$ sesearch -A -s container_t
allow container_domain bpf_t:dir { add_name ioctl lock read remove_name write };
allow container_domain bpf_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow container_domain cert_type:dir { ioctl lock read }; [ container_read_certs ]:True
allow container_domain cert_type:file { getattr ioctl lock open read }; [ container_read_certs ]:True
allow container_domain cert_type:lnk_file { getattr read }; [ container_read_certs ]:True
allow container_domain cgroup_t:dir { create link rename reparent rmdir setattr unlink watch watch_reads }; [ container_manage_cgroup ]:True
allow container_domain cgroup_t:dir { ioctl lock mounton read };
allow container_domain cgroup_t:filesystem unmount;
allow container_domain cgroup_type:dir { add_name ioctl lock read remove_name write }; [ container_manage_cgroup ]:True
allow container_domain cgroup_type:dir { add_name ioctl lock read remove_name write }; [ container_manage_cgroup ]:True
allow container_domain cgroup_type:file { append create link rename setattr unlink watch watch_reads write }; [ container_manage_cgroup ]:True
allow container_domain cgroup_type:file { getattr ioctl lock open read };
allow container_domain cgroup_type:lnk_file { append create ioctl link lock rename setattr unlink watch watch_reads write }; [ container_manage_cgroup ]:True
allow container_domain cgroup_type:lnk_file { getattr read };
allow container_domain cifs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ virt_use_samba ]:True
allow container_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True
allow container_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True
allow container_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True
allow container_domain cifs_t:dir { ioctl lock 
read }; [ virt_use_samba ]:True allow container_domain cifs_t:file execmod; [ virt_use_samba ]:True allow container_domain cifs_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ virt_use_samba ]:True allow container_domain cifs_t:file { execute execute_no_trans getattr ioctl map open read }; [ virt_use_samba ]:True allow container_domain cifs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ virt_use_samba ]:True allow container_domain cifs_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; [ virt_use_samba ]:True allow container_domain console_device_t:chr_file { append getattr ioctl lock read write }; allow container_domain container_devpts_t:chr_file open; allow container_domain container_file_t:file entrypoint; allow container_domain container_ro_file_t:dir { ioctl lock read }; allow container_domain container_ro_file_t:file { entrypoint execmod execute execute_no_trans getattr ioctl lock map open read }; allow container_domain container_ro_file_t:lnk_file { getattr read }; allow container_domain container_runtime_domain:alg_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:appletalk_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:atmpvc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:atmsvc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:ax25_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown 
write }; allow container_domain container_runtime_domain:bluetooth_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:caif_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:can_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:dccp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:decnet_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:fd use; allow container_domain container_runtime_domain:icmp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:ieee802154_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:ipx_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:irda_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:isdn_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:iucv_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain 
container_runtime_domain:kcm_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:llc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:mctp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:netlink_audit_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:netlink_connector_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:netlink_crypto_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:netlink_dnrt_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:netlink_fib_lookup_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:netlink_firewall_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:netlink_generic_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:netlink_ip6fw_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:netlink_iscsi_socket 
{ accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:netlink_kobject_uevent_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:netlink_netfilter_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:netlink_nflog_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:netlink_rdma_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:netlink_route_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:netlink_scsitransport_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:netlink_selinux_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:netlink_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:netlink_tcpdiag_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:netlink_xfrm_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:netrom_socket { accept append 
getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:nfc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:packet_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:phonet_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:pppox_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:process sigchld; allow container_domain container_runtime_domain:qipcrtr_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:rawip_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:rds_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:rose_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:rxrpc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:sctp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:smc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom 
send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:tcp_socket { accept append getattr getopt ioctl lock map read recv_msg send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:tipc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:tun_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom relabelfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:udp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:unix_dgram_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:unix_stream_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:vsock_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:x25_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_domain:xdp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; allow container_domain container_runtime_tmpfs_t:dir mounton; allow container_domain container_runtime_tmpfs_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }; allow container_domain container_var_lib_t:dir { add_name ioctl lock read remove_name write }; allow container_domain container_var_lib_t:file entrypoint; allow container_domain device_node:blk_file { append getattr ioctl lock 
map open read write }; [ container_use_devices ]:True allow container_domain device_node:chr_file { append getattr ioctl lock map open read write }; [ container_use_devices ]:True allow container_domain devpts_t:chr_file { append getattr ioctl lock read write }; allow container_domain dri_device_t:chr_file map; [ container_use_dri_devices ]:True allow container_domain dri_device_t:chr_file open; [ container_use_dri_devices ]:True allow container_domain dri_device_t:chr_file { append getattr ioctl lock read write }; allow container_domain ecryptfs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ container_use_ecryptfs ]:True allow container_domain ecryptfs_t:dir { add_name ioctl lock read remove_name write }; [ container_use_ecryptfs ]:True allow container_domain ecryptfs_t:dir { add_name ioctl lock read remove_name write }; [ container_use_ecryptfs ]:True allow container_domain ecryptfs_t:dir { add_name ioctl lock read remove_name write }; [ container_use_ecryptfs ]:True allow container_domain ecryptfs_t:file execmod; [ container_use_ecryptfs ]:True allow container_domain ecryptfs_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ container_use_ecryptfs ]:True allow container_domain ecryptfs_t:file { execute execute_no_trans getattr ioctl map open read }; [ container_use_ecryptfs ]:True allow container_domain ecryptfs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ container_use_ecryptfs ]:True allow container_domain file_type:dir { getattr open search }; allow container_domain file_type:filesystem getattr; allow container_domain filesystem_type:filesystem getattr; allow container_domain fs_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ container_use_cephfs ]:True allow 
container_domain fs_t:dir { add_name getattr ioctl lock open read remove_name search write }; [ container_use_cephfs ]:True allow container_domain fs_t:dir { add_name getattr ioctl lock open read remove_name search write }; [ container_use_cephfs ]:True allow container_domain fs_t:dir { add_name getattr ioctl lock open read remove_name search write }; [ container_use_cephfs ]:True allow container_domain fs_t:dir { getattr open search }; [ container_use_cephfs ]:True allow container_domain fs_t:file execmod; [ container_use_cephfs ]:True allow container_domain fs_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ container_use_cephfs ]:True allow container_domain fs_t:file { execute execute_no_trans getattr ioctl map open read }; [ container_use_cephfs ]:True allow container_domain fs_t:filesystem { mount remount unmount }; allow container_domain fs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ container_use_cephfs ]:True allow container_domain fuse_device_t:chr_file { append getattr ioctl lock open read write }; allow container_domain fusefs_t:dir { add_name create ioctl link lock mounton read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; allow container_domain fusefs_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink write }; allow container_domain fusefs_t:file { append create entrypoint execmod execute execute_no_trans getattr ioctl link lock map mounton open read rename setattr unlink watch watch_reads write }; allow container_domain fusefs_t:filesystem { mount remount unmount }; allow container_domain fusefs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; allow container_domain fusefs_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; allow container_domain 
gssproxy_t:unix_stream_socket connectto; allow container_domain gssproxy_var_lib_t:sock_file { append getattr open write }; allow container_domain gssproxy_var_run_t:sock_file { append getattr open write }; allow container_domain hugetlbfs_t:dir { add_name ioctl lock read remove_name write }; allow container_domain hugetlbfs_t:file { append create execute execute_no_trans getattr ioctl link lock map open read rename setattr unlink watch watch_reads write }; allow container_domain init_t:alg_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:appletalk_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:atmpvc_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:atmsvc_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:ax25_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:bluetooth_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:caif_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:can_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:dccp_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:decnet_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:icmp_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:ieee802154_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:ipx_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:irda_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:isdn_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:iucv_socket { 
accept append getattr getopt ioctl lock read write }; allow container_domain init_t:kcm_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:llc_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:mctp_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:netlink_audit_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:netlink_connector_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:netlink_crypto_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:netlink_dnrt_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:netlink_fib_lookup_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:netlink_firewall_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:netlink_generic_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:netlink_ip6fw_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:netlink_iscsi_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:netlink_kobject_uevent_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:netlink_netfilter_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:netlink_nflog_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:netlink_rdma_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:netlink_route_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:netlink_scsitransport_socket { accept append getattr getopt ioctl lock read write }; allow 
container_domain init_t:netlink_selinux_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:netlink_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:netlink_tcpdiag_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:netlink_xfrm_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:netrom_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:nfc_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:packet_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:phonet_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:pppox_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:qipcrtr_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:rawip_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:rds_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:rose_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:rxrpc_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:sctp_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:smc_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:tcp_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:tipc_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:tun_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:udp_socket { accept append getattr getopt ioctl lock read write }; allow 
container_domain init_t:unix_dgram_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:unix_stream_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:vsock_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:x25_socket { accept append getattr getopt ioctl lock read write }; allow container_domain init_t:xdp_socket { accept append getattr getopt ioctl lock read write }; allow container_domain kernel_t:system ipc_info; allow container_domain kvm_device_t:chr_file { append getattr ioctl lock open read write }; allow container_domain modules_object_t:dir { ioctl lock read }; allow container_domain modules_object_t:file { getattr ioctl lock open read }; allow container_domain modules_object_t:lnk_file { getattr read }; allow container_domain mtrr_device_t:chr_file { getattr ioctl lock open read }; allow container_domain mtrr_device_t:file { getattr ioctl lock open read }; allow container_domain net_conf_t:dir { ioctl lock read }; allow container_domain net_conf_t:file { getattr ioctl lock open read }; allow container_domain net_conf_t:lnk_file { getattr read }; allow container_domain nfs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True allow container_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True allow container_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True allow container_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True allow container_domain nfs_t:dir { ioctl lock read }; [ virt_use_nfs ]:True allow container_domain nfs_t:file execmod; [ virt_use_nfs ]:True allow container_domain nfs_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True allow container_domain 
nfs_t:file { execute execute_no_trans getattr ioctl map open read }; [ virt_use_nfs ]:True allow container_domain nfs_t:filesystem mount; [ virt_use_nfs ]:True allow container_domain nfs_t:filesystem unmount; [ virt_use_nfs ]:True allow container_domain nfs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True allow container_domain nfs_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; [ virt_use_nfs ]:True allow container_domain nsfs_t:file { getattr ioctl lock open read }; allow container_domain nsfs_t:filesystem unmount; allow container_domain onload_fs_t:fifo_file { append getattr ioctl lock open read write }; allow container_domain onload_fs_t:file { append getattr ioctl lock open read write }; allow container_domain onload_fs_t:sock_file { append getattr ioctl open read write }; allow container_domain proc_net_t:file { ioctl lock open read }; allow container_domain proc_net_t:lnk_file { getattr read }; allow container_domain proc_type:dir { getattr ioctl lock mounton open read search }; allow container_domain proc_type:file { getattr mounton }; allow container_domain ptynode:chr_file { append getattr ioctl lock read write }; allow container_domain random_device_t:chr_file { append getattr ioctl lock open read write }; allow container_domain rpm_var_cache_t:dir { ioctl lock read }; allow container_domain rpm_var_cache_t:file { getattr ioctl lock open read }; allow container_domain rpm_var_cache_t:lnk_file { getattr read }; allow container_domain rpm_var_lib_t:dir { ioctl lock read }; allow container_domain rpm_var_lib_t:file { getattr ioctl lock map open read }; allow container_domain rpm_var_lib_t:lnk_file { getattr read }; allow container_domain spc_t:unix_stream_socket { read write }; allow container_domain sssd_t:unix_stream_socket connectto; allow container_domain sssd_var_lib_t:sock_file { append getattr open write }; allow container_domain 
sysctl_kernel_ns_last_pid_t:file { append write }; allow container_domain sysctl_net_t:file { append write }; allow container_domain sysctl_net_t:lnk_file { getattr read }; allow container_domain sysctl_net_unix_t:file { append write }; allow container_domain sysctl_rpc_t:file { append write }; allow container_domain sysctl_type:dir { getattr ioctl lock open read search }; allow container_domain sysctl_type:file { getattr ioctl lock open read }; allow container_domain sysfs_t:dir { ioctl lock read watch }; allow container_domain sysfs_t:file { getattr ioctl lock open read }; allow container_domain sysfs_t:lnk_file { getattr read }; allow container_domain systemd_logind_t:dbus send_msg; allow container_domain systemd_logind_t:fd use; allow container_domain tmpfs_t:file { append getattr ioctl lock read write }; allow container_domain tmpfs_t:filesystem { mount unmount }; allow container_domain tmpfs_t:lnk_file { getattr read }; allow container_domain tty_device_t:chr_file { append getattr ioctl lock read write }; allow container_domain ttynode:chr_file { append getattr ioctl lock read write }; allow container_domain unconfined_domain_type:fifo_file { append getattr ioctl lock map open read write }; allow container_domain urandom_device_t:chr_file { append write }; allow container_domain user_devpts_t:chr_file open; allow container_domain userdomain:alg_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:appletalk_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:atmpvc_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:atmsvc_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:ax25_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:bluetooth_socket { accept append 
getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:caif_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:can_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:dccp_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:decnet_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:fifo_file { append getattr ioctl lock read write }; allow container_domain userdomain:icmp_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:ieee802154_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:ipx_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:irda_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:isdn_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:iucv_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:kcm_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:llc_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:mctp_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:netlink_audit_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:netlink_connector_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:netlink_crypto_socket { 
accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:netlink_dnrt_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:netlink_fib_lookup_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:netlink_firewall_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:netlink_generic_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:netlink_ip6fw_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:netlink_iscsi_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:netlink_kobject_uevent_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:netlink_netfilter_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:netlink_nflog_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:netlink_rdma_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:netlink_route_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:netlink_scsitransport_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:netlink_selinux_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:netlink_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:netlink_tcpdiag_socket { accept append getattr getopt ioctl lock read setopt shutdown write 
}; allow container_domain userdomain:netlink_xfrm_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:netrom_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:nfc_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:packet_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:phonet_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:pppox_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:qipcrtr_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:rawip_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:rds_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:rose_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:rxrpc_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:sctp_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:smc_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:tcp_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:tipc_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:tun_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:udp_socket { accept append getattr getopt ioctl lock read 
setopt shutdown write }; allow container_domain userdomain:unix_dgram_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:unix_stream_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:vsock_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:x25_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain userdomain:xdp_socket { accept append getattr getopt ioctl lock read setopt shutdown write }; allow container_domain zero_device_t:chr_file execute; allow container_net_domain node_t:rawip_socket node_bind; allow container_net_domain node_t:tcp_socket node_bind; allow container_net_domain node_t:udp_socket node_bind; allow container_net_domain port_type:sctp_socket { name_bind name_connect }; allow container_net_domain port_type:tcp_socket { name_bind name_connect recv_msg send_msg }; allow container_net_domain port_type:udp_socket { name_bind recv_msg send_msg }; allow container_t container_file_t:blk_file { map relabelfrom relabelto }; allow container_t container_file_t:chr_file { execute map relabelfrom relabelto watch watch_reads }; allow container_t container_file_t:dir map; allow container_t container_file_t:fifo_file { map relabelfrom relabelto }; allow container_t container_file_t:filesystem { mount unmount }; allow container_t container_file_t:lnk_file { map relabelfrom relabelto }; allow container_t container_file_t:sock_file { map relabelfrom relabelto }; allow container_t container_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:appletalk_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:association sendto; allow container_t 
container_t:atmpvc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:atmsvc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:ax25_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:bluetooth_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:caif_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:can_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:cap2_userns { audit_read block_suspend bpf checkpoint_restore perfmon syslog wake_alarm }; [ virt_sandbox_use_all_caps ]:True allow container_t container_t:cap_userns { audit_control fsetid ipc_lock ipc_owner lease linux_immutable net_broadcast sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; [ virt_sandbox_use_all_caps ]:True allow container_t container_t:cap_userns { audit_write chown dac_override dac_read_search fowner kill mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_chroot }; allow container_t container_t:capability sys_admin; [ virt_sandbox_use_sys_admin ]:True allow container_t container_t:capability { audit_control dac_override fsetid ipc_lock ipc_owner lease linux_immutable net_broadcast sys_admin sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; [ virt_sandbox_use_all_caps ]:True allow container_t container_t:capability { audit_write chown dac_read_search fowner kill mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot }; allow 
container_t container_t:capability2 { audit_read block_suspend bpf checkpoint_restore epolwakeup perfmon syslog wake_alarm }; [ virt_sandbox_use_all_caps ]:True allow container_t container_t:dccp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:decnet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:dir { getattr ioctl lock open read search watch }; allow container_t container_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; allow container_t container_t:file { append getattr ioctl lock open read write }; allow container_t container_t:filesystem associate; allow container_t container_t:icmp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:ieee802154_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:ipx_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:irda_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:isdn_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:iucv_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:kcm_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:key { create read setattr view write }; allow container_t container_t:llc_socket { accept append bind connect create getattr getopt 
ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:lnk_file { getattr ioctl lock open read setattr }; allow container_t container_t:mctp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:msg { receive send }; allow container_t container_t:msgq { associate create destroy enqueue getattr read setattr unix_read unix_write write }; allow container_t container_t:netlink_audit_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:netlink_audit_socket { nlmsg_read nlmsg_relay nlmsg_tty_audit }; [ virt_sandbox_use_audit ]:True allow container_t container_t:netlink_connector_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:netlink_crypto_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:netlink_dnrt_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:netlink_fib_lookup_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:netlink_firewall_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:netlink_generic_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:netlink_ip6fw_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:netlink_iscsi_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow 
container_t container_t:netlink_kobject_uevent_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:netlink_netfilter_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:netlink_nflog_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:netlink_rdma_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:netlink_route_socket { accept append bind connect create getattr getopt ioctl lock map nlmsg_read nlmsg_write read setattr setopt shutdown write }; allow container_t container_t:netlink_scsitransport_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:netlink_selinux_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:netlink_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:netlink_tcpdiag_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:netlink_tcpdiag_socket { nlmsg_read nlmsg_write }; [ virt_sandbox_use_netlink ]:True allow container_t container_t:netlink_xfrm_socket { accept append bind connect create getattr getopt ioctl lock map nlmsg_read nlmsg_write read setattr setopt shutdown write }; allow container_t container_t:netrom_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:nfc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt 
shutdown write }; allow container_t container_t:packet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:passwd rootok; allow container_t container_t:peer recv; allow container_t container_t:phonet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:pppox_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:process ptrace; [ deny_ptrace ]:False allow container_t container_t:process ptrace; [ deny_ptrace ]:False allow container_t container_t:process { execmem execstack fork getattr getcap getpgid getrlimit getsched getsession setcap setexec setfscreate setpgid setrlimit setsched sigchld sigkill signal signull sigstop }; allow container_t container_t:qipcrtr_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:rawip_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write }; allow container_t container_t:rds_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:rose_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:rxrpc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:sctp_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write }; allow container_t container_t:sem { associate create destroy getattr read setattr unix_read unix_write write }; allow container_t container_t:shm { associate create destroy getattr lock read setattr unix_read 
unix_write write }; allow container_t container_t:smc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write }; allow container_t container_t:tcp_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write }; allow container_t container_t:tipc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:tun_socket { accept append attach_queue bind connect create getattr getopt ioctl lock map read relabelfrom relabelto setattr setopt shutdown write }; allow container_t container_t:udp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:unix_dgram_socket { accept append bind connect create getattr getopt ioctl lock map read sendto setattr setopt shutdown write }; allow container_t container_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock map read sendto setattr setopt shutdown write }; allow container_t container_t:user_namespace create; allow container_t container_t:vsock_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:x25_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t container_t:xdp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write }; allow container_t proc_t:filesystem remount; allow container_t proc_type:file { ioctl lock open read }; allow container_t sysfs_t:dir mounton; allow container_t xserver_misc_device_t:chr_file getattr; [ container_use_xserver_devices ]:True allow 
container_t xserver_misc_device_t:chr_file map; [ container_use_xserver_devices ]:True allow container_t xserver_misc_device_t:chr_file { append getattr ioctl lock open read write }; [ container_use_xserver_devices ]:True allow corenet_unconfined_type netif_type:netif { dccp_recv dccp_send egress ingress rawip_recv rawip_send tcp_recv tcp_send udp_recv udp_send }; allow corenet_unconfined_type node_type:dccp_socket node_bind; allow corenet_unconfined_type node_type:icmp_socket node_bind; allow corenet_unconfined_type node_type:node { dccp_recv dccp_send enforce_dest rawip_recv rawip_send recvfrom sendto tcp_recv tcp_send udp_recv udp_send }; allow corenet_unconfined_type node_type:rawip_socket node_bind; allow corenet_unconfined_type node_type:sctp_socket node_bind; allow corenet_unconfined_type node_type:tcp_socket node_bind; allow corenet_unconfined_type node_type:udp_socket node_bind; allow corenet_unconfined_type packet_type:packet { flow_in flow_out forward_in forward_out recv relabelto send }; allow corenet_unconfined_type port_type:dccp_socket { name_bind name_connect recv_msg send_msg }; allow corenet_unconfined_type port_type:rawip_socket name_bind; allow corenet_unconfined_type port_type:sctp_socket { name_bind name_connect recv_msg send_msg }; allow corenet_unconfined_type port_type:tcp_socket { name_bind name_connect recv_msg send_msg }; allow corenet_unconfined_type port_type:udp_socket { name_bind recv_msg send_msg }; allow corenet_unconfined_type unlabeled_t:infiniband_endport manage_subnet; allow corenet_unconfined_type unlabeled_t:infiniband_pkey access; allow corenet_unlabeled_type unlabeled_t:association { recvfrom sendto }; allow corenet_unlabeled_type unlabeled_t:dccp_socket recvfrom; allow corenet_unlabeled_type unlabeled_t:peer recv; allow corenet_unlabeled_type unlabeled_t:rawip_socket recvfrom; allow corenet_unlabeled_type unlabeled_t:tcp_socket recvfrom; allow corenet_unlabeled_type unlabeled_t:udp_socket recvfrom; allow domain 
abrt_dump_oops_t:process sigchld; [ deny_ptrace ]:False allow domain abrt_helper_exec_t:file { execute getattr ioctl map open read }; allow domain abrt_helper_t:process transition; allow domain abrt_t:dir { getattr ioctl lock open read search }; allow domain abrt_t:fifo_file { append getattr ioctl lock read write }; allow domain abrt_t:file { getattr ioctl lock open read }; allow domain abrt_t:lnk_file { getattr read }; allow domain abrt_t:process { getattr signull }; allow domain abrt_var_run_t:dir { getattr open search }; allow domain abrt_var_run_t:file { getattr ioctl lock open read }; allow domain admin_home_t:dir { getattr open search }; allow domain admin_home_t:lnk_file { getattr read }; allow domain afs_cache_t:file { read write }; allow domain afs_t:udp_socket { read write }; allow domain automount_t:fd use; allow domain automount_t:fifo_file write; allow domain base_file_type:dir { getattr open search }; allow domain base_ro_file_type:dir { ioctl lock read }; allow domain base_ro_file_type:file { getattr ioctl lock open read }; allow domain base_ro_file_type:lnk_file { getattr read }; allow domain cpu_online_t:dir { getattr open search }; allow domain cpu_online_t:file { getattr ioctl lock open read }; allow domain crond_t:fifo_file { append getattr ioctl lock read write }; allow domain crypt_device_t:chr_file { append getattr ioctl lock open read write }; allow domain device_t:dir { ioctl lock read }; allow domain device_t:lnk_file { getattr read }; allow domain devicekit_power_t:dbus send_msg; allow domain devtty_t:chr_file { append getattr ioctl lock open read write }; allow domain domain:fd use; [ domain_fd_use ]:True allow domain domain:key { link search }; allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True allow domain file_type:file map; [ domain_can_mmap_files ]:True allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True allow domain 
fonts_cache_t:dir { getattr ioctl lock open read search }; allow domain fonts_cache_t:file { getattr ioctl lock map open read }; allow domain fonts_cache_t:lnk_file { getattr read }; allow domain fonts_t:dir { getattr ioctl lock open read search }; allow domain fonts_t:file { getattr ioctl lock map open read }; allow domain fonts_t:lnk_file { getattr read }; allow domain ica_tmpfs_t:file { create getattr open }; allow domain init_t:process { sigchld signull }; allow domain initrc_tmp_t:file { open write }; allow domain install_t:fd use; allow domain install_t:process sigchld; [ deny_ptrace ]:False allow domain ipsec_spd_t:association polmatch; allow domain kernel_t:system module_request; [ domain_kernel_load_modules ]:True allow domain kmsg_device_t:chr_file { append getattr ioctl lock open write }; [ domain_can_write_kmsg ]:True allow domain ld_so_cache_t:file { getattr ioctl lock map open read }; allow domain ld_so_t:file { execute getattr ioctl map open read }; allow domain ld_so_t:lnk_file { getattr read }; allow domain lib_t:file { execute map }; allow domain livecd_t:process sigchld; [ deny_ptrace ]:False allow domain locale_t:dir { getattr ioctl lock open read search }; allow domain locale_t:file { getattr ioctl lock map open read }; allow domain locale_t:lnk_file { getattr read }; allow domain machineid_t:file { getattr ioctl lock open read }; allow domain man_cache_t:dir { getattr ioctl lock open read search }; allow domain man_cache_t:file { getattr ioctl lock open read }; allow domain man_cache_t:lnk_file { getattr read }; allow domain man_t:dir { getattr ioctl lock open read search }; allow domain man_t:file { getattr ioctl lock open read }; allow domain man_t:lnk_file { getattr read }; allow domain mandb_cache_t:dir { getattr open search }; allow domain mandb_cache_t:file { getattr ioctl lock open read }; allow domain mnt_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; allow 
domain mnt_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; allow domain mnt_t:lnk_file { getattr read }; allow domain netlabel_peer_t:peer recv; allow domain netlabel_peer_t:tcp_socket recvfrom; allow domain null_device_t:chr_file { append getattr ioctl lock open read write }; allow domain pkcs11_modules_conf_t:dir { getattr ioctl lock open read search }; allow domain pkcs11_modules_conf_t:file { getattr ioctl lock map open read }; allow domain prelink_exec_t:file { execute execute_no_trans getattr ioctl lock map open read }; [ fips_mode ]:True allow domain proc_t:dir { getattr open search }; allow domain proc_t:filesystem getattr; allow domain proc_t:lnk_file { getattr read }; allow domain puppet_tmp_t:file write; allow domain rkhunter_var_lib_t:dir { getattr open search }; allow domain rkhunter_var_lib_t:file { append getattr ioctl lock open }; allow domain root_t:dir { ioctl lock read }; allow domain root_t:lnk_file { getattr ioctl lock read }; allow domain rpm_log_t:dir { getattr open search }; allow domain rpm_script_tmp_t:dir { getattr open search }; allow domain rpm_script_tmp_t:fifo_file { append getattr ioctl lock read write }; allow domain rpm_script_tmp_t:file open; allow domain rpm_script_tmp_t:lnk_file { getattr read }; allow domain rpm_t:fd use; allow domain rpm_t:fifo_file { getattr ioctl lock open read }; allow domain security_t:dir { getattr open search }; allow domain security_t:filesystem getattr; allow domain security_t:lnk_file { getattr read }; allow domain selinux_config_t:dir { getattr open search }; allow domain setrans_t:context translate; allow domain setrans_t:unix_stream_socket connectto; allow domain setrans_var_run_t:dir { getattr open search }; allow domain setrans_var_run_t:sock_file { append getattr open write }; allow domain sosreport_tmp_t:dir { getattr open search }; allow domain sosreport_tmp_t:file open; allow domain spc_t:process sigchld; allow domain 
spc_t:unix_stream_socket connectto; allow domain sshd_t:fifo_file { append getattr ioctl lock read write }; allow domain sysadm_t:process sigchld; [ deny_ptrace ]:False allow domain sysctl_crypto_t:dir { getattr ioctl lock open read search }; allow domain sysctl_crypto_t:file { getattr ioctl lock open read }; allow domain sysctl_kernel_t:dir { getattr ioctl lock open read search }; [ fips_mode ]:True allow domain sysctl_kernel_t:dir { getattr open search }; [ fips_mode ]:True allow domain sysctl_kernel_t:file { getattr ioctl lock open read }; [ fips_mode ]:True allow domain sysctl_t:dir { getattr open search }; allow domain sysctl_vm_overcommit_t:dir { getattr open search }; allow domain sysctl_vm_overcommit_t:file { getattr ioctl lock open read }; allow domain sysctl_vm_t:dir { getattr open search }; allow domain sysfs_t:dir { getattr open search }; allow domain sysfs_t:filesystem getattr; allow domain system_cronjob_t:fifo_file { append getattr ioctl lock read write }; allow domain systemd_nsresourced_runtime_t:sock_file { append getattr open write }; allow domain systemd_nsresourced_t:unix_stream_socket connectto; allow domain systemd_resolved_t:dbus send_msg; allow domain systemd_resolved_t:unix_stream_socket connectto; allow domain systemd_resolved_var_run_t:dir { getattr open search }; allow domain systemd_resolved_var_run_t:sock_file { append getattr open write }; allow domain textrel_shlib_t:file { execmod execute map }; allow domain tmp_t:file { open write }; allow domain tmp_t:lnk_file { getattr read }; allow domain tmpfile:file { append getattr ioctl lock read }; allow domain tmpfs_t:dir { add_name getattr ioctl lock open read remove_name search write }; allow domain unconfined_domain_type:association recvfrom; allow domain unconfined_domain_type:peer recv; allow domain unconfined_domain_type:tcp_socket recvfrom; allow domain unconfined_t:fd use; allow domain unconfined_t:process sigchld; allow domain unlabeled_t:packet { recv send }; allow domain 
urandom_device_t:chr_file { getattr ioctl lock open read }; allow domain usermodehelper_t:dir { getattr ioctl lock open read search }; allow domain usermodehelper_t:file { getattr ioctl lock open read }; allow domain usermodehelper_t:lnk_file { getattr read }; allow domain usr_t:file map; allow domain var_log_t:dir { getattr open search }; allow domain var_run_t:dir { ioctl lock read }; allow domain var_run_t:lnk_file { getattr read }; allow domain var_t:lnk_file { getattr read }; allow domain vmtools_unconfined_t:dbus send_msg; allow domain zero_device_t:chr_file { append getattr ioctl lock map open read write }; allow kernel_system_state_reader proc_t:dir { ioctl lock read }; allow kernel_system_state_reader proc_t:file { getattr ioctl lock open read }; allow sandbox_net_domain node_t:rawip_socket node_bind; allow sandbox_net_domain node_t:tcp_socket node_bind; allow sandbox_net_domain node_t:udp_socket node_bind; allow sandbox_net_domain port_type:tcp_socket { name_bind name_connect recv_msg send_msg }; allow sandbox_net_domain port_type:udp_socket { name_bind recv_msg send_msg }; allow sandbox_net_domain proc_net_t:dir { getattr ioctl lock open read search }; allow sandbox_net_domain proc_net_t:file { getattr ioctl lock open read }; allow sandbox_net_domain proc_net_t:lnk_file { getattr read }; allow sandbox_net_domain sssd_t:unix_stream_socket connectto; allow sandbox_net_domain sssd_var_lib_t:dir { getattr open search }; allow sandbox_net_domain sssd_var_lib_t:sock_file { append getattr open write }; allow sandbox_net_domain svirt_home_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; allow sandbox_net_domain svirt_home_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink write }; allow sandbox_net_domain svirt_home_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; allow 
sandbox_net_domain svirt_home_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; allow sandbox_net_domain svirt_home_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; allow sandbox_net_domain systemd_logind_t:dbus send_msg; allow sandbox_net_domain systemd_logind_t:fd use; allow sandbox_net_domain virt_home_t:dir { add_name getattr ioctl lock open read remove_name search write }; allow svirt_sandbox_domain cifs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ virt_use_samba ]:True allow svirt_sandbox_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True allow svirt_sandbox_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True allow svirt_sandbox_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True allow svirt_sandbox_domain cifs_t:dir { ioctl lock read }; [ virt_use_samba ]:True allow svirt_sandbox_domain cifs_t:file { append create link rename setattr unlink watch watch_reads write }; [ virt_use_samba ]:True allow svirt_sandbox_domain cifs_t:lnk_file { append create ioctl link lock rename setattr unlink watch watch_reads write }; [ virt_use_samba ]:True allow svirt_sandbox_domain cifs_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; [ virt_use_samba ]:True allow svirt_sandbox_domain container_devpts_t:chr_file { append getattr ioctl lock open read write }; allow svirt_sandbox_domain container_file_t:blk_file { append create getattr ioctl link lock open read rename setattr unlink write }; allow svirt_sandbox_domain container_file_t:chr_file { append create getattr ioctl link lock open read rename setattr unlink write }; allow svirt_sandbox_domain container_file_t:dir { add_name create execmod ioctl link lock read relabelfrom relabelto remove_name 
rename reparent rmdir setattr unlink watch watch_reads write }; allow svirt_sandbox_domain container_file_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink write }; allow svirt_sandbox_domain container_file_t:file { append create execmod execute execute_no_trans getattr ioctl link lock map open read relabelfrom relabelto rename setattr unlink watch watch_reads write }; allow svirt_sandbox_domain container_file_t:filesystem remount; allow svirt_sandbox_domain container_file_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; allow svirt_sandbox_domain container_file_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; allow svirt_sandbox_domain container_ro_file_t:dir { ioctl lock read }; allow svirt_sandbox_domain container_ro_file_t:file { execmod execute execute_no_trans getattr ioctl lock map open read }; allow svirt_sandbox_domain container_ro_file_t:lnk_file { getattr read }; allow svirt_sandbox_domain container_runtime_domain:dir { getattr ioctl lock open read search }; allow svirt_sandbox_domain container_runtime_domain:file { getattr ioctl lock open read }; allow svirt_sandbox_domain container_runtime_domain:lnk_file { getattr read }; allow svirt_sandbox_domain container_runtime_domain:process getattr; allow svirt_sandbox_domain container_var_lib_t:dir { add_name ioctl lock read remove_name write }; allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }; allow svirt_sandbox_domain exec_type:lnk_file { getattr read }; allow svirt_sandbox_domain file_type:dir { getattr open search }; allow svirt_sandbox_domain file_type:filesystem getattr; allow svirt_sandbox_domain filesystem_type:filesystem getattr; allow svirt_sandbox_domain fs_t:dir { getattr open search }; allow svirt_sandbox_domain fs_t:file { append getattr ioctl lock open read write }; allow svirt_sandbox_domain 
fs_t:lnk_file { getattr ioctl lock read write }; allow svirt_sandbox_domain fusefs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ virt_sandbox_use_fusefs ]:True allow svirt_sandbox_domain fusefs_t:dir { add_name ioctl lock read remove_name write }; [ virt_sandbox_use_fusefs ]:True allow svirt_sandbox_domain fusefs_t:dir { add_name ioctl lock read remove_name write }; [ virt_sandbox_use_fusefs ]:True allow svirt_sandbox_domain fusefs_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ virt_sandbox_use_fusefs ]:True allow svirt_sandbox_domain fusefs_t:file { execute execute_no_trans getattr ioctl map open read }; [ virt_sandbox_use_fusefs ]:True allow svirt_sandbox_domain fusefs_t:filesystem mount; [ virt_sandbox_use_fusefs ]:True allow svirt_sandbox_domain fusefs_t:filesystem unmount; [ virt_sandbox_use_fusefs ]:True allow svirt_sandbox_domain fusefs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ virt_sandbox_use_fusefs ]:True allow svirt_sandbox_domain httpd_modules_t:dir { ioctl lock read }; [ virt_sandbox_share_apache_content ]:True allow svirt_sandbox_domain httpd_modules_t:file { execute execute_no_trans getattr ioctl lock map open read }; [ virt_sandbox_share_apache_content ]:True allow svirt_sandbox_domain httpd_modules_t:lnk_file { getattr read }; [ virt_sandbox_share_apache_content ]:True allow svirt_sandbox_domain httpd_sys_content_t:dir { ioctl lock read }; [ virt_sandbox_share_apache_content ]:True allow svirt_sandbox_domain hugetlbfs_t:file { append getattr ioctl lock map open read write }; allow svirt_sandbox_domain hwdata_t:dir { ioctl lock read }; allow svirt_sandbox_domain hwdata_t:file { getattr ioctl lock open read }; allow svirt_sandbox_domain hwdata_t:lnk_file { getattr read }; allow svirt_sandbox_domain init_t:fd use; allow svirt_sandbox_domain initrc_t:fd 
use; allow svirt_sandbox_domain initrc_t:process sigchld; allow svirt_sandbox_domain mountpoint:file entrypoint; allow svirt_sandbox_domain nfs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True allow svirt_sandbox_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True allow svirt_sandbox_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True allow svirt_sandbox_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True allow svirt_sandbox_domain nfs_t:dir { ioctl lock read }; [ virt_use_nfs ]:True allow svirt_sandbox_domain nfs_t:file { append create link rename setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True allow svirt_sandbox_domain nfs_t:filesystem mount; [ virt_use_nfs ]:True allow svirt_sandbox_domain nfs_t:filesystem unmount; [ virt_use_nfs ]:True allow svirt_sandbox_domain nfs_t:lnk_file { append create ioctl link lock rename setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True allow svirt_sandbox_domain nfs_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; [ virt_use_nfs ]:True allow svirt_sandbox_domain onload_fs_t:fifo_file { append getattr ioctl lock open read write }; allow svirt_sandbox_domain onload_fs_t:file { append getattr ioctl lock open read write }; allow svirt_sandbox_domain onload_fs_t:sock_file { append getattr ioctl open read write }; allow svirt_sandbox_domain proc_type:dir { getattr ioctl lock open read search }; allow svirt_sandbox_domain proc_type:file getattr; allow svirt_sandbox_domain spc_t:fd use; allow svirt_sandbox_domain sshd_devpts_t:chr_file { append getattr ioctl lock read write }; allow svirt_sandbox_domain sshd_t:dir { getattr ioctl lock open read search }; allow svirt_sandbox_domain sshd_t:fd use; allow svirt_sandbox_domain sshd_t:file { getattr ioctl lock open read }; 
allow svirt_sandbox_domain sshd_t:lnk_file { getattr read }; allow svirt_sandbox_domain sshd_t:process { getattr sigchld }; allow svirt_sandbox_domain svirt_file_type:blk_file mounton; allow svirt_sandbox_domain svirt_file_type:chr_file mounton; allow svirt_sandbox_domain svirt_file_type:dir mounton; allow svirt_sandbox_domain svirt_file_type:fifo_file mounton; allow svirt_sandbox_domain svirt_file_type:file mounton; allow svirt_sandbox_domain svirt_file_type:lnk_file mounton; allow svirt_sandbox_domain svirt_file_type:sock_file mounton; allow svirt_sandbox_domain sysadm_t:fd use; allow svirt_sandbox_domain sysadm_t:process sigchld; allow svirt_sandbox_domain sysctl_fs_t:file { append write }; [ virt_use_nfs ]:True allow svirt_sandbox_domain sysctl_net_t:file { append write }; allow svirt_sandbox_domain sysctl_net_t:lnk_file { getattr read }; allow svirt_sandbox_domain sysctl_net_unix_t:file { append write }; allow svirt_sandbox_domain sysctl_type:dir { getattr ioctl lock open read search }; allow svirt_sandbox_domain sysctl_type:file { getattr ioctl lock open read }; allow svirt_sandbox_domain systemd_machined_t:dir { getattr ioctl lock open read search }; allow svirt_sandbox_domain systemd_machined_t:file { getattr ioctl lock open read }; allow svirt_sandbox_domain systemd_machined_t:lnk_file { getattr read }; allow svirt_sandbox_domain systemd_machined_t:process getattr; allow svirt_sandbox_domain tmpfs_t:file { append getattr ioctl lock read write }; allow svirt_sandbox_domain tmpfs_t:lnk_file { getattr read }; allow svirt_sandbox_domain udev_var_run_t:dir { ioctl lock read }; allow svirt_sandbox_domain udev_var_run_t:file { getattr ioctl lock open read }; allow svirt_sandbox_domain udev_var_run_t:lnk_file { getattr read }; allow svirt_sandbox_domain user_devpts_t:chr_file { append getattr ioctl lock read write }; allow svirt_sandbox_domain user_tty_device_t:chr_file { append getattr ioctl lock read write }; allow svirt_sandbox_domain var_lock_t:lnk_file { 
getattr read }; allow svirt_sandbox_domain virsh_t:fd use; allow svirt_sandbox_domain virsh_t:process sigchld; allow svirt_sandbox_domain virtd_lxc_t:fd use; allow svirt_sandbox_domain virtd_lxc_t:process sigchld; allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { append bind connect connectto getattr getopt ioctl lock read setattr setopt shutdown write }; allow syslog_client_type console_device_t:chr_file { append getattr ioctl lock open write }; allow syslog_client_type devlog_t:lnk_file { getattr read }; allow syslog_client_type devlog_t:sock_file { append getattr open write }; allow syslog_client_type kernel_t:unix_dgram_socket sendto; allow syslog_client_type kernel_t:unix_stream_socket { connectto getattr }; allow syslog_client_type syslogd_t:unix_dgram_socket sendto; allow syslog_client_type syslogd_t:unix_stream_socket connectto; allow syslog_client_type syslogd_var_run_t:dir { getattr open search }; allow syslog_client_type syslogd_var_run_t:sock_file { append getattr open write };