_t container_t:capability { audit_control dac_override fsetid ipc_lock ipc_owner lease linux_immutable net_broadcast sys_admin sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; [ virt_sandbox_use_all_caps ]:True
allow container_t container_t:capability { audit_write chown dac_read_search fowner kill mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot };
allow container_t container_t:capability2 { audit_read block_suspend bpf checkpoint_restore epolwakeup perfmon syslog wake_alarm }; [ virt_sandbox_use_all_caps ]:True
allow container_t container_t:dccp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:decnet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:dir { getattr ioctl lock open read search watch };
allow container_t container_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow container_t container_t:file { append getattr ioctl lock open read write };
allow container_t container_t:filesystem associate;
allow container_t container_t:icmp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:ieee802154_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:ipx_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:irda_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:isdn_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:iucv_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:kcm_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:key { create read setattr view write };
allow container_t container_t:llc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:lnk_file { getattr ioctl lock open read setattr };
allow container_t container_t:mctp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:msg { receive send };
allow container_t container_t:msgq { associate create destroy enqueue getattr read setattr unix_read unix_write write };
allow container_t container_t:netlink_audit_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_audit_socket { nlmsg_read nlmsg_relay nlmsg_tty_audit }; [ virt_sandbox_use_audit ]:True
allow container_t container_t:netlink_connector_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_crypto_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_dnrt_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_fib_lookup_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_firewall_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_generic_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_ip6fw_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_iscsi_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_kobject_uevent_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_netfilter_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_nflog_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_rdma_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_route_socket { accept append bind connect create getattr getopt ioctl lock map nlmsg_read nlmsg_write read setattr setopt shutdown write };
allow container_t container_t:netlink_scsitransport_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_selinux_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_tcpdiag_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_tcpdiag_socket { nlmsg_read nlmsg_write }; [ virt_sandbox_use_netlink ]:True
allow container_t container_t:netlink_xfrm_socket { accept append bind connect create getattr getopt ioctl lock map nlmsg_read nlmsg_write read setattr setopt shutdown write };
allow container_t container_t:netrom_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:nfc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:packet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:passwd rootok;
allow container_t container_t:peer recv;
allow container_t container_t:phonet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:pppox_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:process ptrace; [ deny_ptrace ]:False
allow container_t container_t:process ptrace; [ deny_ptrace ]:False
allow container_t container_t:process { execmem execstack fork getattr getcap getpgid getrlimit getsched getsession setcap setexec setfscreate setpgid setrlimit setsched sigchld sigkill signal signull sigstop };
allow container_t container_t:qipcrtr_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:rawip_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow container_t container_t:rds_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:rose_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:rxrpc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:sctp_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow container_t container_t:sem { associate create destroy getattr read setattr unix_read unix_write write };
allow container_t container_t:shm { associate create destroy getattr lock read setattr unix_read unix_write write };
allow container_t container_t:smc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow container_t container_t:tcp_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow container_t container_t:tipc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:tun_socket { accept append attach_queue bind connect create getattr getopt ioctl lock map read relabelfrom relabelto setattr setopt shutdown write };
allow container_t container_t:udp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:unix_dgram_socket { accept append bind connect create getattr getopt ioctl lock map read sendto setattr setopt shutdown write };
allow container_t container_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock map read sendto setattr setopt shutdown write };
allow container_t container_t:user_namespace create;
allow container_t container_t:vsock_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:x25_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:xdp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t proc_t:filesystem remount;
allow container_t proc_type:file { ioctl lock open read };
allow container_t sysfs_t:dir mounton;
allow container_t xserver_misc_device_t:chr_file getattr; [ container_use_xserver_devices ]:True
allow container_t xserver_misc_device_t:chr_file map; [ container_use_xserver_devices ]:True
allow container_t xserver_misc_device_t:chr_file { append getattr ioctl lock open read write }; [ container_use_xserver_devices ]:True
allow corenet_unconfined_type netif_type:netif { dccp_recv dccp_send egress ingress rawip_recv rawip_send tcp_recv tcp_send udp_recv udp_send };
allow corenet_unconfined_type node_type:dccp_socket node_bind;
allow corenet_unconfined_type node_type:icmp_socket node_bind;
allow corenet_unconfined_type node_type:node { dccp_recv dccp_send enforce_dest rawip_recv rawip_send recvfrom sendto tcp_recv tcp_send udp_recv udp_send };
allow corenet_unconfined_type node_type:rawip_socket node_bind;
allow corenet_unconfined_type node_type:sctp_socket node_bind;
allow corenet_unconfined_type node_type:tcp_socket node_bind;
allow corenet_unconfined_type node_type:udp_socket node_bind;
allow corenet_unconfined_type packet_type:packet { flow_in flow_out forward_in forward_out recv relabelto send };
allow corenet_unconfined_type port_type:dccp_socket { name_bind name_connect recv_msg send_msg };
allow corenet_unconfined_type port_type:rawip_socket name_bind;
allow corenet_unconfined_type port_type:sctp_socket { name_bind name_connect recv_msg send_msg };
allow corenet_unconfined_type port_type:tcp_socket { name_bind name_connect recv_msg send_msg };
allow corenet_unconfined_type port_type:udp_socket { name_bind recv_msg send_msg };
allow corenet_unconfined_type unlabeled_t:infiniband_endport manage_subnet;
allow corenet_unconfined_type unlabeled_t:infiniband_pkey access;
allow corenet_unlabeled_type unlabeled_t:association { recvfrom sendto };
allow corenet_unlabeled_type unlabeled_t:dccp_socket recvfrom;
allow corenet_unlabeled_type unlabeled_t:peer recv;
allow corenet_unlabeled_type unlabeled_t:rawip_socket recvfrom;
allow corenet_unlabeled_type unlabeled_t:tcp_socket recvfrom;
allow corenet_unlabeled_type unlabeled_t:udp_socket recvfrom;
allow domain abrt_dump_oops_t:process sigchld; [ deny_ptrace ]:False
allow domain abrt_helper_exec_t:file { execute getattr ioctl map open read };
allow domain abrt_helper_t:process transition;
allow domain abrt_t:dir { getattr ioctl lock open read search };
allow domain abrt_t:fifo_file { append getattr ioctl lock read write };
allow domain abrt_t:file { getattr ioctl lock open read };
allow domain abrt_t:lnk_file { getattr read };
allow domain abrt_t:process { getattr signull };
allow domain abrt_var_run_t:dir { getattr open search };
allow domain abrt_var_run_t:file { getattr ioctl lock open read };
allow domain admin_home_t:dir { getattr open search };
allow domain admin_home_t:lnk_file { getattr read };
allow domain afs_cache_t:file { read write };
allow domain afs_t:udp_socket { read write };
allow domain automount_t:fd use;
allow domain automount_t:fifo_file write;
allow domain base_file_type:dir { getattr open search };
allow domain base_ro_file_type:dir { ioctl lock read };
allow domain base_ro_file_type:file { getattr ioctl lock open read };
allow domain base_ro_file_type:lnk_file { getattr read };
allow domain cpu_online_t:dir { getattr open search };
allow domain cpu_online_t:file { getattr ioctl lock open read };
allow domain crond_t:fifo_file { append getattr ioctl lock read write };
allow domain crypt_device_t:chr_file { append getattr ioctl lock open read write };
allow domain device_t:dir { ioctl lock read };
allow domain device_t:lnk_file { getattr read };
allow domain devicekit_power_t:dbus send_msg;
allow domain devtty_t:chr_file { append getattr ioctl lock open read write };
allow domain domain:fd use; [ domain_fd_use ]:True
allow domain domain:key { link search };
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow domain fonts_cache_t:dir { getattr ioctl lock open read search };
allow domain fonts_cache_t:file { getattr ioctl lock map open read };
allow domain fonts_cache_t:lnk_file { getattr read };
allow domain fonts_t:dir { getattr ioctl lock open read search };
allow domain fonts_t:file { getattr ioctl lock map open read };
allow domain fonts_t:lnk_file { getattr read };
allow domain ica_tmpfs_t:file { create getattr open };
allow domain init_t:process { sigchld signull };
allow domain initrc_tmp_t:file { open write };
allow domain install_t:fd use;
allow domain install_t:process sigchld; [ deny_ptrace ]:False
allow domain ipsec_spd_t:association polmatch;
allow domain kernel_t:system module_request; [ domain_kernel_load_modules ]:True
allow domain kmsg_device_t:chr_file { append getattr ioctl lock open write }; [ domain_can_write_kmsg ]:True
allow domain ld_so_cache_t:file { getattr ioctl lock map open read };
allow domain ld_so_t:file { execute getattr ioctl map open read };
allow domain ld_so_t:lnk_file { getattr read };
allow domain lib_t:file { execute map };
allow domain livecd_t:process sigchld; [ deny_ptrace ]:False
allow domain locale_t:dir { getattr ioctl lock open read search };
allow domain locale_t:file { getattr ioctl lock map open read };
allow domain locale_t:lnk_file { getattr read };
allow domain machineid_t:file { getattr ioctl lock open read };
allow domain man_cache_t:dir { getattr ioctl lock open read search };
allow domain man_cache_t:file { getattr ioctl lock open read };
allow domain man_cache_t:lnk_file { getattr read };
allow domain man_t:dir { getattr ioctl lock open read search };
allow domain man_t:file { getattr ioctl lock open read };
allow domain man_t:lnk_file { getattr read };
allow domain mandb_cache_t:dir { getattr open search };
allow domain mandb_cache_t:file { getattr ioctl lock open read };
allow domain mnt_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write };
allow domain mnt_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow domain mnt_t:lnk_file { getattr read };
allow domain netlabel_peer_t:peer recv;
allow domain netlabel_peer_t:tcp_socket recvfrom;
allow domain null_device_t:chr_file { append getattr ioctl lock open read write };
allow domain pkcs11_modules_conf_t:dir { getattr ioctl lock open read search };
allow domain pkcs11_modules_conf_t:file { getattr ioctl lock map open read };
allow domain prelink_exec_t:file { execute execute_no_trans getattr ioctl lock map open read }; [ fips_mode ]:True
allow domain proc_t:dir { getattr open search };
allow domain proc_t:filesystem getattr;
allow domain proc_t:lnk_file { getattr read };
allow domain puppet_tmp_t:file write;
allow domain rkhunter_var_lib_t:dir { getattr open search };
allow domain rkhunter_var_lib_t:file { append getattr ioctl lock open };
allow domain root_t:dir { ioctl lock read };
allow domain root_t:lnk_file { getattr ioctl lock read };
allow domain rpm_log_t:dir { getattr open search };
allow domain rpm_script_tmp_t:dir { getattr open search };
allow domain rpm_script_tmp_t:fifo_file { append getattr ioctl lock read write };
allow domain rpm_script_tmp_t:file open;
allow domain rpm_script_tmp_t:lnk_file { getattr read };
allow domain rpm_t:fd use;
allow domain rpm_t:fifo_file { getattr ioctl lock open read };
allow domain security_t:dir { getattr open search };
allow domain security_t:filesystem getattr;
allow domain security_t:lnk_file { getattr read };
allow domain selinux_config_t:dir { getattr open search };
allow domain setrans_t:context translate;
allow domain setrans_t:unix_stream_socket connectto;
allow domain setrans_var_run_t:dir { getattr open search };
allow domain setrans_var_run_t:sock_file { append getattr open write };
allow domain sosreport_tmp_t:dir { getattr open search };
allow domain sosreport_tmp_t:file open;
allow domain spc_t:process sigchld;
allow domain spc_t:unix_stream_socket connectto;
allow domain sshd_t:fifo_file { append getattr ioctl lock read write };
allow domain sysadm_t:process sigchld; [ deny_ptrace ]:False
allow domain sysctl_crypto_t:dir { getattr ioctl lock open read search };
allow domain sysctl_crypto_t:file { getattr ioctl lock open read };
allow domain sysctl_kernel_t:dir { getattr ioctl lock open read search }; [ fips_mode ]:True
allow domain sysctl_kernel_t:dir { getattr open search }; [ fips_mode ]:True
allow domain sysctl_kernel_t:file { getattr ioctl lock open read }; [ fips_mode ]:True
allow domain sysctl_t:dir { getattr open search };
allow domain sysctl_vm_overcommit_t:dir { getattr open search };
allow domain sysctl_vm_overcommit_t:file { getattr ioctl lock open read };
allow domain sysctl_vm_t:dir { getattr open search };
allow domain sysfs_t:dir { getattr open search };
allow domain sysfs_t:filesystem getattr;
allow domain system_cronjob_t:fifo_file { append getattr ioctl lock read write };
allow domain systemd_nsresourced_runtime_t:sock_file { append getattr open write };
allow domain systemd_nsresourced_t:unix_stream_socket connectto;
allow domain systemd_resolved_t:dbus send_msg;
allow domain systemd_resolved_t:unix_stream_socket connectto;
allow domain systemd_resolved_var_run_t:dir { getattr open search };
allow domain systemd_resolved_var_run_t:sock_file { append getattr open write };
allow domain textrel_shlib_t:file { execmod execute map };
allow domain tmp_t:file { open write };
allow domain tmp_t:lnk_file { getattr read };
allow domain tmpfile:file { append getattr ioctl lock read };
allow domain tmpfs_t:dir { add_name getattr ioctl lock open read remove_name search write };
allow domain unconfined_domain_type:association recvfrom;
allow domain unconfined_domain_type:peer recv;
allow domain unconfined_domain_type:tcp_socket recvfrom;
allow domain unconfined_t:fd use;
allow domain unconfined_t:process sigchld;
allow domain unlabeled_t:packet { recv send };
allow domain urandom_device_t:chr_file { getattr ioctl lock open read };
allow domain usermodehelper_t:dir { getattr ioctl lock open read search };
allow domain usermodehelper_t:file { getattr ioctl lock open read };
allow domain usermodehelper_t:lnk_file { getattr read };
allow domain usr_t:file map;
allow domain var_log_t:dir { getattr open search };
allow domain var_run_t:dir { ioctl lock read };
allow domain var_run_t:lnk_file { getattr read };
allow domain var_t:lnk_file { getattr read };
allow domain vmtools_unconfined_t:dbus send_msg;
allow domain zero_device_t:chr_file { append getattr ioctl lock map open read write };
allow kernel_system_state_reader proc_t:dir { ioctl lock read };
allow kernel_system_state_reader proc_t:file { getattr ioctl lock open read };
allow sandbox_net_domain node_t:rawip_socket node_bind;
allow sandbox_net_domain node_t:tcp_socket node_bind;
allow sandbox_net_domain node_t:udp_socket node_bind;
allow sandbox_net_domain port_type:tcp_socket { name_bind name_connect recv_msg send_msg };
allow sandbox_net_domain port_type:udp_socket { name_bind recv_msg send_msg };
allow sandbox_net_domain proc_net_t:dir { getattr ioctl lock open read search };
allow sandbox_net_domain proc_net_t:file { getattr ioctl lock open read };
allow sandbox_net_domain proc_net_t:lnk_file { getattr read };
allow sandbox_net_domain sssd_t:unix_stream_socket connectto;
allow sandbox_net_domain sssd_var_lib_t:dir { getattr open search };
allow sandbox_net_domain sssd_var_lib_t:sock_file { append getattr open write };
allow sandbox_net_domain svirt_home_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write };
allow sandbox_net_domain svirt_home_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow sandbox_net_domain svirt_home_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow sandbox_net_domain svirt_home_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write };
allow sandbox_net_domain svirt_home_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow sandbox_net_domain systemd_logind_t:dbus send_msg;
allow sandbox_net_domain systemd_logind_t:fd use;
allow sandbox_net_domain virt_home_t:dir { add_name getattr ioctl lock open read remove_name search write };
allow svirt_sandbox_domain cifs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:dir { ioctl lock read }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:file { append create link rename setattr unlink watch watch_reads write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:lnk_file { append create ioctl link lock rename setattr unlink watch watch_reads write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain container_devpts_t:chr_file { append getattr ioctl lock open read write };
allow svirt_sandbox_domain container_file_t:blk_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow svirt_sandbox_domain container_file_t:chr_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow svirt_sandbox_domain container_file_t:dir { add_name create execmod ioctl link lock read relabelfrom relabelto remove_name rename reparent rmdir setattr unlink watch watch_reads write };
allow svirt_sandbox_domain container_file_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow svirt_sandbox_domain container_file_t:file { append create execmod execute execute_no_trans getattr ioctl link lock map open read relabelfrom relabelto rename setattr unlink watch watch_reads write };
allow svirt_sandbox_domain container_file_t:filesystem remount;
allow svirt_sandbox_domain container_file_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write };
allow svirt_sandbox_domain container_file_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow svirt_sandbox_domain container_ro_file_t:dir { ioctl lock read };
allow svirt_sandbox_domain container_ro_file_t:file { execmod execute execute_no_trans getattr ioctl lock map open read };
allow svirt_sandbox_domain container_ro_file_t:lnk_file { getattr read };
allow svirt_sandbox_domain container_runtime_domain:dir { getattr ioctl lock open read search };
allow svirt_sandbox_domain container_runtime_domain:file { getattr ioctl lock open read };
allow svirt_sandbox_domain container_runtime_domain:lnk_file { getattr read };
allow svirt_sandbox_domain container_runtime_domain:process getattr;
allow svirt_sandbox_domain container_var_lib_t:dir { add_name ioctl lock read remove_name write };
allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
allow svirt_sandbox_domain exec_type:lnk_file { getattr read };
allow svirt_sandbox_domain file_type:dir { getattr open search };
allow svirt_sandbox_domain file_type:filesystem getattr;
allow svirt_sandbox_domain filesystem_type:filesystem getattr;
allow svirt_sandbox_domain fs_t:dir { getattr open search };
allow svirt_sandbox_domain fs_t:file { append getattr ioctl lock open read write };
allow svirt_sandbox_domain fs_t:lnk_file { getattr ioctl lock read write };
allow svirt_sandbox_domain fusefs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:dir { add_name ioctl lock read remove_name write }; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:dir { add_name ioctl lock read remove_name write }; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:file { execute execute_no_trans getattr ioctl map open read }; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:filesystem mount; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:filesystem unmount; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain httpd_modules_t:dir { ioctl lock read }; [ virt_sandbox_share_apache_content ]:True
allow svirt_sandbox_domain httpd_modules_t:file { execute execute_no_trans getattr ioctl lock map open read }; [ virt_sandbox_share_apache_content ]:True
[-- Attachment #3: mycontainer.rules --]
[-- Type: text/plain, Size: 73199 bytes --]
$ sesearch -A -s mycontainer_t
allow container_domain userdomain:fifo_file { append getattr ioctl lock read write };
allow container_domain userdomain:icmp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:ieee802154_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:ipx_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:irda_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:isdn_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:iucv_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:kcm_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:llc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:mctp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_audit_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_connector_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_crypto_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_dnrt_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_fib_lookup_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_firewall_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_generic_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_ip6fw_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_iscsi_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_kobject_uevent_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_netfilter_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_nflog_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_rdma_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_route_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_scsitransport_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_selinux_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_tcpdiag_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_xfrm_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netrom_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:nfc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:packet_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:phonet_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:pppox_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:qipcrtr_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:rawip_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:rds_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:rose_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:rxrpc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:sctp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:smc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:tcp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:tipc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:tun_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:udp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:unix_dgram_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:unix_stream_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:vsock_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:x25_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:xdp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain zero_device_t:chr_file execute;
allow container_net_domain node_t:rawip_socket node_bind;
allow container_net_domain node_t:tcp_socket node_bind;
allow container_net_domain node_t:udp_socket node_bind;
allow container_net_domain port_type:sctp_socket { name_bind name_connect };
allow container_net_domain port_type:tcp_socket { name_bind name_connect recv_msg send_msg };
allow container_net_domain port_type:udp_socket { name_bind recv_msg send_msg };
allow container_t_domain container_file_t:blk_file { map relabelfrom relabelto };
allow container_t_domain container_file_t:chr_file { execute map relabelfrom relabelto watch watch_reads };
allow container_t_domain container_file_t:dir map;
allow container_t_domain container_file_t:fifo_file { map relabelfrom relabelto };
allow container_t_domain container_file_t:filesystem { mount unmount };
allow container_t_domain container_file_t:lnk_file { map relabelfrom relabelto };
allow container_t_domain container_file_t:sock_file { map relabelfrom relabelto };
allow container_t_domain proc_t:filesystem remount;
allow container_t_domain proc_type:file { ioctl lock open read };
allow container_t_domain sysfs_t:dir mounton;
allow container_t_domain xserver_misc_device_t:chr_file getattr; [ container_use_xserver_devices ]:True
allow container_t_domain xserver_misc_device_t:chr_file map; [ container_use_xserver_devices ]:True
allow container_t_domain xserver_misc_device_t:chr_file { append getattr ioctl lock open read write }; [ container_use_xserver_devices ]:True
allow corenet_unconfined_type netif_type:netif { dccp_recv dccp_send egress ingress rawip_recv rawip_send tcp_recv tcp_send udp_recv udp_send };
allow corenet_unconfined_type node_type:dccp_socket node_bind;
allow corenet_unconfined_type node_type:icmp_socket node_bind;
allow corenet_unconfined_type node_type:node { dccp_recv dccp_send enforce_dest rawip_recv rawip_send recvfrom sendto tcp_recv tcp_send udp_recv udp_send };
allow corenet_unconfined_type node_type:rawip_socket node_bind;
allow corenet_unconfined_type node_type:sctp_socket node_bind;
allow corenet_unconfined_type node_type:tcp_socket node_bind;
allow corenet_unconfined_type node_type:udp_socket node_bind;
allow corenet_unconfined_type packet_type:packet { flow_in flow_out forward_in forward_out recv relabelto send };
allow corenet_unconfined_type port_type:dccp_socket { name_bind name_connect recv_msg send_msg };
allow corenet_unconfined_type port_type:rawip_socket name_bind;
allow corenet_unconfined_type port_type:sctp_socket { name_bind name_connect recv_msg send_msg };
allow corenet_unconfined_type port_type:tcp_socket { name_bind name_connect recv_msg send_msg };
allow corenet_unconfined_type port_type:udp_socket { name_bind recv_msg send_msg };
allow corenet_unconfined_type unlabeled_t:infiniband_endport manage_subnet;
allow corenet_unconfined_type unlabeled_t:infiniband_pkey access;
allow corenet_unlabeled_type unlabeled_t:association { recvfrom sendto };
allow corenet_unlabeled_type unlabeled_t:dccp_socket recvfrom;
allow corenet_unlabeled_type unlabeled_t:peer recv;
allow corenet_unlabeled_type unlabeled_t:rawip_socket recvfrom;
allow corenet_unlabeled_type unlabeled_t:tcp_socket recvfrom;
allow corenet_unlabeled_type unlabeled_t:udp_socket recvfrom;
allow domain abrt_dump_oops_t:process sigchld; [ deny_ptrace ]:False
allow domain abrt_helper_exec_t:file { execute getattr ioctl map open read };
allow domain abrt_helper_t:process transition;
allow domain abrt_t:dir { getattr ioctl lock open read search };
allow domain abrt_t:fifo_file { append getattr ioctl lock read write };
allow domain abrt_t:file { getattr ioctl lock open read };
allow domain abrt_t:lnk_file { getattr read };
allow domain abrt_t:process { getattr signull };
allow domain abrt_var_run_t:dir { getattr open search };
allow domain abrt_var_run_t:file { getattr ioctl lock open read };
allow domain admin_home_t:dir { getattr open search };
allow domain admin_home_t:lnk_file { getattr read };
allow domain afs_cache_t:file { read write };
allow domain afs_t:udp_socket { read write };
allow domain automount_t:fd use;
allow domain automount_t:fifo_file write;
allow domain base_file_type:dir { getattr open search };
allow domain base_ro_file_type:dir { ioctl lock read };
allow domain base_ro_file_type:file { getattr ioctl lock open read };
allow domain base_ro_file_type:lnk_file { getattr read };
allow domain cpu_online_t:dir { getattr open search };
allow domain cpu_online_t:file { getattr ioctl lock open read };
allow domain crond_t:fifo_file { append getattr ioctl lock read write };
allow domain crypt_device_t:chr_file { append getattr ioctl lock open read write };
allow domain device_t:dir { ioctl lock read };
allow domain device_t:lnk_file { getattr read };
allow domain devicekit_power_t:dbus send_msg;
allow domain devtty_t:chr_file { append getattr ioctl lock open read write };
allow domain domain:fd use; [ domain_fd_use ]:True
allow domain domain:key { link search };
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow domain fonts_cache_t:dir { getattr ioctl lock open read search };
allow domain fonts_cache_t:file { getattr ioctl lock map open read };
allow domain fonts_cache_t:lnk_file { getattr read };
allow domain fonts_t:dir { getattr ioctl lock open read search };
allow domain fonts_t:file { getattr ioctl lock map open read };
allow domain fonts_t:lnk_file { getattr read };
allow domain ica_tmpfs_t:file { create getattr open };
allow domain init_t:process { sigchld signull };
allow domain initrc_tmp_t:file { open write };
allow domain install_t:fd use;
allow domain install_t:process sigchld; [ deny_ptrace ]:False
allow domain ipsec_spd_t:association polmatch;
allow domain kernel_t:system module_request; [ domain_kernel_load_modules ]:True
allow domain kmsg_device_t:chr_file { append getattr ioctl lock open write }; [ domain_can_write_kmsg ]:True
allow domain ld_so_cache_t:file { getattr ioctl lock map open read };
allow domain ld_so_t:file { execute getattr ioctl map open read };
allow domain ld_so_t:lnk_file { getattr read };
allow domain lib_t:file { execute map };
allow domain livecd_t:process sigchld; [ deny_ptrace ]:False
allow domain locale_t:dir { getattr ioctl lock open read search };
allow domain locale_t:file { getattr ioctl lock map open read };
allow domain locale_t:lnk_file { getattr read };
allow domain machineid_t:file { getattr ioctl lock open read };
allow domain man_cache_t:dir { getattr ioctl lock open read search };
allow domain man_cache_t:file { getattr ioctl lock open read };
allow domain man_cache_t:lnk_file { getattr read };
allow domain man_t:dir { getattr ioctl lock open read search };
allow domain man_t:file { getattr ioctl lock open read };
allow domain man_t:lnk_file { getattr read };
allow domain mandb_cache_t:dir { getattr open search };
allow domain mandb_cache_t:file { getattr ioctl lock open read };
allow domain mnt_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write };
allow domain mnt_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow domain mnt_t:lnk_file { getattr read };
allow domain netlabel_peer_t:peer recv;
allow domain netlabel_peer_t:tcp_socket recvfrom;
allow domain null_device_t:chr_file { append getattr ioctl lock open read write };
allow domain pkcs11_modules_conf_t:dir { getattr ioctl lock open read search };
allow domain pkcs11_modules_conf_t:file { getattr ioctl lock map open read };
allow domain prelink_exec_t:file { execute execute_no_trans getattr ioctl lock map open read }; [ fips_mode ]:True
allow domain proc_t:dir { getattr open search };
allow domain proc_t:filesystem getattr;
allow domain proc_t:lnk_file { getattr read };
allow domain puppet_tmp_t:file write;
allow domain rkhunter_var_lib_t:dir { getattr open search };
allow domain rkhunter_var_lib_t:file { append getattr ioctl lock open };
allow domain root_t:dir { ioctl lock read };
allow domain root_t:lnk_file { getattr ioctl lock read };
allow domain rpm_log_t:dir { getattr open search };
allow domain rpm_script_tmp_t:dir { getattr open search };
allow domain rpm_script_tmp_t:fifo_file { append getattr ioctl lock read write };
allow domain rpm_script_tmp_t:file open;
allow domain rpm_script_tmp_t:lnk_file { getattr read };
allow domain rpm_t:fd use;
allow domain rpm_t:fifo_file { getattr ioctl lock open read };
allow domain security_t:dir { getattr open search };
allow domain security_t:filesystem getattr;
allow domain security_t:lnk_file { getattr read };
allow domain selinux_config_t:dir { getattr open search };
allow domain setrans_t:context translate;
allow domain setrans_t:unix_stream_socket connectto;
allow domain setrans_var_run_t:dir { getattr open search };
allow domain setrans_var_run_t:sock_file { append getattr open write };
allow domain sosreport_tmp_t:dir { getattr open search };
allow domain sosreport_tmp_t:file open;
allow domain spc_t:process sigchld;
allow domain spc_t:unix_stream_socket connectto;
allow domain sshd_t:fifo_file { append getattr ioctl lock read write };
allow domain sysadm_t:process sigchld; [ deny_ptrace ]:False
allow domain sysctl_crypto_t:dir { getattr ioctl lock open read search };
allow domain sysctl_crypto_t:file { getattr ioctl lock open read };
allow domain sysctl_kernel_t:dir { getattr ioctl lock open read search }; [ fips_mode ]:True
allow domain sysctl_kernel_t:dir { getattr open search }; [ fips_mode ]:True
allow domain sysctl_kernel_t:file { getattr ioctl lock open read }; [ fips_mode ]:True
allow domain sysctl_t:dir { getattr open search };
allow domain sysctl_vm_overcommit_t:dir { getattr open search };
allow domain sysctl_vm_overcommit_t:file { getattr ioctl lock open read };
allow domain sysctl_vm_t:dir { getattr open search };
allow domain sysfs_t:dir { getattr open search };
allow domain sysfs_t:filesystem getattr;
allow domain system_cronjob_t:fifo_file { append getattr ioctl lock read write };
allow domain systemd_nsresourced_runtime_t:sock_file { append getattr open write };
allow domain systemd_nsresourced_t:unix_stream_socket connectto;
allow domain systemd_resolved_t:dbus send_msg;
allow domain systemd_resolved_t:unix_stream_socket connectto;
allow domain systemd_resolved_var_run_t:dir { getattr open search };
allow domain systemd_resolved_var_run_t:sock_file { append getattr open write };
allow domain textrel_shlib_t:file { execmod execute map };
allow domain tmp_t:file { open write };
allow domain tmp_t:lnk_file { getattr read };
allow domain tmpfile:file { append getattr ioctl lock read };
allow domain tmpfs_t:dir { add_name getattr ioctl lock open read remove_name search write };
allow domain unconfined_domain_type:association recvfrom;
allow domain unconfined_domain_type:peer recv;
allow domain unconfined_domain_type:tcp_socket recvfrom;
allow domain unconfined_t:fd use;
allow domain unconfined_t:process sigchld;
allow domain unlabeled_t:packet { recv send };
allow domain urandom_device_t:chr_file { getattr ioctl lock open read };
allow domain usermodehelper_t:dir { getattr ioctl lock open read search };
allow domain usermodehelper_t:file { getattr ioctl lock open read };
allow domain usermodehelper_t:lnk_file { getattr read };
allow domain usr_t:file map;
allow domain var_log_t:dir { getattr open search };
allow domain var_run_t:dir { ioctl lock read };
allow domain var_run_t:lnk_file { getattr read };
allow domain var_t:lnk_file { getattr read };
allow domain vmtools_unconfined_t:dbus send_msg;
allow domain zero_device_t:chr_file { append getattr ioctl lock map open read write };
allow kernel_system_state_reader proc_t:dir { ioctl lock read };
allow kernel_system_state_reader proc_t:file { getattr ioctl lock open read };
allow mycontainer_t mycontainer_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:appletalk_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:association sendto;
allow mycontainer_t mycontainer_t:atmpvc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:atmsvc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:ax25_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:bluetooth_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:caif_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:can_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:cap2_userns { audit_read block_suspend bpf checkpoint_restore perfmon syslog wake_alarm }; [ virt_sandbox_use_all_caps ]:True
allow mycontainer_t mycontainer_t:cap_userns { audit_control fsetid ipc_lock ipc_owner lease linux_immutable net_broadcast sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; [ virt_sandbox_use_all_caps ]:True
allow mycontainer_t mycontainer_t:cap_userns { audit_write chown dac_override dac_read_search fowner kill mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_chroot };
allow mycontainer_t mycontainer_t:capability sys_admin; [ virt_sandbox_use_sys_admin ]:True
allow mycontainer_t mycontainer_t:capability { audit_control dac_override fsetid ipc_lock ipc_owner lease linux_immutable net_broadcast sys_admin sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; [ virt_sandbox_use_all_caps ]:True
allow mycontainer_t mycontainer_t:capability { audit_write chown dac_read_search fowner kill mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot };
allow mycontainer_t mycontainer_t:capability2 { audit_read block_suspend bpf checkpoint_restore epolwakeup perfmon syslog wake_alarm }; [ virt_sandbox_use_all_caps ]:True
allow mycontainer_t mycontainer_t:dccp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:decnet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:dir { getattr ioctl lock open read search watch };
allow mycontainer_t mycontainer_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow mycontainer_t mycontainer_t:file { append getattr ioctl lock open read write };
allow mycontainer_t mycontainer_t:filesystem associate;
allow mycontainer_t mycontainer_t:icmp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:ieee802154_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:ipx_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:irda_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:isdn_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:iucv_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:kcm_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:key { create read setattr view write };
allow mycontainer_t mycontainer_t:llc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:lnk_file { getattr ioctl lock open read setattr };
allow mycontainer_t mycontainer_t:mctp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:msg { receive send };
allow mycontainer_t mycontainer_t:msgq { associate create destroy enqueue getattr read setattr unix_read unix_write write };
allow mycontainer_t mycontainer_t:netlink_audit_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_audit_socket { nlmsg_read nlmsg_relay nlmsg_tty_audit }; [ virt_sandbox_use_audit ]:True
allow mycontainer_t mycontainer_t:netlink_connector_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_crypto_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_dnrt_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_fib_lookup_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_firewall_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_generic_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_ip6fw_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_iscsi_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_kobject_uevent_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_netfilter_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_nflog_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_rdma_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_route_socket { accept append bind connect create getattr getopt ioctl lock map nlmsg_read nlmsg_write read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_scsitransport_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_selinux_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_tcpdiag_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_tcpdiag_socket { nlmsg_read nlmsg_write }; [ virt_sandbox_use_netlink ]:True
allow mycontainer_t mycontainer_t:netlink_xfrm_socket { accept append bind connect create getattr getopt ioctl lock map nlmsg_read nlmsg_write read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netrom_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:nfc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:packet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:passwd rootok;
allow mycontainer_t mycontainer_t:peer recv;
allow mycontainer_t mycontainer_t:phonet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:pppox_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:process ptrace; [ deny_ptrace ]:False
allow mycontainer_t mycontainer_t:process ptrace; [ deny_ptrace ]:False
allow mycontainer_t mycontainer_t:process { execmem execstack fork getattr getcap getpgid getrlimit getsched getsession setcap setexec setfscreate setpgid setrlimit setsched sigchld sigkill signal signull sigstop };
allow mycontainer_t mycontainer_t:qipcrtr_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:rawip_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
[-- Attachment #4: mycontainer_t.rules --]
[-- Type: text/plain, Size: 75644 bytes --]
$ sesearch -A -t mycontainer_t
allow kernel_t domain:udp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:unix_dgram_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:unix_stream_socket { accept append bind connect connectto getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:vsock_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:x25_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:xdp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow keyutils_request_t domain:key { create read setattr view write };
allow ksmtuned_t domain:dir { getattr ioctl lock open read search };
allow ksmtuned_t domain:file { getattr ioctl lock open read };
allow ksmtuned_t domain:lnk_file { getattr read };
allow ktlshd_t domain:key { read view };
allow login_pgm domain:dir { getattr ioctl lock open read search };
allow login_pgm domain:file { getattr ioctl lock open read };
allow login_pgm domain:lnk_file { getattr read };
allow login_pgm domain:process sigkill;
allow logrotate_t domain:dir { getattr ioctl lock open read search };
allow logrotate_t domain:file { getattr ioctl lock open read };
allow logrotate_t domain:lnk_file { getattr read };
allow logrotate_t domain:process signal;
allow logwatch_t domain:dir { getattr ioctl lock open read search };
allow logwatch_t domain:file { getattr ioctl lock open read };
allow logwatch_t domain:lnk_file { getattr read };
allow mdadm_t domain:dir { getattr ioctl lock open read search };
allow mdadm_t domain:file { getattr ioctl lock open read };
allow mdadm_t domain:lnk_file { getattr read };
allow mock_t domain:dir { getattr ioctl lock open read search };
allow mock_t domain:file { getattr ioctl lock open read };
allow mock_t domain:lnk_file { getattr read };
allow mon_statd_domain domain:dir { getattr ioctl lock open read search };
allow mon_statd_domain domain:file { getattr ioctl lock open read };
allow mon_statd_domain domain:lnk_file { getattr read };
allow munin_t domain:dir { getattr ioctl lock open read search };
allow munin_t domain:file { getattr ioctl lock open read };
allow munin_t domain:lnk_file { getattr read };
allow mycontainer_t mycontainer_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:appletalk_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:association sendto;
allow mycontainer_t mycontainer_t:atmpvc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:atmsvc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:ax25_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:bluetooth_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:caif_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:can_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:cap2_userns { audit_read block_suspend bpf checkpoint_restore perfmon syslog wake_alarm }; [ virt_sandbox_use_all_caps ]:True
allow mycontainer_t mycontainer_t:cap_userns { audit_control fsetid ipc_lock ipc_owner lease linux_immutable net_broadcast sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; [ virt_sandbox_use_all_caps ]:True
allow mycontainer_t mycontainer_t:cap_userns { audit_write chown dac_override dac_read_search fowner kill mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_chroot };
allow mycontainer_t mycontainer_t:capability sys_admin; [ virt_sandbox_use_sys_admin ]:True
allow mycontainer_t mycontainer_t:capability { audit_control dac_override fsetid ipc_lock ipc_owner lease linux_immutable net_broadcast sys_admin sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; [ virt_sandbox_use_all_caps ]:True
allow mycontainer_t mycontainer_t:capability { audit_write chown dac_read_search fowner kill mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot };
allow mycontainer_t mycontainer_t:capability2 { audit_read block_suspend bpf checkpoint_restore epolwakeup perfmon syslog wake_alarm }; [ virt_sandbox_use_all_caps ]:True
allow mycontainer_t mycontainer_t:dccp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:decnet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:dir { getattr ioctl lock open read search watch };
allow mycontainer_t mycontainer_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow mycontainer_t mycontainer_t:file { append getattr ioctl lock open read write };
allow mycontainer_t mycontainer_t:filesystem associate;
allow mycontainer_t mycontainer_t:icmp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:ieee802154_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:ipx_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:irda_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:isdn_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:iucv_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:kcm_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:key { create read setattr view write };
allow mycontainer_t mycontainer_t:llc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:lnk_file { getattr ioctl lock open read setattr };
allow mycontainer_t mycontainer_t:mctp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:msg { receive send };
allow mycontainer_t mycontainer_t:msgq { associate create destroy enqueue getattr read setattr unix_read unix_write write };
allow mycontainer_t mycontainer_t:netlink_audit_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_audit_socket { nlmsg_read nlmsg_relay nlmsg_tty_audit }; [ virt_sandbox_use_audit ]:True
allow mycontainer_t mycontainer_t:netlink_connector_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_crypto_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_dnrt_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_fib_lookup_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_firewall_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_generic_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_ip6fw_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_iscsi_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_kobject_uevent_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_netfilter_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_nflog_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_rdma_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_route_socket { accept append bind connect create getattr getopt ioctl lock map nlmsg_read nlmsg_write read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_scsitransport_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_selinux_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_tcpdiag_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_tcpdiag_socket { nlmsg_read nlmsg_write }; [ virt_sandbox_use_netlink ]:True
allow mycontainer_t mycontainer_t:netlink_xfrm_socket { accept append bind connect create getattr getopt ioctl lock map nlmsg_read nlmsg_write read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netrom_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:nfc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:packet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:passwd rootok;
allow mycontainer_t mycontainer_t:peer recv;
allow mycontainer_t mycontainer_t:phonet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:pppox_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:process ptrace; [ deny_ptrace ]:False
allow mycontainer_t mycontainer_t:process ptrace; [ deny_ptrace ]:False
allow mycontainer_t mycontainer_t:process { execmem execstack fork getattr getcap getpgid getrlimit getsched getsession setcap setexec setfscreate setpgid setrlimit setsched sigchld sigkill signal signull sigstop };
allow mycontainer_t mycontainer_t:qipcrtr_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:rawip_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:rds_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:rose_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:rxrpc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:sctp_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:sem { associate create destroy getattr read setattr unix_read unix_write write };
allow mycontainer_t mycontainer_t:shm { associate create destroy getattr lock read setattr unix_read unix_write write };
allow mycontainer_t mycontainer_t:smc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:tcp_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:tipc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:tun_socket { accept append attach_queue bind connect create getattr getopt ioctl lock map read relabelfrom relabelto setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:udp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:unix_dgram_socket { accept append bind connect create getattr getopt ioctl lock map read sendto setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock map read sendto setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:user_namespace create;
allow mycontainer_t mycontainer_t:vsock_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:x25_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:xdp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mysqld_safe_t domain:dir { getattr ioctl lock open read search };
allow mysqld_safe_t domain:file { getattr ioctl lock open read };
allow mysqld_safe_t domain:lnk_file { getattr read };
allow mysqld_t domain:dir { getattr ioctl lock open read search };
allow mysqld_t domain:file { getattr ioctl lock open read };
allow mysqld_t domain:lnk_file { getattr read };
allow nagios_openshift_plugin_t domain:dir { getattr ioctl lock open read search };
allow nagios_openshift_plugin_t domain:file { getattr ioctl lock open read };
allow nagios_openshift_plugin_t domain:lnk_file { getattr read };
allow nagios_services_plugin_t domain:dir { getattr ioctl lock open read search };
allow nagios_services_plugin_t domain:file { getattr ioctl lock open read };
allow nagios_services_plugin_t domain:lnk_file { getattr read };
allow nagios_system_plugin_t domain:dir { getattr ioctl lock open read search };
allow nagios_system_plugin_t domain:file { getattr ioctl lock open read };
allow nagios_system_plugin_t domain:lnk_file { getattr read };
allow nagios_t domain:dir { getattr ioctl lock open read search };
allow nagios_t domain:file { getattr ioctl lock open read };
allow nagios_t domain:lnk_file { getattr read };
allow ncftool_t domain:dir { getattr ioctl lock open read search };
allow ncftool_t domain:file { getattr ioctl lock open read };
allow ncftool_t domain:lnk_file { getattr read };
allow neutron_t domain:dir { getattr ioctl lock open read search };
allow neutron_t domain:file { getattr ioctl lock open read };
allow neutron_t domain:lnk_file { getattr read };
allow nrpe_t domain:dir { getattr ioctl lock open read search };
allow nrpe_t domain:file { getattr ioctl lock open read };
allow nrpe_t domain:lnk_file { getattr read };
allow nscd_t domain:dir { getattr open search };
allow numad_t domain:dir { getattr ioctl lock open read search };
allow numad_t domain:file { getattr ioctl lock open read };
allow numad_t domain:lnk_file { getattr read };
allow numad_t domain:process { setsched signull };
allow passenger_t domain:dir { getattr ioctl lock open read search };
allow passenger_t domain:file { getattr ioctl lock open read };
allow passenger_t domain:lnk_file { getattr read };
allow pcp_pmcd_t domain:dir { getattr ioctl lock open read search };
allow pcp_pmcd_t domain:file { getattr ioctl lock open read };
allow pcp_pmcd_t domain:lnk_file { getattr read };
allow pcp_pmcd_t domain:process getattr;
allow pcp_pmie_t domain:dir { getattr ioctl lock open read search };
allow pcp_pmie_t domain:file { getattr ioctl lock open read };
allow pcp_pmie_t domain:lnk_file { getattr read };
allow pcp_pmlogger_t domain:dir { getattr ioctl lock open read search };
allow pcp_pmlogger_t domain:file { getattr ioctl lock open read };
allow pcp_pmlogger_t domain:lnk_file { getattr read };
allow pcscd_t domain:dir { getattr ioctl lock open read search };
allow pcscd_t domain:file { getattr ioctl lock open read };
allow pcscd_t domain:lnk_file { getattr read };
allow pegasus_t domain:dir { getattr ioctl lock open read search };
allow pegasus_t domain:file { getattr ioctl lock open read };
allow pegasus_t domain:lnk_file { getattr read };
allow policykit_t domain:dir { getattr ioctl lock open read search };
allow policykit_t domain:file { getattr ioctl lock open read };
allow policykit_t domain:lnk_file { getattr read };
allow psad_t domain:dir { getattr ioctl lock open read search };
allow psad_t domain:file { getattr ioctl lock open read };
allow psad_t domain:lnk_file { getattr read };
allow puppetmaster_t domain:dir { getattr ioctl lock open read search };
allow puppetmaster_t domain:file { getattr ioctl lock open read };
allow puppetmaster_t domain:lnk_file { getattr read };
allow rabbitmq_t domain:dir { getattr ioctl lock open read search };
allow rabbitmq_t domain:file { getattr ioctl lock open read };
allow rabbitmq_t domain:lnk_file { getattr read };
allow racoon_t domain:association setcontext;
allow readahead_t domain:dir { getattr ioctl lock open read search };
allow readahead_t domain:file { getattr ioctl lock open read };
allow readahead_t domain:lnk_file { getattr read };
allow rhcd_t domain:alg_socket getattr;
allow rhcd_t domain:appletalk_socket getattr;
allow rhcd_t domain:atmpvc_socket getattr;
allow rhcd_t domain:atmsvc_socket getattr;
allow rhcd_t domain:ax25_socket getattr;
allow rhcd_t domain:bluetooth_socket getattr;
allow rhcd_t domain:caif_socket getattr;
allow rhcd_t domain:can_socket getattr;
allow rhcd_t domain:dccp_socket getattr;
allow rhcd_t domain:decnet_socket getattr;
allow rhcd_t domain:dir { getattr ioctl lock open read search };
allow rhcd_t domain:fifo_file getattr;
allow rhcd_t domain:file { getattr ioctl lock open read };
allow rhcd_t domain:icmp_socket getattr;
allow rhcd_t domain:ieee802154_socket getattr;
allow rhcd_t domain:ipx_socket getattr;
allow rhcd_t domain:irda_socket getattr;
allow rhcd_t domain:isdn_socket getattr;
allow rhcd_t domain:iucv_socket getattr;
allow rhcd_t domain:kcm_socket getattr;
allow rhcd_t domain:llc_socket getattr;
allow rhcd_t domain:lnk_file { getattr read };
allow rhcd_t domain:mctp_socket getattr;
allow rhcd_t domain:netlink_audit_socket getattr;
allow rhcd_t domain:netlink_connector_socket getattr;
allow rhcd_t domain:netlink_crypto_socket getattr;
allow rhcd_t domain:netlink_dnrt_socket getattr;
allow rhcd_t domain:netlink_fib_lookup_socket getattr;
allow rhcd_t domain:netlink_firewall_socket getattr;
allow rhcd_t domain:netlink_generic_socket getattr;
allow rhcd_t domain:netlink_ip6fw_socket getattr;
allow rhcd_t domain:netlink_iscsi_socket getattr;
allow rhcd_t domain:netlink_kobject_uevent_socket getattr;
allow rhcd_t domain:netlink_netfilter_socket getattr;
allow rhcd_t domain:netlink_nflog_socket getattr;
allow rhcd_t domain:netlink_rdma_socket getattr;
allow rhcd_t domain:netlink_route_socket getattr;
allow rhcd_t domain:netlink_scsitransport_socket getattr;
allow rhcd_t domain:netlink_selinux_socket getattr;
allow rhcd_t domain:netlink_socket getattr;
allow rhcd_t domain:netlink_tcpdiag_socket getattr;
allow rhcd_t domain:netlink_xfrm_socket getattr;
allow rhcd_t domain:netrom_socket getattr;
allow rhcd_t domain:nfc_socket getattr;
allow rhcd_t domain:packet_socket getattr;
allow rhcd_t domain:phonet_socket getattr;
allow rhcd_t domain:pppox_socket getattr;
allow rhcd_t domain:qipcrtr_socket getattr;
allow rhcd_t domain:rawip_socket getattr;
allow rhcd_t domain:rds_socket getattr;
allow rhcd_t domain:rose_socket getattr;
allow rhcd_t domain:rxrpc_socket getattr;
allow rhcd_t domain:sctp_socket getattr;
allow rhcd_t domain:smc_socket getattr;
allow rhcd_t domain:tcp_socket getattr;
allow rhcd_t domain:tipc_socket getattr;
allow rhcd_t domain:tun_socket getattr;
allow rhcd_t domain:udp_socket getattr;
allow rhcd_t domain:unix_dgram_socket getattr;
allow rhcd_t domain:unix_stream_socket getattr;
allow rhcd_t domain:vsock_socket getattr;
allow rhcd_t domain:x25_socket getattr;
allow rhcd_t domain:xdp_socket getattr;
allow rhsmcertd_t domain:dir { getattr ioctl lock open read search };
allow rhsmcertd_t domain:file { getattr ioctl lock open read };
allow rhsmcertd_t domain:lnk_file { getattr read };
allow rhsmcertd_t domain:process signull;
allow ricci_modcluster_t domain:dir { getattr ioctl lock open read search };
allow ricci_modcluster_t domain:file { getattr ioctl lock open read };
allow ricci_modcluster_t domain:lnk_file { getattr read };
allow ricci_modclusterd_t domain:dir { getattr ioctl lock open read search };
allow ricci_modclusterd_t domain:file { getattr ioctl lock open read };
allow ricci_modclusterd_t domain:lnk_file { getattr read };
allow ricci_modlog_t domain:dir { getattr ioctl lock open read search };
allow ricci_modlog_t domain:file { getattr ioctl lock open read };
allow ricci_modlog_t domain:lnk_file { getattr read };
allow ricci_modstorage_t domain:dir { getattr ioctl lock open read search };
allow ricci_modstorage_t domain:file { getattr ioctl lock open read };
allow ricci_modstorage_t domain:lnk_file { getattr read };
allow ricci_t domain:dir { getattr ioctl lock open read search };
allow ricci_t domain:file { getattr ioctl lock open read };
allow ricci_t domain:lnk_file { getattr read };
allow rtkit_daemon_t domain:dir { getattr ioctl lock open read search };
allow rtkit_daemon_t domain:file { getattr ioctl lock open read };
allow rtkit_daemon_t domain:lnk_file { getattr read };
allow rtkit_daemon_t domain:process getsched;
allow sbd_t domain:dir { getattr ioctl lock open read search };
allow sbd_t domain:file { getattr ioctl lock open read };
allow sbd_t domain:lnk_file { getattr read };
allow sblim_gatherd_t domain:dir { getattr ioctl lock open read search };
allow sblim_gatherd_t domain:file { getattr ioctl lock open read };
allow sblim_gatherd_t domain:lnk_file { getattr read };
allow sblim_sfcbd_t domain:dir { getattr ioctl lock open read search };
allow sblim_sfcbd_t domain:file { getattr ioctl lock open read };
allow sblim_sfcbd_t domain:lnk_file { getattr read };
allow screen_domain domain:dir { getattr ioctl lock open read search };
allow screen_domain domain:file { getattr ioctl lock open read };
allow screen_domain domain:lnk_file { getattr read };
allow sectoolm_t domain:dir { getattr ioctl lock open read search };
allow sectoolm_t domain:file { getattr ioctl lock open read };
allow sectoolm_t domain:lnk_file { getattr read };
allow sectoolm_t domain:process getattr;
allow session_bus_type domain:dir { getattr ioctl lock open read search };
allow session_bus_type domain:file { getattr ioctl lock open read };
allow session_bus_type domain:lnk_file { getattr read };
allow setfiles_domain domain:blk_file { getattr relabelfrom };
allow setfiles_domain domain:chr_file { getattr relabelfrom };
allow setfiles_domain domain:dir { getattr ioctl lock open read relabelfrom search };
allow setfiles_domain domain:fifo_file { getattr relabelfrom };
allow setfiles_domain domain:file { getattr ioctl lock open read relabelfrom };
allow setfiles_domain domain:lnk_file { getattr read relabelfrom };
allow setfiles_domain domain:sock_file { getattr relabelfrom };
allow setkey_t domain:association setcontext;
allow setrans_t domain:dir { getattr ioctl lock open read search };
allow setrans_t domain:file { getattr ioctl lock open read };
allow setrans_t domain:lnk_file { getattr read };
allow setrans_t domain:process { getattr getsession };
allow setroubleshootd_t domain:dir { getattr ioctl lock open read search };
allow setroubleshootd_t domain:file { getattr ioctl lock open read };
allow setroubleshootd_t domain:lnk_file { getattr read };
allow setroubleshootd_t domain:process signull;
allow shorewall_t domain:dir { getattr ioctl lock open read search };
allow shorewall_t domain:file { getattr ioctl lock open read };
allow shorewall_t domain:lnk_file { getattr read };
allow snapperd_t domain:dir { getattr ioctl lock open read search };
allow snapperd_t domain:file { getattr ioctl lock open read };
allow snapperd_t domain:lnk_file { getattr read };
allow snmpd_t domain:dir { getattr ioctl lock open read search };
allow snmpd_t domain:file { getattr ioctl lock open read };
allow snmpd_t domain:lnk_file { getattr read };
allow snmpd_t domain:process signull;
allow spamd_update_t domain:dir { getattr ioctl lock open read search };
allow spamd_update_t domain:file { getattr ioctl lock open read };
allow spamd_update_t domain:lnk_file { getattr read };
allow spc_t domain:process { ptrace transition };
allow sshd_t svirt_sandbox_domain:process { getattr sigchld signal signull sigstop transition };
allow sshd_t svirt_sandbox_domain:unix_dgram_socket sendto;
allow sshd_t svirt_sandbox_domain:unix_stream_socket connectto;
allow sssd_t domain:dir { getattr ioctl lock open read search };
allow sssd_t domain:file { getattr ioctl lock open read };
allow sssd_t domain:lnk_file { getattr read };
allow staff_t container_domain:process { sigchld sigkill signal signull sigstop };
allow staff_t domain:dir { getattr ioctl lock open read search };
allow staff_t domain:file { getattr ioctl lock open read };
allow staff_t domain:lnk_file { getattr read };
allow staff_t domain:process { getattr getcap getsched };
allow stalld_t domain:dir { getattr ioctl lock open read search };
allow stalld_t domain:file { getattr ioctl lock open read };
allow stalld_t domain:lnk_file { getattr read };
allow stalld_t domain:process { getsched setsched };
allow stapserver_t domain:dir { getattr ioctl lock open read search };
allow stapserver_t domain:file { getattr ioctl lock open read };
allow stapserver_t domain:lnk_file { getattr read };
allow sysadm_t domain:alg_socket getattr;
allow sysadm_t domain:appletalk_socket getattr;
allow sysadm_t domain:atmpvc_socket getattr;
allow sysadm_t domain:atmsvc_socket getattr;
allow sysadm_t domain:ax25_socket getattr;
allow sysadm_t domain:bluetooth_socket getattr;
allow sysadm_t domain:caif_socket getattr;
allow sysadm_t domain:can_socket getattr;
allow sysadm_t domain:dccp_socket getattr;
allow sysadm_t domain:decnet_socket getattr;
allow sysadm_t domain:dir { getattr ioctl lock open read search };
allow sysadm_t domain:file { getattr ioctl lock open read };
allow sysadm_t domain:icmp_socket getattr;
allow sysadm_t domain:ieee802154_socket getattr;
allow sysadm_t domain:ipx_socket getattr;
allow sysadm_t domain:irda_socket getattr;
allow sysadm_t domain:isdn_socket getattr;
allow sysadm_t domain:iucv_socket getattr;
allow sysadm_t domain:kcm_socket getattr;
allow sysadm_t domain:key { read view };
allow sysadm_t domain:llc_socket getattr;
allow sysadm_t domain:lnk_file { getattr read };
allow sysadm_t domain:mctp_socket getattr;
allow sysadm_t domain:netlink_audit_socket getattr;
allow sysadm_t domain:netlink_connector_socket getattr;
allow sysadm_t domain:netlink_crypto_socket getattr;
allow sysadm_t domain:netlink_dnrt_socket getattr;
allow sysadm_t domain:netlink_fib_lookup_socket getattr;
allow sysadm_t domain:netlink_firewall_socket getattr;
allow sysadm_t domain:netlink_generic_socket getattr;
allow sysadm_t domain:netlink_ip6fw_socket getattr;
allow sysadm_t domain:netlink_iscsi_socket getattr;
allow sysadm_t domain:netlink_kobject_uevent_socket getattr;
allow sysadm_t domain:netlink_netfilter_socket getattr;
allow sysadm_t domain:netlink_nflog_socket getattr;
allow sysadm_t domain:netlink_rdma_socket getattr;
allow sysadm_t domain:netlink_route_socket getattr;
allow sysadm_t domain:netlink_scsitransport_socket getattr;
allow sysadm_t domain:netlink_selinux_socket getattr;
allow sysadm_t domain:netlink_socket getattr;
allow sysadm_t domain:netlink_tcpdiag_socket getattr;
allow sysadm_t domain:netlink_xfrm_socket getattr;
allow sysadm_t domain:netrom_socket getattr;
allow sysadm_t domain:nfc_socket getattr;
allow sysadm_t domain:packet_socket getattr;
allow sysadm_t domain:phonet_socket getattr;
allow sysadm_t domain:pppox_socket getattr;
allow sysadm_t domain:process ptrace; [ deny_ptrace ]:False
allow sysadm_t domain:process { getattr getcap setsched sigchld sigkill signal signull sigstop };
allow sysadm_t domain:qipcrtr_socket getattr;
allow sysadm_t domain:rawip_socket getattr;
allow sysadm_t domain:rds_socket getattr;
allow sysadm_t domain:rose_socket getattr;
allow sysadm_t domain:rxrpc_socket getattr;
allow sysadm_t domain:sctp_socket getattr;
allow sysadm_t domain:smc_socket getattr;
allow sysadm_t domain:tcp_socket getattr;
allow sysadm_t domain:tipc_socket getattr;
allow sysadm_t domain:tun_socket getattr;
allow sysadm_t domain:udp_socket getattr;
allow sysadm_t domain:unix_dgram_socket getattr;
allow sysadm_t domain:unix_stream_socket getattr;
allow sysadm_t domain:vsock_socket getattr;
allow sysadm_t domain:x25_socket getattr;
allow sysadm_t domain:xdp_socket getattr;
allow sysadm_t svirt_sandbox_domain:process transition;
allow sysadm_t svirt_sandbox_domain:unix_dgram_socket sendto;
allow syslogd_t domain:dir { getattr ioctl lock open read search };
allow syslogd_t domain:file { getattr ioctl lock open read };
allow syslogd_t domain:lnk_file { getattr read };
allow syslogd_t domain:process { getattr signull };
allow system_dbusd_t domain:dir { getattr ioctl lock open read search };
allow system_dbusd_t domain:file { getattr ioctl lock open read };
allow system_dbusd_t domain:lnk_file { getattr read };
allow system_munin_plugin_t domain:dir { getattr ioctl lock open read search };
allow system_munin_plugin_t domain:file { getattr ioctl lock open read };
allow system_munin_plugin_t domain:lnk_file { getattr read };
allow systemd_bootchart_t domain:dir { getattr ioctl lock open read search };
allow systemd_bootchart_t domain:file { getattr ioctl lock open read };
allow systemd_bootchart_t domain:lnk_file { getattr read };
allow systemd_coredump_t domain:dir { getattr ioctl lock open read search };
allow systemd_coredump_t domain:file { getattr ioctl lock open read };
allow systemd_coredump_t domain:lnk_file { getattr read };
allow systemd_homework_t domain:key { create read setattr view write };
allow systemd_logind_t container_domain:dbus send_msg;
allow systemd_logind_t container_domain:process getattr;
allow systemd_logind_t domain:dir { getattr ioctl lock open read search };
allow systemd_logind_t domain:file { getattr ioctl lock open read };
allow systemd_logind_t domain:lnk_file { getattr read };
allow systemd_logind_t domain:process { sigkill signal signull };
allow systemd_logind_t domain:sem destroy;
allow systemd_logind_t sandbox_net_domain:dbus send_msg;
allow systemd_logind_t sandbox_net_domain:process getattr;
allow systemd_machined_t domain:process { signal signull };
allow systemd_machined_t svirt_sandbox_domain:dir { getattr ioctl lock open read search };
allow systemd_machined_t svirt_sandbox_domain:file { getattr ioctl lock open read };
allow systemd_machined_t svirt_sandbox_domain:lnk_file { getattr read };
allow systemd_machined_t svirt_sandbox_domain:process getattr;
allow systemd_machined_t svirt_sandbox_domain:unix_stream_socket connectto;
allow systemd_passwd_agent_t domain:dir { getattr ioctl lock open read search };
allow systemd_passwd_agent_t domain:file { getattr ioctl lock open read };
allow systemd_passwd_agent_t domain:lnk_file { getattr read };
allow systemd_resolved_t domain:dbus send_msg;
allow systemd_resolved_t domain:dir { getattr ioctl lock open read search };
allow systemd_resolved_t domain:file { getattr ioctl lock open read };
allow systemd_resolved_t domain:lnk_file { getattr read };
allow systemd_resolved_t domain:process getattr;
allow tmpreaper_t domain:alg_socket getattr;
allow tmpreaper_t domain:appletalk_socket getattr;
allow tmpreaper_t domain:atmpvc_socket getattr;
allow tmpreaper_t domain:atmsvc_socket getattr;
allow tmpreaper_t domain:ax25_socket getattr;
allow tmpreaper_t domain:bluetooth_socket getattr;
allow tmpreaper_t domain:caif_socket getattr;
allow tmpreaper_t domain:can_socket getattr;
allow tmpreaper_t domain:dccp_socket getattr;
allow tmpreaper_t domain:decnet_socket getattr;
allow tmpreaper_t domain:dir { getattr ioctl lock open read search };
allow tmpreaper_t domain:fifo_file getattr;
allow tmpreaper_t domain:file { getattr ioctl lock open read };
allow tmpreaper_t domain:icmp_socket getattr;
allow tmpreaper_t domain:ieee802154_socket getattr;
allow tmpreaper_t domain:ipx_socket getattr;
allow tmpreaper_t domain:irda_socket getattr;
allow tmpreaper_t domain:isdn_socket getattr;
allow tmpreaper_t domain:iucv_socket getattr;
allow tmpreaper_t domain:kcm_socket getattr;
allow tmpreaper_t domain:llc_socket getattr;
allow tmpreaper_t domain:lnk_file { getattr read };
allow tmpreaper_t domain:mctp_socket getattr;
allow tmpreaper_t domain:netlink_audit_socket getattr;
allow tmpreaper_t domain:netlink_connector_socket getattr;
allow tmpreaper_t domain:netlink_crypto_socket getattr;
allow tmpreaper_t domain:netlink_dnrt_socket getattr;
allow tmpreaper_t domain:netlink_fib_lookup_socket getattr;
allow tmpreaper_t domain:netlink_firewall_socket getattr;
allow tmpreaper_t domain:netlink_generic_socket getattr;
allow tmpreaper_t domain:netlink_ip6fw_socket getattr;
allow tmpreaper_t domain:netlink_iscsi_socket getattr;
allow tmpreaper_t domain:netlink_kobject_uevent_socket getattr;
allow tmpreaper_t domain:netlink_netfilter_socket getattr;
allow tmpreaper_t domain:netlink_nflog_socket getattr;
allow tmpreaper_t domain:netlink_rdma_socket getattr;
allow tmpreaper_t domain:netlink_route_socket getattr;
allow tmpreaper_t domain:netlink_scsitransport_socket getattr;
allow tmpreaper_t domain:netlink_selinux_socket getattr;
allow tmpreaper_t domain:netlink_socket getattr;
allow tmpreaper_t domain:netlink_tcpdiag_socket getattr;
allow tmpreaper_t domain:netlink_xfrm_socket getattr;
allow tmpreaper_t domain:netrom_socket getattr;
allow tmpreaper_t domain:nfc_socket getattr;
allow tmpreaper_t domain:packet_socket getattr;
allow tmpreaper_t domain:phonet_socket getattr;
allow tmpreaper_t domain:pppox_socket getattr;
allow tmpreaper_t domain:qipcrtr_socket getattr;
allow tmpreaper_t domain:rawip_socket getattr;
allow tmpreaper_t domain:rds_socket getattr;
allow tmpreaper_t domain:rose_socket getattr;
allow tmpreaper_t domain:rxrpc_socket getattr;
allow tmpreaper_t domain:sctp_socket getattr;
allow tmpreaper_t domain:smc_socket getattr;
allow tmpreaper_t domain:tcp_socket getattr;
allow tmpreaper_t domain:tipc_socket getattr;
allow tmpreaper_t domain:tun_socket getattr;
allow tmpreaper_t domain:udp_socket getattr;
allow tmpreaper_t domain:unix_dgram_socket getattr;
allow tmpreaper_t domain:unix_stream_socket getattr;
allow tmpreaper_t domain:vsock_socket getattr;
allow tmpreaper_t domain:x25_socket getattr;
allow tmpreaper_t domain:xdp_socket getattr;
allow unconfined_domain_type container_domain:process { dyntransition transition };
allow unconfined_domain_type container_domain:process2 { nnp_transition nosuid_transition };
allow unconfined_domain_type domain:alg_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:appletalk_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:association recvfrom;
allow unconfined_domain_type domain:atmpvc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:atmsvc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:ax25_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:bluetooth_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:bpf { map_create map_read map_write prog_load prog_run };
allow unconfined_domain_type domain:caif_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:can_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:dccp_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind name_connect node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:decnet_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:dir { getattr ioctl lock open read search watch };
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file { append getattr ioctl lock open read write };
allow unconfined_domain_type domain:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow unconfined_domain_type domain:icmp_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:ieee802154_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:io_uring { cmd override_creds };
allow unconfined_domain_type domain:ipx_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:irda_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:isdn_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:iucv_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:kcm_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:key { create read setattr view write };
allow unconfined_domain_type domain:key_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:llc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:lnk_file { getattr ioctl lock read };
allow unconfined_domain_type domain:mctp_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:msg { receive send };
allow unconfined_domain_type domain:msgq { associate create destroy enqueue getattr read setattr unix_read unix_write write };
allow unconfined_domain_type domain:netlink_audit_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_readpriv nlmsg_relay nlmsg_tty_audit nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_connector_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_crypto_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_dnrt_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_fib_lookup_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_firewall_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_generic_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_ip6fw_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_iscsi_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_kobject_uevent_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_netfilter_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_nflog_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_rdma_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_route_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_scsitransport_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_selinux_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_tcpdiag_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_xfrm_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netrom_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:nfc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:packet_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:peer recv;
allow unconfined_domain_type domain:perf_event { read write };
allow unconfined_domain_type domain:phonet_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:pppox_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:process ptrace; [ deny_ptrace ]:False
allow unconfined_domain_type domain:process { fork getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setcurrent setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share sigchld siginh sigkill signal signull sigstop };
allow unconfined_domain_type domain:qipcrtr_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:rawip_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:rds_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:rose_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:rxrpc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:sctp_socket { accept append association bind connect create getattr getopt ioctl listen lock map name_bind name_connect node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:sem { associate create destroy getattr read setattr unix_read unix_write write };
allow unconfined_domain_type domain:shm { associate create destroy getattr lock read setattr unix_read unix_write write };
allow unconfined_domain_type domain:smc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:system { disable enable halt ipc_info module_load module_request reboot reload start status stop syslog_console syslog_mod syslog_read undefined };
allow unconfined_domain_type domain:tcp_socket { accept acceptfrom append bind connect connectto create getattr getopt ioctl listen lock map name_bind name_connect newconn node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:tipc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:tun_socket { accept append attach_queue bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:udp_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:unix_dgram_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:unix_stream_socket { accept acceptfrom append bind connect connectto create getattr getopt ioctl listen lock map name_bind newconn read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:vsock_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:x25_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:xdp_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_t domain:process dyntransition; [ unconfined_dyntrans_all ]:True
allow unconfined_t domain:process transition;
allow useradd_t domain:dir { getattr ioctl lock open read search };
allow useradd_t domain:file { getattr ioctl lock open read };
allow useradd_t domain:lnk_file { getattr read };
allow userdomain container_domain:process transition;
allow virsh_t svirt_sandbox_domain:dir { getattr ioctl lock open read search };
allow virsh_t svirt_sandbox_domain:file { getattr ioctl lock open read };
allow virsh_t svirt_sandbox_domain:lnk_file { getattr read };
allow virsh_t svirt_sandbox_domain:process { getattr sigchld sigkill signal signull sigstop transition };
allow virsh_t svirt_sandbox_domain:unix_dgram_socket sendto;
allow virtd_lxc_t svirt_sandbox_domain:process transition;
allow virtd_t svirt_sandbox_domain:process transition;
allow vmtools_unconfined_t domain:dbus send_msg;
allow watchdog_t domain:process { getsession sigchld sigkill signal signull sigstop };
allow zabbix_agent_t domain:dir { getattr ioctl lock open read search };
allow zabbix_agent_t domain:file { getattr ioctl lock open read };
allow zabbix_agent_t domain:lnk_file { getattr read };
allow zoneminder_t domain:dir { getattr ioctl lock open read search };
allow zoneminder_t domain:file { getattr ioctl lock open read };
allow zoneminder_t domain:lnk_file { getattr read };
[-- Attachment #5: container_t.rules --]
[-- Type: text/plain, Size: 75298 bytes --]
$ sesearch -A -t container_t
allow NetworkManager_dispatcher_dnssec_t domain:dir { getattr ioctl lock open read search };
allow NetworkManager_dispatcher_dnssec_t domain:file { getattr ioctl lock open read };
allow NetworkManager_dispatcher_dnssec_t domain:lnk_file { getattr read };
allow NetworkManager_t domain:dir { getattr ioctl lock open read search };
allow NetworkManager_t domain:file { getattr ioctl lock open read };
allow NetworkManager_t domain:lnk_file { getattr read };
allow abrt_dump_oops_t domain:dir { getattr ioctl lock open read search };
allow abrt_dump_oops_t domain:file { getattr ioctl lock open read };
allow abrt_dump_oops_t domain:lnk_file { getattr read };
allow abrt_dump_oops_t domain:process ptrace; [ deny_ptrace ]:False
allow abrt_dump_oops_t domain:process { getattr signull };
allow abrt_helper_t domain:dir { getattr ioctl lock open read search };
allow abrt_helper_t domain:fd use;
allow abrt_helper_t domain:fifo_file { append getattr ioctl lock read write };
allow abrt_helper_t domain:file { getattr ioctl lock open read };
allow abrt_helper_t domain:lnk_file { getattr read };
allow abrt_helper_t domain:process sigchld;
allow abrt_t domain:dir { getattr ioctl lock open read search };
allow abrt_t domain:file { getattr ioctl lock open read write };
allow abrt_t domain:lnk_file { getattr read };
allow abrt_t domain:process { getattr setrlimit signull };
allow antivirus_domain domain:dir { getattr ioctl lock open read search };
allow antivirus_domain domain:file { getattr ioctl lock open read };
allow antivirus_domain domain:lnk_file { getattr read };
allow apcupsd_t domain:process signull;
allow apmd_t domain:dir { getattr ioctl lock open read search };
allow apmd_t domain:file { getattr ioctl lock open read };
allow apmd_t domain:lnk_file { getattr read };
allow auditadm_t domain:process sigkill;
allow auditctl_t domain:dir { getattr ioctl lock open read search };
allow auditctl_t domain:file { getattr ioctl lock open read };
allow auditctl_t domain:lnk_file { getattr read };
allow auditd_t domain:dir { getattr ioctl lock open read search };
allow auditd_t domain:file { getattr ioctl lock open read };
allow auditd_t domain:lnk_file { getattr read };
allow bluetooth_helper_t domain:dir { getattr ioctl lock open read search };
allow bluetooth_helper_t domain:file { getattr ioctl lock open read };
allow bluetooth_helper_t domain:lnk_file { getattr read };
allow boinc_domain domain:dir { getattr ioctl lock open read search };
allow boinc_domain domain:file { getattr ioctl lock open read };
allow boinc_domain domain:lnk_file { getattr read };
allow boltd_t domain:dir { getattr ioctl lock open read search };
allow boltd_t domain:file { getattr ioctl lock open read };
allow boltd_t domain:lnk_file { getattr read };
allow cardmgr_t pcmcia_typeattr_1:dir { getattr ioctl lock open read search };
allow cardmgr_t pcmcia_typeattr_1:file { getattr ioctl lock open read };
allow cardmgr_t pcmcia_typeattr_1:lnk_file { getattr read };
allow cardmgr_t pcmcia_typeattr_1:process getattr;
allow cfengine_execd_t domain:dir { getattr ioctl lock open read search };
allow cfengine_execd_t domain:file { getattr ioctl lock open read };
allow cfengine_execd_t domain:lnk_file { getattr read };
allow cfengine_monitord_t domain:dir { getattr ioctl lock open read search };
allow cfengine_monitord_t domain:file { getattr ioctl lock open read };
allow cfengine_monitord_t domain:lnk_file { getattr read };
allow cgclear_t domain:process setsched;
allow cgred_t domain:dir { getattr ioctl lock open read search };
allow cgred_t domain:file { getattr ioctl lock open read };
allow cgred_t domain:lnk_file { getattr read };
allow cgred_t domain:process setsched;
allow collectd_t domain:dir { getattr ioctl lock open read search };
allow collectd_t domain:file { getattr ioctl lock open read };
allow collectd_t domain:lnk_file { getattr read };
allow condor_master_t domain:dir { getattr ioctl lock open read search };
allow condor_master_t domain:file { getattr ioctl lock open read };
allow condor_master_t domain:lnk_file { getattr read };
allow condor_procd_t domain:dir { getattr ioctl lock open read search };
allow condor_procd_t domain:file { getattr ioctl lock open read };
allow condor_procd_t domain:lnk_file { getattr read };
allow consolekit_t domain:dir { getattr ioctl lock open read search };
allow consolekit_t domain:file { getattr ioctl lock open read };
allow consolekit_t domain:lnk_file { getattr read };
allow container_runtime_domain container_domain:file relabelfrom;
allow container_t container_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:appletalk_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:association sendto;
allow container_t container_t:atmpvc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:atmsvc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:ax25_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:bluetooth_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:caif_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:can_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:cap2_userns { audit_read block_suspend bpf checkpoint_restore perfmon syslog wake_alarm }; [ virt_sandbox_use_all_caps ]:True
allow container_t container_t:cap_userns { audit_control fsetid ipc_lock ipc_owner lease linux_immutable net_broadcast sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; [ virt_sandbox_use_all_caps ]:True
allow container_t container_t:cap_userns { audit_write chown dac_override dac_read_search fowner kill mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_chroot };
allow container_t container_t:capability sys_admin; [ virt_sandbox_use_sys_admin ]:True
allow container_t container_t:capability { audit_control dac_override fsetid ipc_lock ipc_owner lease linux_immutable net_broadcast sys_admin sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; [ virt_sandbox_use_all_caps ]:True
allow container_t container_t:capability { audit_write chown dac_read_search fowner kill mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot };
allow container_t container_t:capability2 { audit_read block_suspend bpf checkpoint_restore epolwakeup perfmon syslog wake_alarm }; [ virt_sandbox_use_all_caps ]:True
allow container_t container_t:dccp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:decnet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:dir { getattr ioctl lock open read search watch };
allow container_t container_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow container_t container_t:file { append getattr ioctl lock open read write };
allow container_t container_t:filesystem associate;
allow container_t container_t:icmp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:ieee802154_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:ipx_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:irda_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:isdn_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:iucv_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:kcm_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:key { create read setattr view write };
allow container_t container_t:llc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:lnk_file { getattr ioctl lock open read setattr };
allow container_t container_t:mctp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:msg { receive send };
allow container_t container_t:msgq { associate create destroy enqueue getattr read setattr unix_read unix_write write };
allow container_t container_t:netlink_audit_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_audit_socket { nlmsg_read nlmsg_relay nlmsg_tty_audit }; [ virt_sandbox_use_audit ]:True
allow container_t container_t:netlink_connector_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_crypto_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_dnrt_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_fib_lookup_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_firewall_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_generic_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_ip6fw_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_iscsi_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_kobject_uevent_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_netfilter_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_nflog_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_rdma_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_route_socket { accept append bind connect create getattr getopt ioctl lock map nlmsg_read nlmsg_write read setattr setopt shutdown write };
allow container_t container_t:netlink_scsitransport_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_selinux_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_tcpdiag_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_tcpdiag_socket { nlmsg_read nlmsg_write }; [ virt_sandbox_use_netlink ]:True
allow container_t container_t:netlink_xfrm_socket { accept append bind connect create getattr getopt ioctl lock map nlmsg_read nlmsg_write read setattr setopt shutdown write };
allow container_t container_t:netrom_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:nfc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:packet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:passwd rootok;
allow container_t container_t:peer recv;
allow container_t container_t:phonet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:pppox_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:process ptrace; [ deny_ptrace ]:False
allow container_t container_t:process ptrace; [ deny_ptrace ]:False
allow container_t container_t:process { execmem execstack fork getattr getcap getpgid getrlimit getsched getsession setcap setexec setfscreate setpgid setrlimit setsched sigchld sigkill signal signull sigstop };
allow container_t container_t:qipcrtr_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:rawip_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow container_t container_t:rds_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:rose_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:rxrpc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:sctp_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow container_t container_t:sem { associate create destroy getattr read setattr unix_read unix_write write };
allow container_t container_t:shm { associate create destroy getattr lock read setattr unix_read unix_write write };
allow container_t container_t:smc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow container_t container_t:tcp_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow container_t container_t:tipc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:tun_socket { accept append attach_queue bind connect create getattr getopt ioctl lock map read relabelfrom relabelto setattr setopt shutdown write };
allow container_t container_t:udp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:unix_dgram_socket { accept append bind connect create getattr getopt ioctl lock map read sendto setattr setopt shutdown write };
allow container_t container_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock map read sendto setattr setopt shutdown write };
allow container_t container_t:user_namespace create;
allow container_t container_t:vsock_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:x25_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:xdp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_user_t container_domain:process { getattr getcap getsched sigchld sigkill signal signull sigstop };
allow cpuspeed_t domain:dir { getattr ioctl lock open read search };
allow cpuspeed_t domain:file { getattr ioctl lock open read };
allow cpuspeed_t domain:lnk_file { getattr read };
allow cupsd_t domain:dir { getattr ioctl lock open read search };
allow cupsd_t domain:file { getattr ioctl lock open read };
allow cupsd_t domain:lnk_file { getattr read };
allow devicekit_power_t domain:dbus send_msg;
allow dnssec_trigger_t domain:dir { getattr ioctl lock open read search };
allow dnssec_trigger_t domain:file { getattr ioctl lock open read };
allow dnssec_trigger_t domain:lnk_file { getattr read };
allow domain domain:fd use; [ domain_fd_use ]:True
allow domain domain:key { link search };
allow fsdaemon_t domain:process signull;
allow glusterd_t domain:alg_socket getattr;
allow glusterd_t domain:appletalk_socket getattr;
allow glusterd_t domain:atmpvc_socket getattr;
allow glusterd_t domain:atmsvc_socket getattr;
allow glusterd_t domain:ax25_socket getattr;
allow glusterd_t domain:bluetooth_socket getattr;
allow glusterd_t domain:caif_socket getattr;
allow glusterd_t domain:can_socket getattr;
allow glusterd_t domain:dccp_socket getattr;
allow glusterd_t domain:decnet_socket getattr;
allow glusterd_t domain:dir { getattr ioctl lock open read search };
allow glusterd_t domain:file { getattr ioctl lock open read };
allow glusterd_t domain:icmp_socket getattr;
allow glusterd_t domain:ieee802154_socket getattr;
allow glusterd_t domain:ipx_socket getattr;
allow glusterd_t domain:irda_socket getattr;
allow glusterd_t domain:isdn_socket getattr;
allow glusterd_t domain:iucv_socket getattr;
allow glusterd_t domain:kcm_socket getattr;
allow glusterd_t domain:llc_socket getattr;
allow glusterd_t domain:lnk_file { getattr read };
allow glusterd_t domain:mctp_socket getattr;
allow glusterd_t domain:netlink_audit_socket getattr;
allow glusterd_t domain:netlink_connector_socket getattr;
allow glusterd_t domain:netlink_crypto_socket getattr;
allow glusterd_t domain:netlink_dnrt_socket getattr;
allow glusterd_t domain:netlink_fib_lookup_socket getattr;
allow glusterd_t domain:netlink_firewall_socket getattr;
allow glusterd_t domain:netlink_generic_socket getattr;
allow glusterd_t domain:netlink_ip6fw_socket getattr;
allow glusterd_t domain:netlink_iscsi_socket getattr;
allow glusterd_t domain:netlink_kobject_uevent_socket getattr;
allow glusterd_t domain:netlink_netfilter_socket getattr;
allow glusterd_t domain:netlink_nflog_socket getattr;
allow glusterd_t domain:netlink_rdma_socket getattr;
allow glusterd_t domain:netlink_route_socket getattr;
allow glusterd_t domain:netlink_scsitransport_socket getattr;
allow glusterd_t domain:netlink_selinux_socket getattr;
allow glusterd_t domain:netlink_socket getattr;
allow glusterd_t domain:netlink_tcpdiag_socket getattr;
allow glusterd_t domain:netlink_xfrm_socket getattr;
allow glusterd_t domain:netrom_socket getattr;
allow glusterd_t domain:nfc_socket getattr;
allow glusterd_t domain:packet_socket getattr;
allow glusterd_t domain:phonet_socket getattr;
allow glusterd_t domain:pppox_socket getattr;
allow glusterd_t domain:qipcrtr_socket getattr;
allow glusterd_t domain:rawip_socket getattr;
allow glusterd_t domain:rds_socket getattr;
allow glusterd_t domain:rose_socket getattr;
allow glusterd_t domain:rxrpc_socket getattr;
allow glusterd_t domain:sctp_socket getattr;
allow glusterd_t domain:smc_socket getattr;
allow glusterd_t domain:tcp_socket getattr;
allow glusterd_t domain:tipc_socket getattr;
allow glusterd_t domain:tun_socket getattr;
allow glusterd_t domain:udp_socket getattr;
allow glusterd_t domain:unix_dgram_socket getattr;
allow glusterd_t domain:unix_stream_socket getattr;
allow glusterd_t domain:vsock_socket getattr;
allow glusterd_t domain:x25_socket getattr;
allow glusterd_t domain:xdp_socket getattr;
allow gnomesystemmm_t domain:dir { getattr open search };
allow gnomesystemmm_t domain:process { setsched sigkill signal sigstop };
allow gssd_t domain:key { create read setattr view write };
allow gssproxy_t domain:dir { getattr ioctl lock open read search };
allow gssproxy_t domain:file { getattr ioctl lock open read };
allow gssproxy_t domain:lnk_file { getattr read };
allow httpd_t domain:process getpgid; [ httpd_run_stickshift ]:True
allow hypervkvp_t domain:dir { getattr ioctl lock open read search };
allow hypervkvp_t domain:file { getattr ioctl lock open read };
allow hypervkvp_t domain:lnk_file { getattr read };
allow ifconfig_t domain:dir { getattr ioctl lock open read search };
allow ifconfig_t domain:file { getattr ioctl lock open read };
allow ifconfig_t domain:lnk_file { getattr read };
allow init_t domain:dir { getattr ioctl lock open read search };
allow init_t domain:file { getattr ioctl lock open read };
allow init_t domain:lnk_file { getattr read };
allow init_t domain:process { getattr getpgid noatsecure rlimitinh setrlimit setsched sigchld sigkill signal signull sigstop };
allow init_t svirt_sandbox_domain:process transition;
allow init_t svirt_sandbox_domain:unix_dgram_socket sendto;
allow initrc_t svirt_sandbox_domain:process transition;
allow insights_core_t domain:alg_socket getattr;
allow insights_core_t domain:appletalk_socket getattr;
allow insights_core_t domain:atmpvc_socket getattr;
allow insights_core_t domain:atmsvc_socket getattr;
allow insights_core_t domain:ax25_socket getattr;
allow insights_core_t domain:bluetooth_socket getattr;
allow insights_core_t domain:caif_socket getattr;
allow insights_core_t domain:can_socket getattr;
allow insights_core_t domain:dccp_socket getattr;
allow insights_core_t domain:decnet_socket getattr;
allow insights_core_t domain:dir { getattr ioctl lock open read search };
allow insights_core_t domain:fifo_file getattr;
allow insights_core_t domain:file { getattr ioctl lock open read };
allow insights_core_t domain:icmp_socket getattr;
allow insights_core_t domain:ieee802154_socket getattr;
allow insights_core_t domain:ipx_socket getattr;
allow insights_core_t domain:irda_socket getattr;
allow insights_core_t domain:isdn_socket getattr;
allow insights_core_t domain:iucv_socket getattr;
allow insights_core_t domain:kcm_socket getattr;
allow insights_core_t domain:key { read view };
allow insights_core_t domain:llc_socket getattr;
allow insights_core_t domain:lnk_file { getattr read };
allow insights_core_t domain:mctp_socket getattr;
allow insights_core_t domain:netlink_audit_socket getattr;
allow insights_core_t domain:netlink_connector_socket getattr;
allow insights_core_t domain:netlink_crypto_socket getattr;
allow insights_core_t domain:netlink_dnrt_socket getattr;
allow insights_core_t domain:netlink_fib_lookup_socket getattr;
allow insights_core_t domain:netlink_firewall_socket getattr;
allow insights_core_t domain:netlink_generic_socket getattr;
allow insights_core_t domain:netlink_ip6fw_socket getattr;
allow insights_core_t domain:netlink_iscsi_socket getattr;
allow insights_core_t domain:netlink_kobject_uevent_socket getattr;
allow insights_core_t domain:netlink_netfilter_socket getattr;
allow insights_core_t domain:netlink_nflog_socket getattr;
allow insights_core_t domain:netlink_rdma_socket getattr;
allow insights_core_t domain:netlink_route_socket getattr;
allow insights_core_t domain:netlink_scsitransport_socket getattr;
allow insights_core_t domain:netlink_selinux_socket getattr;
allow insights_core_t domain:netlink_socket getattr;
allow insights_core_t domain:netlink_tcpdiag_socket getattr;
allow insights_core_t domain:netlink_xfrm_socket getattr;
allow insights_core_t domain:netrom_socket getattr;
allow insights_core_t domain:nfc_socket getattr;
allow insights_core_t domain:packet_socket getattr;
allow insights_core_t domain:phonet_socket getattr;
allow insights_core_t domain:pppox_socket getattr;
allow insights_core_t domain:process getattr;
allow insights_core_t domain:qipcrtr_socket getattr;
allow insights_core_t domain:rawip_socket getattr;
allow insights_core_t domain:rds_socket getattr;
allow insights_core_t domain:rose_socket getattr;
allow insights_core_t domain:rxrpc_socket getattr;
allow insights_core_t domain:sctp_socket getattr;
allow insights_core_t domain:smc_socket getattr;
allow insights_core_t domain:tcp_socket getattr;
allow insights_core_t domain:tipc_socket getattr;
allow insights_core_t domain:tun_socket getattr;
allow insights_core_t domain:udp_socket getattr;
allow insights_core_t domain:unix_dgram_socket getattr;
allow insights_core_t domain:unix_stream_socket { connectto getattr };
allow insights_core_t domain:vsock_socket getattr;
allow insights_core_t domain:x25_socket getattr;
allow insights_core_t domain:xdp_socket getattr;
allow iotop_t domain:dir { getattr ioctl lock open read search };
allow iotop_t domain:file { getattr ioctl lock open read };
allow iotop_t domain:lnk_file { getattr read };
allow iotop_t domain:process getsched;
allow iscsid_t domain:dir { getattr ioctl lock open read search };
allow iscsid_t domain:file { getattr ioctl lock open read };
allow iscsid_t domain:lnk_file { getattr read };
allow keepalived_t domain:dir { getattr ioctl lock open read search };
allow keepalived_t domain:file { getattr ioctl lock open read };
allow keepalived_t domain:lnk_file { getattr read };
allow keepalived_t domain:process getattr;
allow kernel_t domain:alg_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:appletalk_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:atmpvc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:atmsvc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:ax25_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:bluetooth_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:caif_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:can_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:dccp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:decnet_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:dir { getattr open search };
allow kernel_t domain:fd use;
allow kernel_t domain:icmp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:ieee802154_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:ipx_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:irda_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:isdn_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:iucv_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:kcm_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:llc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:mctp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_audit_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_connector_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_crypto_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_dnrt_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_fib_lookup_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_firewall_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_generic_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_ip6fw_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_iscsi_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_kobject_uevent_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_netfilter_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_nflog_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_rdma_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_route_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_scsitransport_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_selinux_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_tcpdiag_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_xfrm_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netrom_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:nfc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:packet_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:phonet_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:pppox_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:process signal;
allow kernel_t domain:qipcrtr_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:rawip_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:rds_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:rose_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:rxrpc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:sctp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:smc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:tcp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:tipc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:tun_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:udp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:unix_dgram_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:unix_stream_socket { accept append bind connect connectto getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:vsock_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:x25_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:xdp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow keyutils_request_t domain:key { create read setattr view write };
allow ksmtuned_t domain:dir { getattr ioctl lock open read search };
allow ksmtuned_t domain:file { getattr ioctl lock open read };
allow ksmtuned_t domain:lnk_file { getattr read };
allow ktlshd_t domain:key { read view };
allow login_pgm domain:dir { getattr ioctl lock open read search };
allow login_pgm domain:file { getattr ioctl lock open read };
allow login_pgm domain:lnk_file { getattr read };
allow login_pgm domain:process sigkill;
allow logrotate_t domain:dir { getattr ioctl lock open read search };
allow logrotate_t domain:file { getattr ioctl lock open read };
allow logrotate_t domain:lnk_file { getattr read };
allow logrotate_t domain:process signal;
allow logwatch_t domain:dir { getattr ioctl lock open read search };
allow logwatch_t domain:file { getattr ioctl lock open read };
allow logwatch_t domain:lnk_file { getattr read };
allow mdadm_t domain:dir { getattr ioctl lock open read search };
allow mdadm_t domain:file { getattr ioctl lock open read };
allow mdadm_t domain:lnk_file { getattr read };
allow mock_t domain:dir { getattr ioctl lock open read search };
allow mock_t domain:file { getattr ioctl lock open read };
allow mock_t domain:lnk_file { getattr read };
allow mon_statd_domain domain:dir { getattr ioctl lock open read search };
allow mon_statd_domain domain:file { getattr ioctl lock open read };
allow mon_statd_domain domain:lnk_file { getattr read };
allow munin_t domain:dir { getattr ioctl lock open read search };
allow munin_t domain:file { getattr ioctl lock open read };
allow munin_t domain:lnk_file { getattr read };
allow mysqld_safe_t domain:dir { getattr ioctl lock open read search };
allow mysqld_safe_t domain:file { getattr ioctl lock open read };
allow mysqld_safe_t domain:lnk_file { getattr read };
allow mysqld_t domain:dir { getattr ioctl lock open read search };
allow mysqld_t domain:file { getattr ioctl lock open read };
allow mysqld_t domain:lnk_file { getattr read };
allow nagios_openshift_plugin_t domain:dir { getattr ioctl lock open read search };
allow nagios_openshift_plugin_t domain:file { getattr ioctl lock open read };
allow nagios_openshift_plugin_t domain:lnk_file { getattr read };
allow nagios_services_plugin_t domain:dir { getattr ioctl lock open read search };
allow nagios_services_plugin_t domain:file { getattr ioctl lock open read };
allow nagios_services_plugin_t domain:lnk_file { getattr read };
allow nagios_system_plugin_t domain:dir { getattr ioctl lock open read search };
allow nagios_system_plugin_t domain:file { getattr ioctl lock open read };
allow nagios_system_plugin_t domain:lnk_file { getattr read };
allow nagios_t domain:dir { getattr ioctl lock open read search };
allow nagios_t domain:file { getattr ioctl lock open read };
allow nagios_t domain:lnk_file { getattr read };
allow ncftool_t domain:dir { getattr ioctl lock open read search };
allow ncftool_t domain:file { getattr ioctl lock open read };
allow ncftool_t domain:lnk_file { getattr read };
allow neutron_t domain:dir { getattr ioctl lock open read search };
allow neutron_t domain:file { getattr ioctl lock open read };
allow neutron_t domain:lnk_file { getattr read };
allow nrpe_t domain:dir { getattr ioctl lock open read search };
allow nrpe_t domain:file { getattr ioctl lock open read };
allow nrpe_t domain:lnk_file { getattr read };
allow nscd_t domain:dir { getattr open search };
allow numad_t domain:dir { getattr ioctl lock open read search };
allow numad_t domain:file { getattr ioctl lock open read };
allow numad_t domain:lnk_file { getattr read };
allow numad_t domain:process { setsched signull };
allow passenger_t domain:dir { getattr ioctl lock open read search };
allow passenger_t domain:file { getattr ioctl lock open read };
allow passenger_t domain:lnk_file { getattr read };
allow pcp_pmcd_t domain:dir { getattr ioctl lock open read search };
allow pcp_pmcd_t domain:file { getattr ioctl lock open read };
allow pcp_pmcd_t domain:lnk_file { getattr read };
allow pcp_pmcd_t domain:process getattr;
allow pcp_pmie_t domain:dir { getattr ioctl lock open read search };
allow pcp_pmie_t domain:file { getattr ioctl lock open read };
allow pcp_pmie_t domain:lnk_file { getattr read };
allow pcp_pmlogger_t domain:dir { getattr ioctl lock open read search };
allow pcp_pmlogger_t domain:file { getattr ioctl lock open read };
allow pcp_pmlogger_t domain:lnk_file { getattr read };
allow pcscd_t domain:dir { getattr ioctl lock open read search };
allow pcscd_t domain:file { getattr ioctl lock open read };
allow pcscd_t domain:lnk_file { getattr read };
allow pegasus_t domain:dir { getattr ioctl lock open read search };
allow pegasus_t domain:file { getattr ioctl lock open read };
allow pegasus_t domain:lnk_file { getattr read };
allow policykit_t domain:dir { getattr ioctl lock open read search };
allow policykit_t domain:file { getattr ioctl lock open read };
allow policykit_t domain:lnk_file { getattr read };
allow psad_t domain:dir { getattr ioctl lock open read search };
allow psad_t domain:file { getattr ioctl lock open read };
allow psad_t domain:lnk_file { getattr read };
allow puppetmaster_t domain:dir { getattr ioctl lock open read search };
allow puppetmaster_t domain:file { getattr ioctl lock open read };
allow puppetmaster_t domain:lnk_file { getattr read };
allow rabbitmq_t domain:dir { getattr ioctl lock open read search };
allow rabbitmq_t domain:file { getattr ioctl lock open read };
allow rabbitmq_t domain:lnk_file { getattr read };
allow racoon_t domain:association setcontext;
allow readahead_t domain:dir { getattr ioctl lock open read search };
allow readahead_t domain:file { getattr ioctl lock open read };
allow readahead_t domain:lnk_file { getattr read };
allow rhcd_t domain:alg_socket getattr;
allow rhcd_t domain:appletalk_socket getattr;
allow rhcd_t domain:atmpvc_socket getattr;
allow rhcd_t domain:atmsvc_socket getattr;
allow rhcd_t domain:ax25_socket getattr;
allow rhcd_t domain:bluetooth_socket getattr;
allow rhcd_t domain:caif_socket getattr;
allow rhcd_t domain:can_socket getattr;
allow rhcd_t domain:dccp_socket getattr;
allow rhcd_t domain:decnet_socket getattr;
allow rhcd_t domain:dir { getattr ioctl lock open read search };
allow rhcd_t domain:fifo_file getattr;
allow rhcd_t domain:file { getattr ioctl lock open read };
allow rhcd_t domain:icmp_socket getattr;
allow rhcd_t domain:ieee802154_socket getattr;
allow rhcd_t domain:ipx_socket getattr;
allow rhcd_t domain:irda_socket getattr;
allow rhcd_t domain:isdn_socket getattr;
allow rhcd_t domain:iucv_socket getattr;
allow rhcd_t domain:kcm_socket getattr;
allow rhcd_t domain:llc_socket getattr;
allow rhcd_t domain:lnk_file { getattr read };
allow rhcd_t domain:mctp_socket getattr;
allow rhcd_t domain:netlink_audit_socket getattr;
allow rhcd_t domain:netlink_connector_socket getattr;
allow rhcd_t domain:netlink_crypto_socket getattr;
allow rhcd_t domain:netlink_dnrt_socket getattr;
allow rhcd_t domain:netlink_fib_lookup_socket getattr;
allow rhcd_t domain:netlink_firewall_socket getattr;
allow rhcd_t domain:netlink_generic_socket getattr;
allow rhcd_t domain:netlink_ip6fw_socket getattr;
allow rhcd_t domain:netlink_iscsi_socket getattr;
allow rhcd_t domain:netlink_kobject_uevent_socket getattr;
allow rhcd_t domain:netlink_netfilter_socket getattr;
allow rhcd_t domain:netlink_nflog_socket getattr;
allow rhcd_t domain:netlink_rdma_socket getattr;
allow rhcd_t domain:netlink_route_socket getattr;
allow rhcd_t domain:netlink_scsitransport_socket getattr;
allow rhcd_t domain:netlink_selinux_socket getattr;
allow rhcd_t domain:netlink_socket getattr;
allow rhcd_t domain:netlink_tcpdiag_socket getattr;
allow rhcd_t domain:netlink_xfrm_socket getattr;
allow rhcd_t domain:netrom_socket getattr;
allow rhcd_t domain:nfc_socket getattr;
allow rhcd_t domain:packet_socket getattr;
allow rhcd_t domain:phonet_socket getattr;
allow rhcd_t domain:pppox_socket getattr;
allow rhcd_t domain:qipcrtr_socket getattr;
allow rhcd_t domain:rawip_socket getattr;
allow rhcd_t domain:rds_socket getattr;
allow rhcd_t domain:rose_socket getattr;
allow rhcd_t domain:rxrpc_socket getattr;
allow rhcd_t domain:sctp_socket getattr;
allow rhcd_t domain:smc_socket getattr;
allow rhcd_t domain:tcp_socket getattr;
allow rhcd_t domain:tipc_socket getattr;
allow rhcd_t domain:tun_socket getattr;
allow rhcd_t domain:udp_socket getattr;
allow rhcd_t domain:unix_dgram_socket getattr;
allow rhcd_t domain:unix_stream_socket getattr;
allow rhcd_t domain:vsock_socket getattr;
allow rhcd_t domain:x25_socket getattr;
allow rhcd_t domain:xdp_socket getattr;
allow rhsmcertd_t domain:dir { getattr ioctl lock open read search };
allow rhsmcertd_t domain:file { getattr ioctl lock open read };
allow rhsmcertd_t domain:lnk_file { getattr read };
allow rhsmcertd_t domain:process signull;
allow ricci_modcluster_t domain:dir { getattr ioctl lock open read search };
allow ricci_modcluster_t domain:file { getattr ioctl lock open read };
allow ricci_modcluster_t domain:lnk_file { getattr read };
allow ricci_modclusterd_t domain:dir { getattr ioctl lock open read search };
allow ricci_modclusterd_t domain:file { getattr ioctl lock open read };
allow ricci_modclusterd_t domain:lnk_file { getattr read };
allow ricci_modlog_t domain:dir { getattr ioctl lock open read search };
allow ricci_modlog_t domain:file { getattr ioctl lock open read };
allow ricci_modlog_t domain:lnk_file { getattr read };
allow ricci_modstorage_t domain:dir { getattr ioctl lock open read search };
allow ricci_modstorage_t domain:file { getattr ioctl lock open read };
allow ricci_modstorage_t domain:lnk_file { getattr read };
allow ricci_t domain:dir { getattr ioctl lock open read search };
allow ricci_t domain:file { getattr ioctl lock open read };
allow ricci_t domain:lnk_file { getattr read };
allow rtkit_daemon_t domain:dir { getattr ioctl lock open read search };
allow rtkit_daemon_t domain:file { getattr ioctl lock open read };
allow rtkit_daemon_t domain:lnk_file { getattr read };
allow rtkit_daemon_t domain:process getsched;
allow sbd_t domain:dir { getattr ioctl lock open read search };
allow sbd_t domain:file { getattr ioctl lock open read };
allow sbd_t domain:lnk_file { getattr read };
allow sblim_gatherd_t domain:dir { getattr ioctl lock open read search };
allow sblim_gatherd_t domain:file { getattr ioctl lock open read };
allow sblim_gatherd_t domain:lnk_file { getattr read };
allow sblim_sfcbd_t domain:dir { getattr ioctl lock open read search };
allow sblim_sfcbd_t domain:file { getattr ioctl lock open read };
allow sblim_sfcbd_t domain:lnk_file { getattr read };
allow screen_domain domain:dir { getattr ioctl lock open read search };
allow screen_domain domain:file { getattr ioctl lock open read };
allow screen_domain domain:lnk_file { getattr read };
allow sectoolm_t domain:dir { getattr ioctl lock open read search };
allow sectoolm_t domain:file { getattr ioctl lock open read };
allow sectoolm_t domain:lnk_file { getattr read };
allow sectoolm_t domain:process getattr;
allow session_bus_type domain:dir { getattr ioctl lock open read search };
allow session_bus_type domain:file { getattr ioctl lock open read };
allow session_bus_type domain:lnk_file { getattr read };
allow setfiles_domain domain:blk_file { getattr relabelfrom };
allow setfiles_domain domain:chr_file { getattr relabelfrom };
allow setfiles_domain domain:dir { getattr ioctl lock open read relabelfrom search };
allow setfiles_domain domain:fifo_file { getattr relabelfrom };
allow setfiles_domain domain:file { getattr ioctl lock open read relabelfrom };
allow setfiles_domain domain:lnk_file { getattr read relabelfrom };
allow setfiles_domain domain:sock_file { getattr relabelfrom };
allow setkey_t domain:association setcontext;
allow setrans_t domain:dir { getattr ioctl lock open read search };
allow setrans_t domain:file { getattr ioctl lock open read };
allow setrans_t domain:lnk_file { getattr read };
allow setrans_t domain:process { getattr getsession };
allow setroubleshootd_t domain:dir { getattr ioctl lock open read search };
allow setroubleshootd_t domain:file { getattr ioctl lock open read };
allow setroubleshootd_t domain:lnk_file { getattr read };
allow setroubleshootd_t domain:process signull;
allow shorewall_t domain:dir { getattr ioctl lock open read search };
allow shorewall_t domain:file { getattr ioctl lock open read };
allow shorewall_t domain:lnk_file { getattr read };
allow snapperd_t domain:dir { getattr ioctl lock open read search };
allow snapperd_t domain:file { getattr ioctl lock open read };
allow snapperd_t domain:lnk_file { getattr read };
allow snmpd_t domain:dir { getattr ioctl lock open read search };
allow snmpd_t domain:file { getattr ioctl lock open read };
allow snmpd_t domain:lnk_file { getattr read };
allow snmpd_t domain:process signull;
allow spamd_update_t domain:dir { getattr ioctl lock open read search };
allow spamd_update_t domain:file { getattr ioctl lock open read };
allow spamd_update_t domain:lnk_file { getattr read };
allow spc_t domain:process { ptrace transition };
allow sshd_t svirt_sandbox_domain:process { getattr sigchld signal signull sigstop transition };
allow sshd_t svirt_sandbox_domain:unix_dgram_socket sendto;
allow sshd_t svirt_sandbox_domain:unix_stream_socket connectto;
allow sssd_t domain:dir { getattr ioctl lock open read search };
allow sssd_t domain:file { getattr ioctl lock open read };
allow sssd_t domain:lnk_file { getattr read };
allow staff_t container_domain:process { sigchld sigkill signal signull sigstop };
allow staff_t domain:dir { getattr ioctl lock open read search };
allow staff_t domain:file { getattr ioctl lock open read };
allow staff_t domain:lnk_file { getattr read };
allow staff_t domain:process { getattr getcap getsched };
allow stalld_t domain:dir { getattr ioctl lock open read search };
allow stalld_t domain:file { getattr ioctl lock open read };
allow stalld_t domain:lnk_file { getattr read };
allow stalld_t domain:process { getsched setsched };
allow stapserver_t domain:dir { getattr ioctl lock open read search };
allow stapserver_t domain:file { getattr ioctl lock open read };
allow stapserver_t domain:lnk_file { getattr read };
allow sysadm_t domain:alg_socket getattr;
allow sysadm_t domain:appletalk_socket getattr;
allow sysadm_t domain:atmpvc_socket getattr;
allow sysadm_t domain:atmsvc_socket getattr;
allow sysadm_t domain:ax25_socket getattr;
allow sysadm_t domain:bluetooth_socket getattr;
allow sysadm_t domain:caif_socket getattr;
allow sysadm_t domain:can_socket getattr;
allow sysadm_t domain:dccp_socket getattr;
allow sysadm_t domain:decnet_socket getattr;
allow sysadm_t domain:dir { getattr ioctl lock open read search };
allow sysadm_t domain:file { getattr ioctl lock open read };
allow sysadm_t domain:icmp_socket getattr;
allow sysadm_t domain:ieee802154_socket getattr;
allow sysadm_t domain:ipx_socket getattr;
allow sysadm_t domain:irda_socket getattr;
allow sysadm_t domain:isdn_socket getattr;
allow sysadm_t domain:iucv_socket getattr;
allow sysadm_t domain:kcm_socket getattr;
allow sysadm_t domain:key { read view };
allow sysadm_t domain:llc_socket getattr;
allow sysadm_t domain:lnk_file { getattr read };
allow sysadm_t domain:mctp_socket getattr;
allow sysadm_t domain:netlink_audit_socket getattr;
allow sysadm_t domain:netlink_connector_socket getattr;
allow sysadm_t domain:netlink_crypto_socket getattr;
allow sysadm_t domain:netlink_dnrt_socket getattr;
allow sysadm_t domain:netlink_fib_lookup_socket getattr;
allow sysadm_t domain:netlink_firewall_socket getattr;
allow sysadm_t domain:netlink_generic_socket getattr;
allow sysadm_t domain:netlink_ip6fw_socket getattr;
allow sysadm_t domain:netlink_iscsi_socket getattr;
allow sysadm_t domain:netlink_kobject_uevent_socket getattr;
allow sysadm_t domain:netlink_netfilter_socket getattr;
allow sysadm_t domain:netlink_nflog_socket getattr;
allow sysadm_t domain:netlink_rdma_socket getattr;
allow sysadm_t domain:netlink_route_socket getattr;
allow sysadm_t domain:netlink_scsitransport_socket getattr;
allow sysadm_t domain:netlink_selinux_socket getattr;
allow sysadm_t domain:netlink_socket getattr;
allow sysadm_t domain:netlink_tcpdiag_socket getattr;
allow sysadm_t domain:netlink_xfrm_socket getattr;
allow sysadm_t domain:netrom_socket getattr;
allow sysadm_t domain:nfc_socket getattr;
allow sysadm_t domain:packet_socket getattr;
allow sysadm_t domain:phonet_socket getattr;
allow sysadm_t domain:pppox_socket getattr;
allow sysadm_t domain:process ptrace; [ deny_ptrace ]:False
allow sysadm_t domain:process { getattr getcap setsched sigchld sigkill signal signull sigstop };
allow sysadm_t domain:qipcrtr_socket getattr;
allow sysadm_t domain:rawip_socket getattr;
allow sysadm_t domain:rds_socket getattr;
allow sysadm_t domain:rose_socket getattr;
allow sysadm_t domain:rxrpc_socket getattr;
allow sysadm_t domain:sctp_socket getattr;
allow sysadm_t domain:smc_socket getattr;
allow sysadm_t domain:tcp_socket getattr;
allow sysadm_t domain:tipc_socket getattr;
allow sysadm_t domain:tun_socket getattr;
allow sysadm_t domain:udp_socket getattr;
allow sysadm_t domain:unix_dgram_socket getattr;
allow sysadm_t domain:unix_stream_socket getattr;
allow sysadm_t domain:vsock_socket getattr;
allow sysadm_t domain:x25_socket getattr;
allow sysadm_t domain:xdp_socket getattr;
allow sysadm_t svirt_sandbox_domain:process transition;
allow sysadm_t svirt_sandbox_domain:unix_dgram_socket sendto;
allow syslogd_t domain:dir { getattr ioctl lock open read search };
allow syslogd_t domain:file { getattr ioctl lock open read };
allow syslogd_t domain:lnk_file { getattr read };
allow syslogd_t domain:process { getattr signull };
allow system_dbusd_t domain:dir { getattr ioctl lock open read search };
allow system_dbusd_t domain:file { getattr ioctl lock open read };
allow system_dbusd_t domain:lnk_file { getattr read };
allow system_munin_plugin_t domain:dir { getattr ioctl lock open read search };
allow system_munin_plugin_t domain:file { getattr ioctl lock open read };
allow system_munin_plugin_t domain:lnk_file { getattr read };
allow systemd_bootchart_t domain:dir { getattr ioctl lock open read search };
allow systemd_bootchart_t domain:file { getattr ioctl lock open read };
allow systemd_bootchart_t domain:lnk_file { getattr read };
allow systemd_coredump_t domain:dir { getattr ioctl lock open read search };
allow systemd_coredump_t domain:file { getattr ioctl lock open read };
allow systemd_coredump_t domain:lnk_file { getattr read };
allow systemd_homework_t domain:key { create read setattr view write };
allow systemd_logind_t container_domain:dbus send_msg;
allow systemd_logind_t container_domain:process getattr;
allow systemd_logind_t domain:dir { getattr ioctl lock open read search };
allow systemd_logind_t domain:file { getattr ioctl lock open read };
allow systemd_logind_t domain:lnk_file { getattr read };
allow systemd_logind_t domain:process { sigkill signal signull };
allow systemd_logind_t domain:sem destroy;
allow systemd_logind_t sandbox_net_domain:dbus send_msg;
allow systemd_logind_t sandbox_net_domain:process getattr;
allow systemd_machined_t domain:process { signal signull };
allow systemd_machined_t svirt_sandbox_domain:dir { getattr ioctl lock open read search };
allow systemd_machined_t svirt_sandbox_domain:file { getattr ioctl lock open read };
allow systemd_machined_t svirt_sandbox_domain:lnk_file { getattr read };
allow systemd_machined_t svirt_sandbox_domain:process getattr;
allow systemd_machined_t svirt_sandbox_domain:unix_stream_socket connectto;
allow systemd_passwd_agent_t domain:dir { getattr ioctl lock open read search };
allow systemd_passwd_agent_t domain:file { getattr ioctl lock open read };
allow systemd_passwd_agent_t domain:lnk_file { getattr read };
allow systemd_resolved_t domain:dbus send_msg;
allow systemd_resolved_t domain:dir { getattr ioctl lock open read search };
allow systemd_resolved_t domain:file { getattr ioctl lock open read };
allow systemd_resolved_t domain:lnk_file { getattr read };
allow systemd_resolved_t domain:process getattr;
allow tmpreaper_t domain:alg_socket getattr;
allow tmpreaper_t domain:appletalk_socket getattr;
allow tmpreaper_t domain:atmpvc_socket getattr;
allow tmpreaper_t domain:atmsvc_socket getattr;
allow tmpreaper_t domain:ax25_socket getattr;
allow tmpreaper_t domain:bluetooth_socket getattr;
allow tmpreaper_t domain:caif_socket getattr;
allow tmpreaper_t domain:can_socket getattr;
allow tmpreaper_t domain:dccp_socket getattr;
allow tmpreaper_t domain:decnet_socket getattr;
allow tmpreaper_t domain:dir { getattr ioctl lock open read search };
allow tmpreaper_t domain:fifo_file getattr;
allow tmpreaper_t domain:file { getattr ioctl lock open read };
allow tmpreaper_t domain:icmp_socket getattr;
allow tmpreaper_t domain:ieee802154_socket getattr;
allow tmpreaper_t domain:ipx_socket getattr;
allow tmpreaper_t domain:irda_socket getattr;
allow tmpreaper_t domain:isdn_socket getattr;
allow tmpreaper_t domain:iucv_socket getattr;
allow tmpreaper_t domain:kcm_socket getattr;
allow tmpreaper_t domain:llc_socket getattr;
allow tmpreaper_t domain:lnk_file { getattr read };
allow tmpreaper_t domain:mctp_socket getattr;
allow tmpreaper_t domain:netlink_audit_socket getattr;
allow tmpreaper_t domain:netlink_connector_socket getattr;
allow tmpreaper_t domain:netlink_crypto_socket getattr;
allow tmpreaper_t domain:netlink_dnrt_socket getattr;
allow tmpreaper_t domain:netlink_fib_lookup_socket getattr;
allow tmpreaper_t domain:netlink_firewall_socket getattr;
allow tmpreaper_t domain:netlink_generic_socket getattr;
allow tmpreaper_t domain:netlink_ip6fw_socket getattr;
allow tmpreaper_t domain:netlink_iscsi_socket getattr;
allow tmpreaper_t domain:netlink_kobject_uevent_socket getattr;
allow tmpreaper_t domain:netlink_netfilter_socket getattr;
allow tmpreaper_t domain:netlink_nflog_socket getattr;
allow tmpreaper_t domain:netlink_rdma_socket getattr;
allow tmpreaper_t domain:netlink_route_socket getattr;
allow tmpreaper_t domain:netlink_scsitransport_socket getattr;
allow tmpreaper_t domain:netlink_selinux_socket getattr;
allow tmpreaper_t domain:netlink_socket getattr;
allow tmpreaper_t domain:netlink_tcpdiag_socket getattr;
allow tmpreaper_t domain:netlink_xfrm_socket getattr;
allow tmpreaper_t domain:netrom_socket getattr;
allow tmpreaper_t domain:nfc_socket getattr;
allow tmpreaper_t domain:packet_socket getattr;
allow tmpreaper_t domain:phonet_socket getattr;
allow tmpreaper_t domain:pppox_socket getattr;
allow tmpreaper_t domain:qipcrtr_socket getattr;
allow tmpreaper_t domain:rawip_socket getattr;
allow tmpreaper_t domain:rds_socket getattr;
allow tmpreaper_t domain:rose_socket getattr;
allow tmpreaper_t domain:rxrpc_socket getattr;
allow tmpreaper_t domain:sctp_socket getattr;
allow tmpreaper_t domain:smc_socket getattr;
allow tmpreaper_t domain:tcp_socket getattr;
allow tmpreaper_t domain:tipc_socket getattr;
allow tmpreaper_t domain:tun_socket getattr;
allow tmpreaper_t domain:udp_socket getattr;
allow tmpreaper_t domain:unix_dgram_socket getattr;
allow tmpreaper_t domain:unix_stream_socket getattr;
allow tmpreaper_t domain:vsock_socket getattr;
allow tmpreaper_t domain:x25_socket getattr;
allow tmpreaper_t domain:xdp_socket getattr;
allow unconfined_domain_type container_domain:process { dyntransition transition };
allow unconfined_domain_type container_domain:process2 { nnp_transition nosuid_transition };
allow unconfined_domain_type domain:alg_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:appletalk_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:association recvfrom;
allow unconfined_domain_type domain:atmpvc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:atmsvc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:ax25_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:bluetooth_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:bpf { map_create map_read map_write prog_load prog_run };
allow unconfined_domain_type domain:caif_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:can_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:dccp_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind name_connect node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:decnet_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:dir { getattr ioctl lock open read search watch };
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file { append getattr ioctl lock open read write };
allow unconfined_domain_type domain:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow unconfined_domain_type domain:icmp_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:ieee802154_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:io_uring { cmd override_creds };
allow unconfined_domain_type domain:ipx_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:irda_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:isdn_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:iucv_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:kcm_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:key { create read setattr view write };
allow unconfined_domain_type domain:key_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:llc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:lnk_file { getattr ioctl lock read };
allow unconfined_domain_type domain:mctp_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:msg { receive send };
allow unconfined_domain_type domain:msgq { associate create destroy enqueue getattr read setattr unix_read unix_write write };
allow unconfined_domain_type domain:netlink_audit_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_readpriv nlmsg_relay nlmsg_tty_audit nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_connector_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_crypto_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_dnrt_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_fib_lookup_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_firewall_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_generic_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_ip6fw_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_iscsi_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_kobject_uevent_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_netfilter_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_nflog_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_rdma_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_route_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_scsitransport_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_selinux_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_tcpdiag_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_xfrm_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netrom_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:nfc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:packet_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:peer recv;
allow unconfined_domain_type domain:perf_event { read write };
allow unconfined_domain_type domain:phonet_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:pppox_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:process ptrace; [ deny_ptrace ]:False
allow unconfined_domain_type domain:process { fork getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setcurrent setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share sigchld siginh sigkill signal signull sigstop };
allow unconfined_domain_type domain:qipcrtr_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:rawip_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:rds_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:rose_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:rxrpc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:sctp_socket { accept append association bind connect create getattr getopt ioctl listen lock map name_bind name_connect node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:sem { associate create destroy getattr read setattr unix_read unix_write write };
allow unconfined_domain_type domain:shm { associate create destroy getattr lock read setattr unix_read unix_write write };
allow unconfined_domain_type domain:smc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:system { disable enable halt ipc_info module_load module_request reboot reload start status stop syslog_console syslog_mod syslog_read undefined };
allow unconfined_domain_type domain:tcp_socket { accept acceptfrom append bind connect connectto create getattr getopt ioctl listen lock map name_bind name_connect newconn node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:tipc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:tun_socket { accept append attach_queue bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:udp_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:unix_dgram_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:unix_stream_socket { accept acceptfrom append bind connect connectto create getattr getopt ioctl listen lock map name_bind newconn read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:vsock_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:x25_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:xdp_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_t domain:process dyntransition; [ unconfined_dyntrans_all ]:True
allow unconfined_t domain:process transition;
allow useradd_t domain:dir { getattr ioctl lock open read search };
allow useradd_t domain:file { getattr ioctl lock open read };
allow useradd_t domain:lnk_file { getattr read };
allow userdomain container_domain:process transition;
allow virsh_t svirt_sandbox_domain:dir { getattr ioctl lock open read search };
allow virsh_t svirt_sandbox_domain:file { getattr ioctl lock open read };
allow virsh_t svirt_sandbox_domain:lnk_file { getattr read };
allow virsh_t svirt_sandbox_domain:process { getattr sigchld sigkill signal signull sigstop transition };
allow virsh_t svirt_sandbox_domain:unix_dgram_socket sendto;
allow virtd_lxc_t svirt_sandbox_domain:process transition;
allow virtd_t svirt_sandbox_domain:process transition;
allow vmtools_unconfined_t domain:dbus send_msg;
allow watchdog_t domain:process { getsession sigchld sigkill signal signull sigstop };
allow zabbix_agent_t domain:dir { getattr ioctl lock open read search };
allow zabbix_agent_t domain:file { getattr ioctl lock open read };
allow zabbix_agent_t domain:lnk_file { getattr read };
allow zoneminder_t domain:dir { getattr ioctl lock open read search };
allow zoneminder_t domain:file { getattr ioctl lock open read };
allow zoneminder_t domain:lnk_file { getattr read };
* [PATCH] secilc: Add test for attribute assignment to attributes
2025-06-23 19:24 ` Vit Mojzis
@ 2025-07-16 14:16 ` Vit Mojzis
2025-08-04 17:03 ` [PATCH v2] " Vit Mojzis
0 siblings, 1 reply; 8+ messages in thread
From: Vit Mojzis @ 2025-07-16 14:16 UTC (permalink / raw)
To: selinux
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
I played around with the functionality in CIL and if setools is to be
believed, it seems like the attribute being assigned to another
attribute always gets expanded, meaning that in the kernel binary policy
there are no attributes with attributes, just types assigned to
attributes.
The functionality overall seems robust and even corner cases like
a circular assignment, or roletype statements are handled properly.
In [1], I tried replacing types with proxy attributes in order to have a
more complex example (interface calls, transition over multiple
attributes, etc.). The policy translates properly to CIL and seems to be
enforced as expected.
Please let me know if there is a use case you'd like to see tested.
[1] https://github.com/SELinuxProject/selinux-testsuite/pull/102
secilc/test/attribute_assignment_test.cil | 67 +++++++++++++++++++++++
1 file changed, 67 insertions(+)
create mode 100644 secilc/test/attribute_assignment_test.cil
diff --git a/secilc/test/attribute_assignment_test.cil b/secilc/test/attribute_assignment_test.cil
new file mode 100644
index 00000000..f8306cee
--- /dev/null
+++ b/secilc/test/attribute_assignment_test.cil
@@ -0,0 +1,67 @@
+(typeattribute a)
+(typeattribute b)
+(typeattribute c)
+(typeattribute d)
+(typeattribute e)
+(typeattribute f)
+(typeattribute g)
+
+(type ta)
+(type tb)
+(type tc)
+(type td)
+(type te)
+(type tf)
+
+(role rr)
+
+; Basic attribute assignment
+(typeattributeset a b)
+
+; Assignment with types
+(typeattributeset b (ta tb))
+(typeattributeset a b)
+; Expected: a includes both ta and tb as members via b
+; seinfo -xa a
+
+; Chained attribute assignment
+(typeattributeset a b)
+(typeattributeset c tc)
+(typeattributeset b c)
+; Expected: a includes tc via b and c
+; seinfo -xa a
+
+; roletype assignment via chained attributes (tc -> c -> b -> a)
+(typeattributeset a b)
+(typeattributeset c tc)
+(typeattributeset b c)
+(roletype rr c)
+; Expected: tc is assigned to role rr
+; seinfo -xr rr
+
+; Multiple attributes/types assigned
+(typeattributeset d td)
+(typeattributeset e td)
+(typeattributeset f (te tf))
+(typeattributeset g (d e f tc))
+; Expected: g includes tc, td via both b and c, and te and tf via f
+; seinfo -xa g
+
+; Cyclic assignment
+(typeattributeset a b)
+(typeattributeset b c)
+; (typeattributeset c a)
+; Expected: ^^^ Should exit with error
+; Self-reference found for a at <test file>:38
+
+; Allow each attribute some access so that they don't get optimized out
+(allow a a (dir (getattr)))
+(allow b b (dir (open)))
+(allow c c (dir (search)))
+(allow d d (dir (search)))
+(allow e e (dir (search)))
+(allow f f (dir (getattr search open)))
+(allow g g (dir (open)))
+; Expected: ta is assigned to "a" and "b", while tc is assigned to "a", "b", "c" and "g" and so are assigned permissions accordingly
+; sesearch -A -s ta
+; sesearch -A -s tc
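Review bot: the expected comment under "Multiple attributes/types assigned" is wrong: td reaches g through d and e, not through b and c (neither b nor c contains td, and g is set to (d e f tc)), so it should read something like `; Expected: g includes tc directly, td via d and e, and te and tf via f`. The cyclic case is commented out, so the "Should exit with error" expectation is never exercised by this file, and the quoted location `<test file>:38` does not correspond to any of the three statements forming the cycle (lines 51 to 53 of this file); consider a separate negative test for the cycle, or drop the line-number detail from the comment. Minor: `(typeattributeset a b)` appears five times; CIL unions repeated statements for the same attribute so it is harmless, but a single occurrence would make the intent of each section clearer.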
--
2.49.0
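The expansion described in the message above (attribute-in-attribute assignment flattened to plain types before the kernel policy is written), as an added Python model that is not code from secilc or the test file: it parses the typeattributeset statements of the test file into a membership map, expands each attribute transitively, and reports a cycle the way the test's comment expects. The sample input is constructed from the test file, and the names parse, expand and attributes_of are mine.

```python
import re

# Constructed sample: the declarations and typeattributeset statements from the
# test file above, condensed (the commented-out cycle is added separately in use).
SAMPLE_CIL = """
(typeattribute a) (typeattribute b) (typeattribute c) (typeattribute d)
(typeattribute e) (typeattribute f) (typeattribute g)
(typeattributeset a b)
(typeattributeset b (ta tb))
(typeattributeset c tc)
(typeattributeset b c)
(typeattributeset d td)
(typeattributeset e td)
(typeattributeset f (te tf))
(typeattributeset g (d e f tc))
(typeattributeset g tg)
"""

DECL = re.compile(r"\(typeattribute\s+(\w+)\)")
SET = re.compile(r"\(typeattributeset\s+(\w+)\s+(\([^()]*\)|\w+)\)")

def parse(cil):
    """Return (attributes, {attribute: direct members}). Several typeattributeset
    statements for one attribute are unioned, which is how CIL treats them."""
    attrs = set(DECL.findall(cil))
    members = {}
    for attr, expr in SET.findall(cil):
        members.setdefault(attr, set()).update(expr.strip("()").split())
    return attrs, members

def expand(attr, attrs, members, _path=()):
    """Flatten attr to the set of plain types it contains, following attribute-in-
    attribute assignments transitively (what the kernel policy ends up with).
    A cycle raises ValueError, mirroring secilc's 'Self-reference found' error."""
    if attr in _path:
        raise ValueError(f"Self-reference found for {attr}")
    types = set()
    for m in members.get(attr, ()):
        if m in attrs:                       # nested attribute: recurse into it
            types |= expand(m, attrs, members, _path + (attr,))
        else:                                # plain type: a leaf member
            types.add(m)
    return types

def attributes_of(type_name, attrs, members):
    """Attributes a type is a member of once everything is expanded."""
    return {a for a in attrs if type_name in expand(a, attrs, members)}
```

Run against the sample, attributes_of("tc") gives {a, b, c, g} and expand("g") minus expand("f") gives {td, tc, tg}, the memberships the test file's comments predict.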
* [PATCH v2] secilc: Add test for attribute assignment to attributes
2025-07-16 14:16 ` [PATCH] secilc: Add test for " Vit Mojzis
@ 2025-08-04 17:03 ` Vit Mojzis
0 siblings, 0 replies; 8+ messages in thread
From: Vit Mojzis @ 2025-08-04 17:03 UTC (permalink / raw)
To: selinux
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
Added a deny rule to the mix, which also behaves as expected.
To be honest, I gave up on more complex examples with deny rules, since
they quickly become hard to understand (but at least never caused a
compilation error for me).
Please let me know if there is a use case you'd like to see tested.
secilc/test/attribute_assignment_test.cil | 79 +++++++++++++++++++++++
1 file changed, 79 insertions(+)
create mode 100644 secilc/test/attribute_assignment_test.cil
diff --git a/secilc/test/attribute_assignment_test.cil b/secilc/test/attribute_assignment_test.cil
new file mode 100644
index 00000000..dde3be5e
--- /dev/null
+++ b/secilc/test/attribute_assignment_test.cil
@@ -0,0 +1,79 @@
+(typeattribute a)
+(typeattribute b)
+(typeattribute c)
+(typeattribute d)
+(typeattribute e)
+(typeattribute f)
+(typeattribute g)
+
+(type ta)
+(type tb)
+(type tc)
+(type td)
+(type te)
+(type tf)
+(type tg)
+
+(role rr)
+
+; Basic attribute assignment
+(typeattributeset a b)
+
+; Assignment with types
+(typeattributeset b (ta tb))
+(typeattributeset a b)
+; Expected: a includes both ta and tb as members via b
+; seinfo -xa a
+
+; Chained attribute assignment
+(typeattributeset a b)
+(typeattributeset c tc)
+(typeattributeset b c)
+; Expected: a includes tc via b and c
+; seinfo -xa a
+
+; roletype assignment via chained attributes (tc -> c -> b -> a)
+(typeattributeset a b)
+(typeattributeset c tc)
+(typeattributeset b c)
+(roletype rr c)
+; Expected: tc is assigned to role rr
+; seinfo -xr rr
+
+; Multiple attributes/types assigned
+(typeattributeset d td)
+(typeattributeset e td)
+(typeattributeset f (te tf))
+(typeattributeset g (d e f tc))
+; Expected: g includes tc, td via both b and c, and te and tf via f
+; seinfo -xa g
+
+; Cyclic assignment
+(typeattributeset a b)
+(typeattributeset b c)
+; (typeattributeset c a)
+; Expected: ^^^ Should exit with error
+; Self-reference found for a at <test file>:38
+
+; Allow each attribute some access so that they don't get optimized out
+(allow a a (dir (getattr)))
+(allow b b (dir (open)))
+(allow c c (dir (search)))
+(allow d d (dir (search)))
+(allow e e (dir (search)))
+(allow f f (dir (open)))
+(allow g g (dir (getattr search open)))
+; Expected: ta is assigned to "a" and "b", while tc is assigned to "a", "b", "c" and "g" and so are assigned permissions accordingly
+; sesearch -A -s ta
+; sesearch -A -s tc
+
+; Deny rule
+(deny f g (dir (open)))
+(typeattributeset g tg)
+; Expected: tg (assigned to g) is allowed "getattr", "search" and "open" access to g,
+; while tf (assigned to both g and f) is only allowed "getattr" and "search"
+; sesearch -A -s tf
+; sesearch -A -s tg
+; ^^^ the "open" access is assigned via a new attribute deny_rule_attr_XXXX,
+; which is assigned types in "g", but not in "f" -- tc, td and tg
+; seinfo -xa deny_rule_attr_XXXX
\ No newline at end of file
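Review bot: the file is missing its trailing newline (`\ No newline at end of file`); please add one before this goes in. The expected comment under "Multiple attributes/types assigned" still says td reaches g via b and c, while td is only a member of d and e, so the v1 comment should be corrected here too. The deny expectations check out: g's expanded membership is td, te, tf, tc and tg, f's is te and tf, so the types that keep `open` are exactly td, tc and tg as the last comment says.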
--
2.49.0