* Re: [PATCH] checkpolicy: Allow attribute assignment to attributes
2025-06-23 18:21 ` James Carter
@ 2025-06-23 19:24 ` Vit Mojzis
2025-07-16 14:16 ` [PATCH] secilc: Add test for " Vit Mojzis
0 siblings, 1 reply; 8+ messages in thread
From: Vit Mojzis @ 2025-06-23 19:24 UTC (permalink / raw)
To: selinux
[-- Attachment #1: Type: text/plain, Size: 6571 bytes --]
On 6/23/25 8:21 PM, James Carter wrote:
> On Mon, Jun 23, 2025 at 2:06 PM James Carter <jwcart2@gmail.com> wrote:
>>
>> On Mon, Jun 23, 2025 at 7:34 AM Vit Mojzis <vmojzis@redhat.com> wrote:
>>>
>>>
>>>
>>> On 6/23/25 12:56 PM, Christian Göttsche wrote:
>>>> Jun 23, 2025 12:27:47 Vit Mojzis <vmojzis@redhat.com>:
>>>>
>>>>> Allow "typeattribute <attribute> <attribute>" to pass checkpolicy,
>>>>> since (typeattributeset <attribute> <attribute>) is valid in CIL.
>>>>>
>>>>> Fixes:
>>>>> $ cat myattributetest.te
>>>>> policy_module(attributetest, 1.0.0)
>>>>>
>>>>> gen_require(`
>>>>> attribute domain;
>>>>> ')
>>>>>
>>>>> attribute myattribute;
>>>>>
>>>>> typeattribute myattribute domain;
>>>>>
>>>>> $ make -f /usr/share/selinux/devel/Makefile attributetest.pp 2 ↵
>>>>> Compiling targeted attributetest module
>>>>> attributetest.te:9:ERROR 'unknown type myattribute' at token ';' on line 3418:
>>>>> typeattribute myattribute domain;
>>>>>
>>>>> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
>>>>> ---
>>>>> After some simple tests with CIL policies, it seems that attribute
>>>>> assignment works as expected. Is there a reason checkpolicy does not
>>>>> recognise it?
>>>> Did you test that all types associated with myattribute are the also associated with domain?
>>>>
>>> Yes, also please see the more complex example below (mytype_t is part of
>>> "a", "b" and "c" after being assigned to "c").
>>> As for the "domain" example:
>>>
>>> $ cat typeattribute.te
>>> policy_module(attributetest, 1.0.0)
>>>
>>> gen_require(`
>>> attribute domain;
>>> ')
>>>
>>> attribute myattribute;
>>>
>>> typeattribute myattribute domain;
>>>
>>> type mytype_t;
>>>
>>> typeattribute mytype_t myattribute;
>>>
>>> $ make -f /usr/share/selinux/devel/Makefile attributetest.pp
>>> Compiling targeted attributetest module
>>> Creating targeted attributetest.pp policy package
>>> rm tmp/attributetest.mod.fc tmp/attributetest.mod
>>>
>>> $ /usr/libexec/selinux/hll/pp < attributetest.pp > attributetest.cil
>>> $ cat attributetest.cil
>>> (typeattribute myattribute)
>>> (typeattributeset myattribute (mytype_t ))
>>> (type mytype_t)
>>> (roletype object_r mytype_t)
>>> (roleattributeset cil_gen_require system_r)
>>> (typeattributeset cil_gen_require domain)
>>> (typeattributeset domain (myattribute ))
>>>
>>> $ semodule -i attributetest.pp
>>> $ seinfo -xa domain | grep mytype
>>> mytype_t
>>>
>>> I also tested the functionality on a combination of multiple attributes
>>> from container module and all seems to work fine (at least as long as we
>>> can trust "seinfo" and "sesearch"). CIL is not even complaining about a
>>> mixed assignements that result in some interface calls on attributes
>>> (e.g. kernel_read_all_proc(container_t_domain) -> (typeattributeset
>>> can_dump_kernel (container_runtime_t container_t container_t_domain
>>> container_userns_t container_logreader_t container_logwriter_t
>>> container_kvm_t container_init_t container_engine_t container_device_t
>>> container_device_plugin_t container_device_plugin_init_t ))). In
>>> combination with "typeattribute mycontainer_t container_t_domain;" this
>>> also works as expected:
>>> $ seinfo -xa can_dump_kernel | grep mycontainer_t
>>> mycontainer_t
>>>
>>> It is by no means a complete test. I was hoping someone here would be
>>> more familiar with attribute assignment and would let me know why it's
>>> not allowed or that it is just an oversight.
>>>
>>
>> I don't think the kernel supports attributes being assigned to attributes.
>> For CIL to support typeattributesets, it expands all attributes when
>> it evaluates the set.
>>
>> I think what is happening is that binary format unintentionally
>> handles attributes being assigned to attributes (even though that was
>> never intended) and since CIL is creating the final binary policy for
>> the kernel all the attributes in an attribute get expanded.
>> It might actually be possible to start allowing this, but I would want
>> to test more to make sure.
>
> I just realized that the fatal flaw in this is that the kernel binary
> policy produced by checkpolicy will not work (if I am correct that the
> kernel will not properly handle attributes having attributes and even
> if it does there could be severe performance issues).
> Jim
>
Thank you for the analysis. Does that mean that I need to test that the
access is actually allowed? Is there some simple way to measure
performance (or are there other side effects I can watch for instead)?
I just tried replacing all the rules assigned to container_t with
container_t_doman attribute
https://github.com/vmojzis/container-selinux/commit/3645ca555ed5b5aacbd64e300522cfc6e2fbc493
and a comparison of sesearch outputs matched between original
container_t and mycontainer_t that was assigned to the new attribute
(outputs attached). So even complex policy constructs seem to at least
transfer to CIL properly.
Thank you.
Vit
>
>>
>> This is definitely an interesting finding!
>>
>> Thanks,
>> Jim
>>
>>> Vit
>>>
>>>>> $ cat a.cil
>>>>> (typeattribute a)
>>>>> (typeattribute b)
>>>>> (typeattribute c)
>>>>> (type mytype_t)
>>>>> (typeattributeset a b)
>>>>> (typeattributeset b c)
>>>>> (typeattributeset c mytype_t)
>>>>> (allow a user_home_t (dir (getattr open search)))
>>>>> (allow b tmp_t (dir (getattr open search)))
>>>>> (allow c etc_t (dir (getattr open search)))
>>>>>
>>>>> $semodule -i a.cil
>>>>>
>>>>> $sesearch -A -s mytype_t
>>>>> allow a user_home_t:dir { getattr open search };
>>>>> allow b tmp_t:dir { getattr open search };
>>>>> allow c etc_t:dir { getattr open search };
>>>>>
>>>>> $seinfo -xa a
>>>>>
>>>>> Type Attributes: 1
>>>>> attribute a;
>>>>> mytype_t
>>>>>
>>>>>
>>>>> checkpolicy/policy_define.c | 2 +-
>>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
>>>>> index 4e0ddcc6..be788e8e 100644
>>>>> --- a/checkpolicy/policy_define.c
>>>>> +++ b/checkpolicy/policy_define.c
>>>>> @@ -1440,7 +1440,7 @@ int define_typeattribute(void)
>>>>> return -1;
>>>>> }
>>>>> t = hashtab_search(policydbp->p_types.table, id);
>>>>> - if (!t || t->flavor == TYPE_ATTRIB) {
>>>>> + if (!t) {
>>>>> yyerror2("unknown type %s", id);
>>>>> free(id);
>>>>> return -1;
>>>>> --
>>>>> 2.49.0
>>>
>>>
[-- Attachment #2: container.rules --]
[-- Type: text/plain, Size: 72762 bytes --]
$ sesearch -A -s container_t
allow container_domain bpf_t:dir { add_name ioctl lock read remove_name write };
allow container_domain bpf_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow container_domain cert_type:dir { ioctl lock read }; [ container_read_certs ]:True
allow container_domain cert_type:file { getattr ioctl lock open read }; [ container_read_certs ]:True
allow container_domain cert_type:lnk_file { getattr read }; [ container_read_certs ]:True
allow container_domain cgroup_t:dir { create link rename reparent rmdir setattr unlink watch watch_reads }; [ container_manage_cgroup ]:True
allow container_domain cgroup_t:dir { ioctl lock mounton read };
allow container_domain cgroup_t:filesystem unmount;
allow container_domain cgroup_type:dir { add_name ioctl lock read remove_name write }; [ container_manage_cgroup ]:True
allow container_domain cgroup_type:dir { add_name ioctl lock read remove_name write }; [ container_manage_cgroup ]:True
allow container_domain cgroup_type:file { append create link rename setattr unlink watch watch_reads write }; [ container_manage_cgroup ]:True
allow container_domain cgroup_type:file { getattr ioctl lock open read };
allow container_domain cgroup_type:lnk_file { append create ioctl link lock rename setattr unlink watch watch_reads write }; [ container_manage_cgroup ]:True
allow container_domain cgroup_type:lnk_file { getattr read };
allow container_domain cifs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ virt_use_samba ]:True
allow container_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True
allow container_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True
allow container_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True
allow container_domain cifs_t:dir { ioctl lock read }; [ virt_use_samba ]:True
allow container_domain cifs_t:file execmod; [ virt_use_samba ]:True
allow container_domain cifs_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ virt_use_samba ]:True
allow container_domain cifs_t:file { execute execute_no_trans getattr ioctl map open read }; [ virt_use_samba ]:True
allow container_domain cifs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ virt_use_samba ]:True
allow container_domain cifs_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; [ virt_use_samba ]:True
allow container_domain console_device_t:chr_file { append getattr ioctl lock read write };
allow container_domain container_devpts_t:chr_file open;
allow container_domain container_file_t:file entrypoint;
allow container_domain container_ro_file_t:dir { ioctl lock read };
allow container_domain container_ro_file_t:file { entrypoint execmod execute execute_no_trans getattr ioctl lock map open read };
allow container_domain container_ro_file_t:lnk_file { getattr read };
allow container_domain container_runtime_domain:alg_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:appletalk_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:atmpvc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:atmsvc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:ax25_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:bluetooth_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:caif_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:can_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:dccp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:decnet_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:fd use;
allow container_domain container_runtime_domain:icmp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:ieee802154_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:ipx_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:irda_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:isdn_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:iucv_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:kcm_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:llc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:mctp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_audit_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_connector_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_crypto_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_dnrt_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_fib_lookup_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_firewall_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_generic_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_ip6fw_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_iscsi_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_kobject_uevent_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_netfilter_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_nflog_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_rdma_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_route_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_scsitransport_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_selinux_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_tcpdiag_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_xfrm_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netrom_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:nfc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:packet_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:phonet_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:pppox_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:process sigchld;
allow container_domain container_runtime_domain:qipcrtr_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:rawip_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:rds_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:rose_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:rxrpc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:sctp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:smc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:tcp_socket { accept append getattr getopt ioctl lock map read recv_msg send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:tipc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:tun_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom relabelfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:udp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:unix_dgram_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:unix_stream_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:vsock_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:x25_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:xdp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_tmpfs_t:dir mounton;
allow container_domain container_runtime_tmpfs_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
allow container_domain container_var_lib_t:dir { add_name ioctl lock read remove_name write };
allow container_domain container_var_lib_t:file entrypoint;
allow container_domain device_node:blk_file { append getattr ioctl lock map open read write }; [ container_use_devices ]:True
allow container_domain device_node:chr_file { append getattr ioctl lock map open read write }; [ container_use_devices ]:True
allow container_domain devpts_t:chr_file { append getattr ioctl lock read write };
allow container_domain dri_device_t:chr_file map; [ container_use_dri_devices ]:True
allow container_domain dri_device_t:chr_file open; [ container_use_dri_devices ]:True
allow container_domain dri_device_t:chr_file { append getattr ioctl lock read write };
allow container_domain ecryptfs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:dir { add_name ioctl lock read remove_name write }; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:dir { add_name ioctl lock read remove_name write }; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:dir { add_name ioctl lock read remove_name write }; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:file execmod; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:file { execute execute_no_trans getattr ioctl map open read }; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ container_use_ecryptfs ]:True
allow container_domain file_type:dir { getattr open search };
allow container_domain file_type:filesystem getattr;
allow container_domain filesystem_type:filesystem getattr;
allow container_domain fs_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ container_use_cephfs ]:True
allow container_domain fs_t:dir { add_name getattr ioctl lock open read remove_name search write }; [ container_use_cephfs ]:True
allow container_domain fs_t:dir { add_name getattr ioctl lock open read remove_name search write }; [ container_use_cephfs ]:True
allow container_domain fs_t:dir { add_name getattr ioctl lock open read remove_name search write }; [ container_use_cephfs ]:True
allow container_domain fs_t:dir { getattr open search }; [ container_use_cephfs ]:True
allow container_domain fs_t:file execmod; [ container_use_cephfs ]:True
allow container_domain fs_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ container_use_cephfs ]:True
allow container_domain fs_t:file { execute execute_no_trans getattr ioctl map open read }; [ container_use_cephfs ]:True
allow container_domain fs_t:filesystem { mount remount unmount };
allow container_domain fs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ container_use_cephfs ]:True
allow container_domain fuse_device_t:chr_file { append getattr ioctl lock open read write };
allow container_domain fusefs_t:dir { add_name create ioctl link lock mounton read remove_name rename reparent rmdir setattr unlink watch watch_reads write };
allow container_domain fusefs_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow container_domain fusefs_t:file { append create entrypoint execmod execute execute_no_trans getattr ioctl link lock map mounton open read rename setattr unlink watch watch_reads write };
allow container_domain fusefs_t:filesystem { mount remount unmount };
allow container_domain fusefs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write };
allow container_domain fusefs_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow container_domain gssproxy_t:unix_stream_socket connectto;
allow container_domain gssproxy_var_lib_t:sock_file { append getattr open write };
allow container_domain gssproxy_var_run_t:sock_file { append getattr open write };
allow container_domain hugetlbfs_t:dir { add_name ioctl lock read remove_name write };
allow container_domain hugetlbfs_t:file { append create execute execute_no_trans getattr ioctl link lock map open read rename setattr unlink watch watch_reads write };
allow container_domain init_t:alg_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:appletalk_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:atmpvc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:atmsvc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:ax25_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:bluetooth_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:caif_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:can_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:dccp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:decnet_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:icmp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:ieee802154_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:ipx_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:irda_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:isdn_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:iucv_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:kcm_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:llc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:mctp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_audit_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_connector_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_crypto_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_dnrt_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_fib_lookup_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_firewall_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_generic_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_ip6fw_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_iscsi_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_kobject_uevent_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_netfilter_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_nflog_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_rdma_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_route_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_scsitransport_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_selinux_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_tcpdiag_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_xfrm_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netrom_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:nfc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:packet_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:phonet_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:pppox_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:qipcrtr_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:rawip_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:rds_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:rose_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:rxrpc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:sctp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:smc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:tcp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:tipc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:tun_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:udp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:unix_dgram_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:unix_stream_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:vsock_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:x25_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:xdp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain kernel_t:system ipc_info;
allow container_domain kvm_device_t:chr_file { append getattr ioctl lock open read write };
allow container_domain modules_object_t:dir { ioctl lock read };
allow container_domain modules_object_t:file { getattr ioctl lock open read };
allow container_domain modules_object_t:lnk_file { getattr read };
allow container_domain mtrr_device_t:chr_file { getattr ioctl lock open read };
allow container_domain mtrr_device_t:file { getattr ioctl lock open read };
allow container_domain net_conf_t:dir { ioctl lock read };
allow container_domain net_conf_t:file { getattr ioctl lock open read };
allow container_domain net_conf_t:lnk_file { getattr read };
allow container_domain nfs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True
allow container_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True
allow container_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True
allow container_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True
allow container_domain nfs_t:dir { ioctl lock read }; [ virt_use_nfs ]:True
allow container_domain nfs_t:file execmod; [ virt_use_nfs ]:True
allow container_domain nfs_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True
allow container_domain nfs_t:file { execute execute_no_trans getattr ioctl map open read }; [ virt_use_nfs ]:True
allow container_domain nfs_t:filesystem mount; [ virt_use_nfs ]:True
allow container_domain nfs_t:filesystem unmount; [ virt_use_nfs ]:True
allow container_domain nfs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True
allow container_domain nfs_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; [ virt_use_nfs ]:True
allow container_domain nsfs_t:file { getattr ioctl lock open read };
allow container_domain nsfs_t:filesystem unmount;
allow container_domain onload_fs_t:fifo_file { append getattr ioctl lock open read write };
allow container_domain onload_fs_t:file { append getattr ioctl lock open read write };
allow container_domain onload_fs_t:sock_file { append getattr ioctl open read write };
allow container_domain proc_net_t:file { ioctl lock open read };
allow container_domain proc_net_t:lnk_file { getattr read };
allow container_domain proc_type:dir { getattr ioctl lock mounton open read search };
allow container_domain proc_type:file { getattr mounton };
allow container_domain ptynode:chr_file { append getattr ioctl lock read write };
allow container_domain random_device_t:chr_file { append getattr ioctl lock open read write };
allow container_domain rpm_var_cache_t:dir { ioctl lock read };
allow container_domain rpm_var_cache_t:file { getattr ioctl lock open read };
allow container_domain rpm_var_cache_t:lnk_file { getattr read };
allow container_domain rpm_var_lib_t:dir { ioctl lock read };
allow container_domain rpm_var_lib_t:file { getattr ioctl lock map open read };
allow container_domain rpm_var_lib_t:lnk_file { getattr read };
allow container_domain spc_t:unix_stream_socket { read write };
allow container_domain sssd_t:unix_stream_socket connectto;
allow container_domain sssd_var_lib_t:sock_file { append getattr open write };
allow container_domain sysctl_kernel_ns_last_pid_t:file { append write };
allow container_domain sysctl_net_t:file { append write };
allow container_domain sysctl_net_t:lnk_file { getattr read };
allow container_domain sysctl_net_unix_t:file { append write };
allow container_domain sysctl_rpc_t:file { append write };
allow container_domain sysctl_type:dir { getattr ioctl lock open read search };
allow container_domain sysctl_type:file { getattr ioctl lock open read };
allow container_domain sysfs_t:dir { ioctl lock read watch };
allow container_domain sysfs_t:file { getattr ioctl lock open read };
allow container_domain sysfs_t:lnk_file { getattr read };
allow container_domain systemd_logind_t:dbus send_msg;
allow container_domain systemd_logind_t:fd use;
allow container_domain tmpfs_t:file { append getattr ioctl lock read write };
allow container_domain tmpfs_t:filesystem { mount unmount };
allow container_domain tmpfs_t:lnk_file { getattr read };
allow container_domain tty_device_t:chr_file { append getattr ioctl lock read write };
allow container_domain ttynode:chr_file { append getattr ioctl lock read write };
allow container_domain unconfined_domain_type:fifo_file { append getattr ioctl lock map open read write };
allow container_domain urandom_device_t:chr_file { append write };
allow container_domain user_devpts_t:chr_file open;
allow container_domain userdomain:alg_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:appletalk_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:atmpvc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:atmsvc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:ax25_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:bluetooth_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:caif_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:can_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:dccp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:decnet_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:fifo_file { append getattr ioctl lock read write };
allow container_domain userdomain:icmp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:ieee802154_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:ipx_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:irda_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:isdn_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:iucv_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:kcm_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:llc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:mctp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_audit_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_connector_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_crypto_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_dnrt_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_fib_lookup_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_firewall_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_generic_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_ip6fw_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_iscsi_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_kobject_uevent_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_netfilter_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_nflog_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_rdma_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_route_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_scsitransport_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_selinux_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_tcpdiag_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_xfrm_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netrom_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:nfc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:packet_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:phonet_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:pppox_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:qipcrtr_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:rawip_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:rds_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:rose_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:rxrpc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:sctp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:smc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:tcp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:tipc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:tun_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:udp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:unix_dgram_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:unix_stream_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:vsock_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:x25_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:xdp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain zero_device_t:chr_file execute;
allow container_net_domain node_t:rawip_socket node_bind;
allow container_net_domain node_t:tcp_socket node_bind;
allow container_net_domain node_t:udp_socket node_bind;
allow container_net_domain port_type:sctp_socket { name_bind name_connect };
allow container_net_domain port_type:tcp_socket { name_bind name_connect recv_msg send_msg };
allow container_net_domain port_type:udp_socket { name_bind recv_msg send_msg };
allow container_t container_file_t:blk_file { map relabelfrom relabelto };
allow container_t container_file_t:chr_file { execute map relabelfrom relabelto watch watch_reads };
allow container_t container_file_t:dir map;
allow container_t container_file_t:fifo_file { map relabelfrom relabelto };
allow container_t container_file_t:filesystem { mount unmount };
allow container_t container_file_t:lnk_file { map relabelfrom relabelto };
allow container_t container_file_t:sock_file { map relabelfrom relabelto };
allow container_t container_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:appletalk_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:association sendto;
allow container_t container_t:atmpvc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:atmsvc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:ax25_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:bluetooth_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:caif_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:can_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:cap2_userns { audit_read block_suspend bpf checkpoint_restore perfmon syslog wake_alarm }; [ virt_sandbox_use_all_caps ]:True
allow container_t container_t:cap_userns { audit_control fsetid ipc_lock ipc_owner lease linux_immutable net_broadcast sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; [ virt_sandbox_use_all_caps ]:True
allow container_t container_t:cap_userns { audit_write chown dac_override dac_read_search fowner kill mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_chroot };
allow container_t container_t:capability sys_admin; [ virt_sandbox_use_sys_admin ]:True
allow container_t container_t:capability { audit_control dac_override fsetid ipc_lock ipc_owner lease linux_immutable net_broadcast sys_admin sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; [ virt_sandbox_use_all_caps ]:True
allow container_t container_t:capability { audit_write chown dac_read_search fowner kill mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot };
allow container_t container_t:capability2 { audit_read block_suspend bpf checkpoint_restore epolwakeup perfmon syslog wake_alarm }; [ virt_sandbox_use_all_caps ]:True
allow container_t container_t:dccp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:decnet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:dir { getattr ioctl lock open read search watch };
allow container_t container_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow container_t container_t:file { append getattr ioctl lock open read write };
allow container_t container_t:filesystem associate;
allow container_t container_t:icmp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:ieee802154_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:ipx_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:irda_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:isdn_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:iucv_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:kcm_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:key { create read setattr view write };
allow container_t container_t:llc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:lnk_file { getattr ioctl lock open read setattr };
allow container_t container_t:mctp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:msg { receive send };
allow container_t container_t:msgq { associate create destroy enqueue getattr read setattr unix_read unix_write write };
allow container_t container_t:netlink_audit_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_audit_socket { nlmsg_read nlmsg_relay nlmsg_tty_audit }; [ virt_sandbox_use_audit ]:True
allow container_t container_t:netlink_connector_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_crypto_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_dnrt_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_fib_lookup_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_firewall_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_generic_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_ip6fw_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_iscsi_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_kobject_uevent_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_netfilter_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_nflog_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_rdma_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_route_socket { accept append bind connect create getattr getopt ioctl lock map nlmsg_read nlmsg_write read setattr setopt shutdown write };
allow container_t container_t:netlink_scsitransport_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_selinux_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_tcpdiag_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_tcpdiag_socket { nlmsg_read nlmsg_write }; [ virt_sandbox_use_netlink ]:True
allow container_t container_t:netlink_xfrm_socket { accept append bind connect create getattr getopt ioctl lock map nlmsg_read nlmsg_write read setattr setopt shutdown write };
allow container_t container_t:netrom_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:nfc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:packet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:passwd rootok;
allow container_t container_t:peer recv;
allow container_t container_t:phonet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:pppox_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:process ptrace; [ deny_ptrace ]:False
allow container_t container_t:process ptrace; [ deny_ptrace ]:False
allow container_t container_t:process { execmem execstack fork getattr getcap getpgid getrlimit getsched getsession setcap setexec setfscreate setpgid setrlimit setsched sigchld sigkill signal signull sigstop };
allow container_t container_t:qipcrtr_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:rawip_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow container_t container_t:rds_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:rose_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:rxrpc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:sctp_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow container_t container_t:sem { associate create destroy getattr read setattr unix_read unix_write write };
allow container_t container_t:shm { associate create destroy getattr lock read setattr unix_read unix_write write };
allow container_t container_t:smc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow container_t container_t:tcp_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow container_t container_t:tipc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:tun_socket { accept append attach_queue bind connect create getattr getopt ioctl lock map read relabelfrom relabelto setattr setopt shutdown write };
allow container_t container_t:udp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:unix_dgram_socket { accept append bind connect create getattr getopt ioctl lock map read sendto setattr setopt shutdown write };
allow container_t container_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock map read sendto setattr setopt shutdown write };
allow container_t container_t:user_namespace create;
allow container_t container_t:vsock_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:x25_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:xdp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t proc_t:filesystem remount;
allow container_t proc_type:file { ioctl lock open read };
allow container_t sysfs_t:dir mounton;
allow container_t xserver_misc_device_t:chr_file getattr; [ container_use_xserver_devices ]:True
allow container_t xserver_misc_device_t:chr_file map; [ container_use_xserver_devices ]:True
allow container_t xserver_misc_device_t:chr_file { append getattr ioctl lock open read write }; [ container_use_xserver_devices ]:True
allow corenet_unconfined_type netif_type:netif { dccp_recv dccp_send egress ingress rawip_recv rawip_send tcp_recv tcp_send udp_recv udp_send };
allow corenet_unconfined_type node_type:dccp_socket node_bind;
allow corenet_unconfined_type node_type:icmp_socket node_bind;
allow corenet_unconfined_type node_type:node { dccp_recv dccp_send enforce_dest rawip_recv rawip_send recvfrom sendto tcp_recv tcp_send udp_recv udp_send };
allow corenet_unconfined_type node_type:rawip_socket node_bind;
allow corenet_unconfined_type node_type:sctp_socket node_bind;
allow corenet_unconfined_type node_type:tcp_socket node_bind;
allow corenet_unconfined_type node_type:udp_socket node_bind;
allow corenet_unconfined_type packet_type:packet { flow_in flow_out forward_in forward_out recv relabelto send };
allow corenet_unconfined_type port_type:dccp_socket { name_bind name_connect recv_msg send_msg };
allow corenet_unconfined_type port_type:rawip_socket name_bind;
allow corenet_unconfined_type port_type:sctp_socket { name_bind name_connect recv_msg send_msg };
allow corenet_unconfined_type port_type:tcp_socket { name_bind name_connect recv_msg send_msg };
allow corenet_unconfined_type port_type:udp_socket { name_bind recv_msg send_msg };
allow corenet_unconfined_type unlabeled_t:infiniband_endport manage_subnet;
allow corenet_unconfined_type unlabeled_t:infiniband_pkey access;
allow corenet_unlabeled_type unlabeled_t:association { recvfrom sendto };
allow corenet_unlabeled_type unlabeled_t:dccp_socket recvfrom;
allow corenet_unlabeled_type unlabeled_t:peer recv;
allow corenet_unlabeled_type unlabeled_t:rawip_socket recvfrom;
allow corenet_unlabeled_type unlabeled_t:tcp_socket recvfrom;
allow corenet_unlabeled_type unlabeled_t:udp_socket recvfrom;
allow domain abrt_dump_oops_t:process sigchld; [ deny_ptrace ]:False
allow domain abrt_helper_exec_t:file { execute getattr ioctl map open read };
allow domain abrt_helper_t:process transition;
allow domain abrt_t:dir { getattr ioctl lock open read search };
allow domain abrt_t:fifo_file { append getattr ioctl lock read write };
allow domain abrt_t:file { getattr ioctl lock open read };
allow domain abrt_t:lnk_file { getattr read };
allow domain abrt_t:process { getattr signull };
allow domain abrt_var_run_t:dir { getattr open search };
allow domain abrt_var_run_t:file { getattr ioctl lock open read };
allow domain admin_home_t:dir { getattr open search };
allow domain admin_home_t:lnk_file { getattr read };
allow domain afs_cache_t:file { read write };
allow domain afs_t:udp_socket { read write };
allow domain automount_t:fd use;
allow domain automount_t:fifo_file write;
allow domain base_file_type:dir { getattr open search };
allow domain base_ro_file_type:dir { ioctl lock read };
allow domain base_ro_file_type:file { getattr ioctl lock open read };
allow domain base_ro_file_type:lnk_file { getattr read };
allow domain cpu_online_t:dir { getattr open search };
allow domain cpu_online_t:file { getattr ioctl lock open read };
allow domain crond_t:fifo_file { append getattr ioctl lock read write };
allow domain crypt_device_t:chr_file { append getattr ioctl lock open read write };
allow domain device_t:dir { ioctl lock read };
allow domain device_t:lnk_file { getattr read };
allow domain devicekit_power_t:dbus send_msg;
allow domain devtty_t:chr_file { append getattr ioctl lock open read write };
allow domain domain:fd use; [ domain_fd_use ]:True
allow domain domain:key { link search };
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow domain fonts_cache_t:dir { getattr ioctl lock open read search };
allow domain fonts_cache_t:file { getattr ioctl lock map open read };
allow domain fonts_cache_t:lnk_file { getattr read };
allow domain fonts_t:dir { getattr ioctl lock open read search };
allow domain fonts_t:file { getattr ioctl lock map open read };
allow domain fonts_t:lnk_file { getattr read };
allow domain ica_tmpfs_t:file { create getattr open };
allow domain init_t:process { sigchld signull };
allow domain initrc_tmp_t:file { open write };
allow domain install_t:fd use;
allow domain install_t:process sigchld; [ deny_ptrace ]:False
allow domain ipsec_spd_t:association polmatch;
allow domain kernel_t:system module_request; [ domain_kernel_load_modules ]:True
allow domain kmsg_device_t:chr_file { append getattr ioctl lock open write }; [ domain_can_write_kmsg ]:True
allow domain ld_so_cache_t:file { getattr ioctl lock map open read };
allow domain ld_so_t:file { execute getattr ioctl map open read };
allow domain ld_so_t:lnk_file { getattr read };
allow domain lib_t:file { execute map };
allow domain livecd_t:process sigchld; [ deny_ptrace ]:False
allow domain locale_t:dir { getattr ioctl lock open read search };
allow domain locale_t:file { getattr ioctl lock map open read };
allow domain locale_t:lnk_file { getattr read };
allow domain machineid_t:file { getattr ioctl lock open read };
allow domain man_cache_t:dir { getattr ioctl lock open read search };
allow domain man_cache_t:file { getattr ioctl lock open read };
allow domain man_cache_t:lnk_file { getattr read };
allow domain man_t:dir { getattr ioctl lock open read search };
allow domain man_t:file { getattr ioctl lock open read };
allow domain man_t:lnk_file { getattr read };
allow domain mandb_cache_t:dir { getattr open search };
allow domain mandb_cache_t:file { getattr ioctl lock open read };
allow domain mnt_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write };
allow domain mnt_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow domain mnt_t:lnk_file { getattr read };
allow domain netlabel_peer_t:peer recv;
allow domain netlabel_peer_t:tcp_socket recvfrom;
allow domain null_device_t:chr_file { append getattr ioctl lock open read write };
allow domain pkcs11_modules_conf_t:dir { getattr ioctl lock open read search };
allow domain pkcs11_modules_conf_t:file { getattr ioctl lock map open read };
allow domain prelink_exec_t:file { execute execute_no_trans getattr ioctl lock map open read }; [ fips_mode ]:True
allow domain proc_t:dir { getattr open search };
allow domain proc_t:filesystem getattr;
allow domain proc_t:lnk_file { getattr read };
allow domain puppet_tmp_t:file write;
allow domain rkhunter_var_lib_t:dir { getattr open search };
allow domain rkhunter_var_lib_t:file { append getattr ioctl lock open };
allow domain root_t:dir { ioctl lock read };
allow domain root_t:lnk_file { getattr ioctl lock read };
allow domain rpm_log_t:dir { getattr open search };
allow domain rpm_script_tmp_t:dir { getattr open search };
allow domain rpm_script_tmp_t:fifo_file { append getattr ioctl lock read write };
allow domain rpm_script_tmp_t:file open;
allow domain rpm_script_tmp_t:lnk_file { getattr read };
allow domain rpm_t:fd use;
allow domain rpm_t:fifo_file { getattr ioctl lock open read };
allow domain security_t:dir { getattr open search };
allow domain security_t:filesystem getattr;
allow domain security_t:lnk_file { getattr read };
allow domain selinux_config_t:dir { getattr open search };
allow domain setrans_t:context translate;
allow domain setrans_t:unix_stream_socket connectto;
allow domain setrans_var_run_t:dir { getattr open search };
allow domain setrans_var_run_t:sock_file { append getattr open write };
allow domain sosreport_tmp_t:dir { getattr open search };
allow domain sosreport_tmp_t:file open;
allow domain spc_t:process sigchld;
allow domain spc_t:unix_stream_socket connectto;
allow domain sshd_t:fifo_file { append getattr ioctl lock read write };
allow domain sysadm_t:process sigchld; [ deny_ptrace ]:False
allow domain sysctl_crypto_t:dir { getattr ioctl lock open read search };
allow domain sysctl_crypto_t:file { getattr ioctl lock open read };
allow domain sysctl_kernel_t:dir { getattr ioctl lock open read search }; [ fips_mode ]:True
allow domain sysctl_kernel_t:dir { getattr open search }; [ fips_mode ]:True
allow domain sysctl_kernel_t:file { getattr ioctl lock open read }; [ fips_mode ]:True
allow domain sysctl_t:dir { getattr open search };
allow domain sysctl_vm_overcommit_t:dir { getattr open search };
allow domain sysctl_vm_overcommit_t:file { getattr ioctl lock open read };
allow domain sysctl_vm_t:dir { getattr open search };
allow domain sysfs_t:dir { getattr open search };
allow domain sysfs_t:filesystem getattr;
allow domain system_cronjob_t:fifo_file { append getattr ioctl lock read write };
allow domain systemd_nsresourced_runtime_t:sock_file { append getattr open write };
allow domain systemd_nsresourced_t:unix_stream_socket connectto;
allow domain systemd_resolved_t:dbus send_msg;
allow domain systemd_resolved_t:unix_stream_socket connectto;
allow domain systemd_resolved_var_run_t:dir { getattr open search };
allow domain systemd_resolved_var_run_t:sock_file { append getattr open write };
allow domain textrel_shlib_t:file { execmod execute map };
allow domain tmp_t:file { open write };
allow domain tmp_t:lnk_file { getattr read };
allow domain tmpfile:file { append getattr ioctl lock read };
allow domain tmpfs_t:dir { add_name getattr ioctl lock open read remove_name search write };
allow domain unconfined_domain_type:association recvfrom;
allow domain unconfined_domain_type:peer recv;
allow domain unconfined_domain_type:tcp_socket recvfrom;
allow domain unconfined_t:fd use;
allow domain unconfined_t:process sigchld;
allow domain unlabeled_t:packet { recv send };
allow domain urandom_device_t:chr_file { getattr ioctl lock open read };
allow domain usermodehelper_t:dir { getattr ioctl lock open read search };
allow domain usermodehelper_t:file { getattr ioctl lock open read };
allow domain usermodehelper_t:lnk_file { getattr read };
allow domain usr_t:file map;
allow domain var_log_t:dir { getattr open search };
allow domain var_run_t:dir { ioctl lock read };
allow domain var_run_t:lnk_file { getattr read };
allow domain var_t:lnk_file { getattr read };
allow domain vmtools_unconfined_t:dbus send_msg;
allow domain zero_device_t:chr_file { append getattr ioctl lock map open read write };
allow kernel_system_state_reader proc_t:dir { ioctl lock read };
allow kernel_system_state_reader proc_t:file { getattr ioctl lock open read };
allow sandbox_net_domain node_t:rawip_socket node_bind;
allow sandbox_net_domain node_t:tcp_socket node_bind;
allow sandbox_net_domain node_t:udp_socket node_bind;
allow sandbox_net_domain port_type:tcp_socket { name_bind name_connect recv_msg send_msg };
allow sandbox_net_domain port_type:udp_socket { name_bind recv_msg send_msg };
allow sandbox_net_domain proc_net_t:dir { getattr ioctl lock open read search };
allow sandbox_net_domain proc_net_t:file { getattr ioctl lock open read };
allow sandbox_net_domain proc_net_t:lnk_file { getattr read };
allow sandbox_net_domain sssd_t:unix_stream_socket connectto;
allow sandbox_net_domain sssd_var_lib_t:dir { getattr open search };
allow sandbox_net_domain sssd_var_lib_t:sock_file { append getattr open write };
allow sandbox_net_domain svirt_home_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write };
allow sandbox_net_domain svirt_home_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow sandbox_net_domain svirt_home_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow sandbox_net_domain svirt_home_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write };
allow sandbox_net_domain svirt_home_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow sandbox_net_domain systemd_logind_t:dbus send_msg;
allow sandbox_net_domain systemd_logind_t:fd use;
allow sandbox_net_domain virt_home_t:dir { add_name getattr ioctl lock open read remove_name search write };
allow svirt_sandbox_domain cifs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:dir { ioctl lock read }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:file { append create link rename setattr unlink watch watch_reads write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:lnk_file { append create ioctl link lock rename setattr unlink watch watch_reads write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain container_devpts_t:chr_file { append getattr ioctl lock open read write };
allow svirt_sandbox_domain container_file_t:blk_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow svirt_sandbox_domain container_file_t:chr_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow svirt_sandbox_domain container_file_t:dir { add_name create execmod ioctl link lock read relabelfrom relabelto remove_name rename reparent rmdir setattr unlink watch watch_reads write };
allow svirt_sandbox_domain container_file_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow svirt_sandbox_domain container_file_t:file { append create execmod execute execute_no_trans getattr ioctl link lock map open read relabelfrom relabelto rename setattr unlink watch watch_reads write };
allow svirt_sandbox_domain container_file_t:filesystem remount;
allow svirt_sandbox_domain container_file_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write };
allow svirt_sandbox_domain container_file_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow svirt_sandbox_domain container_ro_file_t:dir { ioctl lock read };
allow svirt_sandbox_domain container_ro_file_t:file { execmod execute execute_no_trans getattr ioctl lock map open read };
allow svirt_sandbox_domain container_ro_file_t:lnk_file { getattr read };
allow svirt_sandbox_domain container_runtime_domain:dir { getattr ioctl lock open read search };
allow svirt_sandbox_domain container_runtime_domain:file { getattr ioctl lock open read };
allow svirt_sandbox_domain container_runtime_domain:lnk_file { getattr read };
allow svirt_sandbox_domain container_runtime_domain:process getattr;
allow svirt_sandbox_domain container_var_lib_t:dir { add_name ioctl lock read remove_name write };
allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
allow svirt_sandbox_domain exec_type:lnk_file { getattr read };
allow svirt_sandbox_domain file_type:dir { getattr open search };
allow svirt_sandbox_domain file_type:filesystem getattr;
allow svirt_sandbox_domain filesystem_type:filesystem getattr;
allow svirt_sandbox_domain fs_t:dir { getattr open search };
allow svirt_sandbox_domain fs_t:file { append getattr ioctl lock open read write };
allow svirt_sandbox_domain fs_t:lnk_file { getattr ioctl lock read write };
allow svirt_sandbox_domain fusefs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:dir { add_name ioctl lock read remove_name write }; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:dir { add_name ioctl lock read remove_name write }; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:file { execute execute_no_trans getattr ioctl map open read }; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:filesystem mount; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:filesystem unmount; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain httpd_modules_t:dir { ioctl lock read }; [ virt_sandbox_share_apache_content ]:True
allow svirt_sandbox_domain httpd_modules_t:file { execute execute_no_trans getattr ioctl lock map open read }; [ virt_sandbox_share_apache_content ]:True
allow svirt_sandbox_domain httpd_modules_t:lnk_file { getattr read }; [ virt_sandbox_share_apache_content ]:True
allow svirt_sandbox_domain httpd_sys_content_t:dir { ioctl lock read }; [ virt_sandbox_share_apache_content ]:True
allow svirt_sandbox_domain hugetlbfs_t:file { append getattr ioctl lock map open read write };
allow svirt_sandbox_domain hwdata_t:dir { ioctl lock read };
allow svirt_sandbox_domain hwdata_t:file { getattr ioctl lock open read };
allow svirt_sandbox_domain hwdata_t:lnk_file { getattr read };
allow svirt_sandbox_domain init_t:fd use;
allow svirt_sandbox_domain initrc_t:fd use;
allow svirt_sandbox_domain initrc_t:process sigchld;
allow svirt_sandbox_domain mountpoint:file entrypoint;
allow svirt_sandbox_domain nfs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True
allow svirt_sandbox_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True
allow svirt_sandbox_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True
allow svirt_sandbox_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True
allow svirt_sandbox_domain nfs_t:dir { ioctl lock read }; [ virt_use_nfs ]:True
allow svirt_sandbox_domain nfs_t:file { append create link rename setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True
allow svirt_sandbox_domain nfs_t:filesystem mount; [ virt_use_nfs ]:True
allow svirt_sandbox_domain nfs_t:filesystem unmount; [ virt_use_nfs ]:True
allow svirt_sandbox_domain nfs_t:lnk_file { append create ioctl link lock rename setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True
allow svirt_sandbox_domain nfs_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; [ virt_use_nfs ]:True
allow svirt_sandbox_domain onload_fs_t:fifo_file { append getattr ioctl lock open read write };
allow svirt_sandbox_domain onload_fs_t:file { append getattr ioctl lock open read write };
allow svirt_sandbox_domain onload_fs_t:sock_file { append getattr ioctl open read write };
allow svirt_sandbox_domain proc_type:dir { getattr ioctl lock open read search };
allow svirt_sandbox_domain proc_type:file getattr;
allow svirt_sandbox_domain spc_t:fd use;
allow svirt_sandbox_domain sshd_devpts_t:chr_file { append getattr ioctl lock read write };
allow svirt_sandbox_domain sshd_t:dir { getattr ioctl lock open read search };
allow svirt_sandbox_domain sshd_t:fd use;
allow svirt_sandbox_domain sshd_t:file { getattr ioctl lock open read };
allow svirt_sandbox_domain sshd_t:lnk_file { getattr read };
allow svirt_sandbox_domain sshd_t:process { getattr sigchld };
allow svirt_sandbox_domain svirt_file_type:blk_file mounton;
allow svirt_sandbox_domain svirt_file_type:chr_file mounton;
allow svirt_sandbox_domain svirt_file_type:dir mounton;
allow svirt_sandbox_domain svirt_file_type:fifo_file mounton;
allow svirt_sandbox_domain svirt_file_type:file mounton;
allow svirt_sandbox_domain svirt_file_type:lnk_file mounton;
allow svirt_sandbox_domain svirt_file_type:sock_file mounton;
allow svirt_sandbox_domain sysadm_t:fd use;
allow svirt_sandbox_domain sysadm_t:process sigchld;
allow svirt_sandbox_domain sysctl_fs_t:file { append write }; [ virt_use_nfs ]:True
allow svirt_sandbox_domain sysctl_net_t:file { append write };
allow svirt_sandbox_domain sysctl_net_t:lnk_file { getattr read };
allow svirt_sandbox_domain sysctl_net_unix_t:file { append write };
allow svirt_sandbox_domain sysctl_type:dir { getattr ioctl lock open read search };
allow svirt_sandbox_domain sysctl_type:file { getattr ioctl lock open read };
allow svirt_sandbox_domain systemd_machined_t:dir { getattr ioctl lock open read search };
allow svirt_sandbox_domain systemd_machined_t:file { getattr ioctl lock open read };
allow svirt_sandbox_domain systemd_machined_t:lnk_file { getattr read };
allow svirt_sandbox_domain systemd_machined_t:process getattr;
allow svirt_sandbox_domain tmpfs_t:file { append getattr ioctl lock read write };
allow svirt_sandbox_domain tmpfs_t:lnk_file { getattr read };
allow svirt_sandbox_domain udev_var_run_t:dir { ioctl lock read };
allow svirt_sandbox_domain udev_var_run_t:file { getattr ioctl lock open read };
allow svirt_sandbox_domain udev_var_run_t:lnk_file { getattr read };
allow svirt_sandbox_domain user_devpts_t:chr_file { append getattr ioctl lock read write };
allow svirt_sandbox_domain user_tty_device_t:chr_file { append getattr ioctl lock read write };
allow svirt_sandbox_domain var_lock_t:lnk_file { getattr read };
allow svirt_sandbox_domain virsh_t:fd use;
allow svirt_sandbox_domain virsh_t:process sigchld;
allow svirt_sandbox_domain virtd_lxc_t:fd use;
allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { append bind connect connectto getattr getopt ioctl lock read setattr setopt shutdown write };
allow syslog_client_type console_device_t:chr_file { append getattr ioctl lock open write };
allow syslog_client_type devlog_t:lnk_file { getattr read };
allow syslog_client_type devlog_t:sock_file { append getattr open write };
allow syslog_client_type kernel_t:unix_dgram_socket sendto;
allow syslog_client_type kernel_t:unix_stream_socket { connectto getattr };
allow syslog_client_type syslogd_t:unix_dgram_socket sendto;
allow syslog_client_type syslogd_t:unix_stream_socket connectto;
allow syslog_client_type syslogd_var_run_t:dir { getattr open search };
allow syslog_client_type syslogd_var_run_t:sock_file { append getattr open write };
[-- Attachment #3: mycontainer.rules --]
[-- Type: text/plain, Size: 73199 bytes --]
$ sesearch -A -s mycontainer_t
allow container_domain bpf_t:dir { add_name ioctl lock read remove_name write };
allow container_domain bpf_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow container_domain cert_type:dir { ioctl lock read }; [ container_read_certs ]:True
allow container_domain cert_type:file { getattr ioctl lock open read }; [ container_read_certs ]:True
allow container_domain cert_type:lnk_file { getattr read }; [ container_read_certs ]:True
allow container_domain cgroup_t:dir { create link rename reparent rmdir setattr unlink watch watch_reads }; [ container_manage_cgroup ]:True
allow container_domain cgroup_t:dir { ioctl lock mounton read };
allow container_domain cgroup_t:filesystem unmount;
allow container_domain cgroup_type:dir { add_name ioctl lock read remove_name write }; [ container_manage_cgroup ]:True
allow container_domain cgroup_type:dir { add_name ioctl lock read remove_name write }; [ container_manage_cgroup ]:True
allow container_domain cgroup_type:file { append create link rename setattr unlink watch watch_reads write }; [ container_manage_cgroup ]:True
allow container_domain cgroup_type:file { getattr ioctl lock open read };
allow container_domain cgroup_type:lnk_file { append create ioctl link lock rename setattr unlink watch watch_reads write }; [ container_manage_cgroup ]:True
allow container_domain cgroup_type:lnk_file { getattr read };
allow container_domain cifs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ virt_use_samba ]:True
allow container_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True
allow container_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True
allow container_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True
allow container_domain cifs_t:dir { ioctl lock read }; [ virt_use_samba ]:True
allow container_domain cifs_t:file execmod; [ virt_use_samba ]:True
allow container_domain cifs_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ virt_use_samba ]:True
allow container_domain cifs_t:file { execute execute_no_trans getattr ioctl map open read }; [ virt_use_samba ]:True
allow container_domain cifs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ virt_use_samba ]:True
allow container_domain cifs_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; [ virt_use_samba ]:True
allow container_domain console_device_t:chr_file { append getattr ioctl lock read write };
allow container_domain container_devpts_t:chr_file open;
allow container_domain container_file_t:file entrypoint;
allow container_domain container_ro_file_t:dir { ioctl lock read };
allow container_domain container_ro_file_t:file { entrypoint execmod execute execute_no_trans getattr ioctl lock map open read };
allow container_domain container_ro_file_t:lnk_file { getattr read };
allow container_domain container_runtime_domain:alg_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:appletalk_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:atmpvc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:atmsvc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:ax25_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:bluetooth_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:caif_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:can_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:dccp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:decnet_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:fd use;
allow container_domain container_runtime_domain:icmp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:ieee802154_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:ipx_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:irda_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:isdn_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:iucv_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:kcm_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:llc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:mctp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_audit_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_connector_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_crypto_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_dnrt_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_fib_lookup_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_firewall_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_generic_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_ip6fw_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_iscsi_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_kobject_uevent_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_netfilter_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_nflog_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_rdma_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_route_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_scsitransport_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_selinux_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_tcpdiag_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netlink_xfrm_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:netrom_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:nfc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:packet_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:phonet_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:pppox_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:process sigchld;
allow container_domain container_runtime_domain:qipcrtr_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:rawip_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:rds_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:rose_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:rxrpc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:sctp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:smc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:tcp_socket { accept append getattr getopt ioctl lock map read recv_msg send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:tipc_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:tun_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom relabelfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:udp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:unix_dgram_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:unix_stream_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:vsock_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:x25_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_domain:xdp_socket { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };
allow container_domain container_runtime_tmpfs_t:dir mounton;
allow container_domain container_runtime_tmpfs_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
allow container_domain container_var_lib_t:dir { add_name ioctl lock read remove_name write };
allow container_domain container_var_lib_t:file entrypoint;
allow container_domain device_node:blk_file { append getattr ioctl lock map open read write }; [ container_use_devices ]:True
allow container_domain device_node:chr_file { append getattr ioctl lock map open read write }; [ container_use_devices ]:True
allow container_domain devpts_t:chr_file { append getattr ioctl lock read write };
allow container_domain dri_device_t:chr_file map; [ container_use_dri_devices ]:True
allow container_domain dri_device_t:chr_file open; [ container_use_dri_devices ]:True
allow container_domain dri_device_t:chr_file { append getattr ioctl lock read write };
allow container_domain ecryptfs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:dir { add_name ioctl lock read remove_name write }; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:dir { add_name ioctl lock read remove_name write }; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:dir { add_name ioctl lock read remove_name write }; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:file execmod; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:file { execute execute_no_trans getattr ioctl map open read }; [ container_use_ecryptfs ]:True
allow container_domain ecryptfs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ container_use_ecryptfs ]:True
allow container_domain file_type:dir { getattr open search };
allow container_domain file_type:filesystem getattr;
allow container_domain filesystem_type:filesystem getattr;
allow container_domain fs_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ container_use_cephfs ]:True
allow container_domain fs_t:dir { add_name getattr ioctl lock open read remove_name search write }; [ container_use_cephfs ]:True
allow container_domain fs_t:dir { add_name getattr ioctl lock open read remove_name search write }; [ container_use_cephfs ]:True
allow container_domain fs_t:dir { add_name getattr ioctl lock open read remove_name search write }; [ container_use_cephfs ]:True
allow container_domain fs_t:dir { getattr open search }; [ container_use_cephfs ]:True
allow container_domain fs_t:file execmod; [ container_use_cephfs ]:True
allow container_domain fs_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ container_use_cephfs ]:True
allow container_domain fs_t:file { execute execute_no_trans getattr ioctl map open read }; [ container_use_cephfs ]:True
allow container_domain fs_t:filesystem { mount remount unmount };
allow container_domain fs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ container_use_cephfs ]:True
allow container_domain fuse_device_t:chr_file { append getattr ioctl lock open read write };
allow container_domain fusefs_t:dir { add_name create ioctl link lock mounton read remove_name rename reparent rmdir setattr unlink watch watch_reads write };
allow container_domain fusefs_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow container_domain fusefs_t:file { append create entrypoint execmod execute execute_no_trans getattr ioctl link lock map mounton open read rename setattr unlink watch watch_reads write };
allow container_domain fusefs_t:filesystem { mount remount unmount };
allow container_domain fusefs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write };
allow container_domain fusefs_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow container_domain gssproxy_t:unix_stream_socket connectto;
allow container_domain gssproxy_var_lib_t:sock_file { append getattr open write };
allow container_domain gssproxy_var_run_t:sock_file { append getattr open write };
allow container_domain hugetlbfs_t:dir { add_name ioctl lock read remove_name write };
allow container_domain hugetlbfs_t:file { append create execute execute_no_trans getattr ioctl link lock map open read rename setattr unlink watch watch_reads write };
allow container_domain init_t:alg_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:appletalk_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:atmpvc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:atmsvc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:ax25_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:bluetooth_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:caif_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:can_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:dccp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:decnet_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:icmp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:ieee802154_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:ipx_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:irda_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:isdn_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:iucv_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:kcm_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:llc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:mctp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_audit_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_connector_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_crypto_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_dnrt_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_fib_lookup_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_firewall_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_generic_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_ip6fw_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_iscsi_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_kobject_uevent_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_netfilter_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_nflog_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_rdma_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_route_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_scsitransport_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_selinux_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_tcpdiag_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netlink_xfrm_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:netrom_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:nfc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:packet_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:phonet_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:pppox_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:qipcrtr_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:rawip_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:rds_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:rose_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:rxrpc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:sctp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:smc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:tcp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:tipc_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:tun_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:udp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:unix_dgram_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:unix_stream_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:vsock_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:x25_socket { accept append getattr getopt ioctl lock read write };
allow container_domain init_t:xdp_socket { accept append getattr getopt ioctl lock read write };
allow container_domain kernel_t:system ipc_info;
allow container_domain kvm_device_t:chr_file { append getattr ioctl lock open read write };
allow container_domain modules_object_t:dir { ioctl lock read };
allow container_domain modules_object_t:file { getattr ioctl lock open read };
allow container_domain modules_object_t:lnk_file { getattr read };
allow container_domain mtrr_device_t:chr_file { getattr ioctl lock open read };
allow container_domain mtrr_device_t:file { getattr ioctl lock open read };
allow container_domain net_conf_t:dir { ioctl lock read };
allow container_domain net_conf_t:file { getattr ioctl lock open read };
allow container_domain net_conf_t:lnk_file { getattr read };
allow container_domain nfs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True
allow container_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True
allow container_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True
allow container_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True
allow container_domain nfs_t:dir { ioctl lock read }; [ virt_use_nfs ]:True
allow container_domain nfs_t:file execmod; [ virt_use_nfs ]:True
allow container_domain nfs_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True
allow container_domain nfs_t:file { execute execute_no_trans getattr ioctl map open read }; [ virt_use_nfs ]:True
allow container_domain nfs_t:filesystem mount; [ virt_use_nfs ]:True
allow container_domain nfs_t:filesystem unmount; [ virt_use_nfs ]:True
allow container_domain nfs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True
allow container_domain nfs_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; [ virt_use_nfs ]:True
allow container_domain nsfs_t:file { getattr ioctl lock open read };
allow container_domain nsfs_t:filesystem unmount;
allow container_domain onload_fs_t:fifo_file { append getattr ioctl lock open read write };
allow container_domain onload_fs_t:file { append getattr ioctl lock open read write };
allow container_domain onload_fs_t:sock_file { append getattr ioctl open read write };
allow container_domain proc_net_t:file { ioctl lock open read };
allow container_domain proc_net_t:lnk_file { getattr read };
allow container_domain proc_type:dir { getattr ioctl lock mounton open read search };
allow container_domain proc_type:file { getattr mounton };
allow container_domain ptynode:chr_file { append getattr ioctl lock read write };
allow container_domain random_device_t:chr_file { append getattr ioctl lock open read write };
allow container_domain rpm_var_cache_t:dir { ioctl lock read };
allow container_domain rpm_var_cache_t:file { getattr ioctl lock open read };
allow container_domain rpm_var_cache_t:lnk_file { getattr read };
allow container_domain rpm_var_lib_t:dir { ioctl lock read };
allow container_domain rpm_var_lib_t:file { getattr ioctl lock map open read };
allow container_domain rpm_var_lib_t:lnk_file { getattr read };
allow container_domain spc_t:unix_stream_socket { read write };
allow container_domain sssd_t:unix_stream_socket connectto;
allow container_domain sssd_var_lib_t:sock_file { append getattr open write };
allow container_domain sysctl_kernel_ns_last_pid_t:file { append write };
allow container_domain sysctl_net_t:file { append write };
allow container_domain sysctl_net_t:lnk_file { getattr read };
allow container_domain sysctl_net_unix_t:file { append write };
allow container_domain sysctl_rpc_t:file { append write };
allow container_domain sysctl_type:dir { getattr ioctl lock open read search };
allow container_domain sysctl_type:file { getattr ioctl lock open read };
allow container_domain sysfs_t:dir { ioctl lock read watch };
allow container_domain sysfs_t:file { getattr ioctl lock open read };
allow container_domain sysfs_t:lnk_file { getattr read };
allow container_domain systemd_logind_t:dbus send_msg;
allow container_domain systemd_logind_t:fd use;
allow container_domain tmpfs_t:file { append getattr ioctl lock read write };
allow container_domain tmpfs_t:filesystem { mount unmount };
allow container_domain tmpfs_t:lnk_file { getattr read };
allow container_domain tty_device_t:chr_file { append getattr ioctl lock read write };
allow container_domain ttynode:chr_file { append getattr ioctl lock read write };
allow container_domain unconfined_domain_type:fifo_file { append getattr ioctl lock map open read write };
allow container_domain urandom_device_t:chr_file { append write };
allow container_domain user_devpts_t:chr_file open;
allow container_domain userdomain:alg_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:appletalk_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:atmpvc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:atmsvc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:ax25_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:bluetooth_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:caif_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:can_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:dccp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:decnet_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:fifo_file { append getattr ioctl lock read write };
allow container_domain userdomain:icmp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:ieee802154_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:ipx_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:irda_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:isdn_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:iucv_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:kcm_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:llc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:mctp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_audit_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_connector_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_crypto_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_dnrt_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_fib_lookup_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_firewall_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_generic_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_ip6fw_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_iscsi_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_kobject_uevent_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_netfilter_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_nflog_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_rdma_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_route_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_scsitransport_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_selinux_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_tcpdiag_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netlink_xfrm_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:netrom_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:nfc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:packet_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:phonet_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:pppox_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:qipcrtr_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:rawip_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:rds_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:rose_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:rxrpc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:sctp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:smc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:tcp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:tipc_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:tun_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:udp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:unix_dgram_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:unix_stream_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:vsock_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:x25_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain userdomain:xdp_socket { accept append getattr getopt ioctl lock read setopt shutdown write };
allow container_domain zero_device_t:chr_file execute;
allow container_net_domain node_t:rawip_socket node_bind;
allow container_net_domain node_t:tcp_socket node_bind;
allow container_net_domain node_t:udp_socket node_bind;
allow container_net_domain port_type:sctp_socket { name_bind name_connect };
allow container_net_domain port_type:tcp_socket { name_bind name_connect recv_msg send_msg };
allow container_net_domain port_type:udp_socket { name_bind recv_msg send_msg };
allow container_t_domain container_file_t:blk_file { map relabelfrom relabelto };
allow container_t_domain container_file_t:chr_file { execute map relabelfrom relabelto watch watch_reads };
allow container_t_domain container_file_t:dir map;
allow container_t_domain container_file_t:fifo_file { map relabelfrom relabelto };
allow container_t_domain container_file_t:filesystem { mount unmount };
allow container_t_domain container_file_t:lnk_file { map relabelfrom relabelto };
allow container_t_domain container_file_t:sock_file { map relabelfrom relabelto };
allow container_t_domain proc_t:filesystem remount;
allow container_t_domain proc_type:file { ioctl lock open read };
allow container_t_domain sysfs_t:dir mounton;
allow container_t_domain xserver_misc_device_t:chr_file getattr; [ container_use_xserver_devices ]:True
allow container_t_domain xserver_misc_device_t:chr_file map; [ container_use_xserver_devices ]:True
allow container_t_domain xserver_misc_device_t:chr_file { append getattr ioctl lock open read write }; [ container_use_xserver_devices ]:True
allow corenet_unconfined_type netif_type:netif { dccp_recv dccp_send egress ingress rawip_recv rawip_send tcp_recv tcp_send udp_recv udp_send };
allow corenet_unconfined_type node_type:dccp_socket node_bind;
allow corenet_unconfined_type node_type:icmp_socket node_bind;
allow corenet_unconfined_type node_type:node { dccp_recv dccp_send enforce_dest rawip_recv rawip_send recvfrom sendto tcp_recv tcp_send udp_recv udp_send };
allow corenet_unconfined_type node_type:rawip_socket node_bind;
allow corenet_unconfined_type node_type:sctp_socket node_bind;
allow corenet_unconfined_type node_type:tcp_socket node_bind;
allow corenet_unconfined_type node_type:udp_socket node_bind;
allow corenet_unconfined_type packet_type:packet { flow_in flow_out forward_in forward_out recv relabelto send };
allow corenet_unconfined_type port_type:dccp_socket { name_bind name_connect recv_msg send_msg };
allow corenet_unconfined_type port_type:rawip_socket name_bind;
allow corenet_unconfined_type port_type:sctp_socket { name_bind name_connect recv_msg send_msg };
allow corenet_unconfined_type port_type:tcp_socket { name_bind name_connect recv_msg send_msg };
allow corenet_unconfined_type port_type:udp_socket { name_bind recv_msg send_msg };
allow corenet_unconfined_type unlabeled_t:infiniband_endport manage_subnet;
allow corenet_unconfined_type unlabeled_t:infiniband_pkey access;
allow corenet_unlabeled_type unlabeled_t:association { recvfrom sendto };
allow corenet_unlabeled_type unlabeled_t:dccp_socket recvfrom;
allow corenet_unlabeled_type unlabeled_t:peer recv;
allow corenet_unlabeled_type unlabeled_t:rawip_socket recvfrom;
allow corenet_unlabeled_type unlabeled_t:tcp_socket recvfrom;
allow corenet_unlabeled_type unlabeled_t:udp_socket recvfrom;
allow domain abrt_dump_oops_t:process sigchld; [ deny_ptrace ]:False
allow domain abrt_helper_exec_t:file { execute getattr ioctl map open read };
allow domain abrt_helper_t:process transition;
allow domain abrt_t:dir { getattr ioctl lock open read search };
allow domain abrt_t:fifo_file { append getattr ioctl lock read write };
allow domain abrt_t:file { getattr ioctl lock open read };
allow domain abrt_t:lnk_file { getattr read };
allow domain abrt_t:process { getattr signull };
allow domain abrt_var_run_t:dir { getattr open search };
allow domain abrt_var_run_t:file { getattr ioctl lock open read };
allow domain admin_home_t:dir { getattr open search };
allow domain admin_home_t:lnk_file { getattr read };
allow domain afs_cache_t:file { read write };
allow domain afs_t:udp_socket { read write };
allow domain automount_t:fd use;
allow domain automount_t:fifo_file write;
allow domain base_file_type:dir { getattr open search };
allow domain base_ro_file_type:dir { ioctl lock read };
allow domain base_ro_file_type:file { getattr ioctl lock open read };
allow domain base_ro_file_type:lnk_file { getattr read };
allow domain cpu_online_t:dir { getattr open search };
allow domain cpu_online_t:file { getattr ioctl lock open read };
allow domain crond_t:fifo_file { append getattr ioctl lock read write };
allow domain crypt_device_t:chr_file { append getattr ioctl lock open read write };
allow domain device_t:dir { ioctl lock read };
allow domain device_t:lnk_file { getattr read };
allow domain devicekit_power_t:dbus send_msg;
allow domain devtty_t:chr_file { append getattr ioctl lock open read write };
allow domain domain:fd use; [ domain_fd_use ]:True
allow domain domain:key { link search };
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow domain fonts_cache_t:dir { getattr ioctl lock open read search };
allow domain fonts_cache_t:file { getattr ioctl lock map open read };
allow domain fonts_cache_t:lnk_file { getattr read };
allow domain fonts_t:dir { getattr ioctl lock open read search };
allow domain fonts_t:file { getattr ioctl lock map open read };
allow domain fonts_t:lnk_file { getattr read };
allow domain ica_tmpfs_t:file { create getattr open };
allow domain init_t:process { sigchld signull };
allow domain initrc_tmp_t:file { open write };
allow domain install_t:fd use;
allow domain install_t:process sigchld; [ deny_ptrace ]:False
allow domain ipsec_spd_t:association polmatch;
allow domain kernel_t:system module_request; [ domain_kernel_load_modules ]:True
allow domain kmsg_device_t:chr_file { append getattr ioctl lock open write }; [ domain_can_write_kmsg ]:True
allow domain ld_so_cache_t:file { getattr ioctl lock map open read };
allow domain ld_so_t:file { execute getattr ioctl map open read };
allow domain ld_so_t:lnk_file { getattr read };
allow domain lib_t:file { execute map };
allow domain livecd_t:process sigchld; [ deny_ptrace ]:False
allow domain locale_t:dir { getattr ioctl lock open read search };
allow domain locale_t:file { getattr ioctl lock map open read };
allow domain locale_t:lnk_file { getattr read };
allow domain machineid_t:file { getattr ioctl lock open read };
allow domain man_cache_t:dir { getattr ioctl lock open read search };
allow domain man_cache_t:file { getattr ioctl lock open read };
allow domain man_cache_t:lnk_file { getattr read };
allow domain man_t:dir { getattr ioctl lock open read search };
allow domain man_t:file { getattr ioctl lock open read };
allow domain man_t:lnk_file { getattr read };
allow domain mandb_cache_t:dir { getattr open search };
allow domain mandb_cache_t:file { getattr ioctl lock open read };
allow domain mnt_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write };
allow domain mnt_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow domain mnt_t:lnk_file { getattr read };
allow domain netlabel_peer_t:peer recv;
allow domain netlabel_peer_t:tcp_socket recvfrom;
allow domain null_device_t:chr_file { append getattr ioctl lock open read write };
allow domain pkcs11_modules_conf_t:dir { getattr ioctl lock open read search };
allow domain pkcs11_modules_conf_t:file { getattr ioctl lock map open read };
allow domain prelink_exec_t:file { execute execute_no_trans getattr ioctl lock map open read }; [ fips_mode ]:True
allow domain proc_t:dir { getattr open search };
allow domain proc_t:filesystem getattr;
allow domain proc_t:lnk_file { getattr read };
allow domain puppet_tmp_t:file write;
allow domain rkhunter_var_lib_t:dir { getattr open search };
allow domain rkhunter_var_lib_t:file { append getattr ioctl lock open };
allow domain root_t:dir { ioctl lock read };
allow domain root_t:lnk_file { getattr ioctl lock read };
allow domain rpm_log_t:dir { getattr open search };
allow domain rpm_script_tmp_t:dir { getattr open search };
allow domain rpm_script_tmp_t:fifo_file { append getattr ioctl lock read write };
allow domain rpm_script_tmp_t:file open;
allow domain rpm_script_tmp_t:lnk_file { getattr read };
allow domain rpm_t:fd use;
allow domain rpm_t:fifo_file { getattr ioctl lock open read };
allow domain security_t:dir { getattr open search };
allow domain security_t:filesystem getattr;
allow domain security_t:lnk_file { getattr read };
allow domain selinux_config_t:dir { getattr open search };
allow domain setrans_t:context translate;
allow domain setrans_t:unix_stream_socket connectto;
allow domain setrans_var_run_t:dir { getattr open search };
allow domain setrans_var_run_t:sock_file { append getattr open write };
allow domain sosreport_tmp_t:dir { getattr open search };
allow domain sosreport_tmp_t:file open;
allow domain spc_t:process sigchld;
allow domain spc_t:unix_stream_socket connectto;
allow domain sshd_t:fifo_file { append getattr ioctl lock read write };
allow domain sysadm_t:process sigchld; [ deny_ptrace ]:False
allow domain sysctl_crypto_t:dir { getattr ioctl lock open read search };
allow domain sysctl_crypto_t:file { getattr ioctl lock open read };
allow domain sysctl_kernel_t:dir { getattr ioctl lock open read search }; [ fips_mode ]:True
allow domain sysctl_kernel_t:dir { getattr open search }; [ fips_mode ]:True
allow domain sysctl_kernel_t:file { getattr ioctl lock open read }; [ fips_mode ]:True
allow domain sysctl_t:dir { getattr open search };
allow domain sysctl_vm_overcommit_t:dir { getattr open search };
allow domain sysctl_vm_overcommit_t:file { getattr ioctl lock open read };
allow domain sysctl_vm_t:dir { getattr open search };
allow domain sysfs_t:dir { getattr open search };
allow domain sysfs_t:filesystem getattr;
allow domain system_cronjob_t:fifo_file { append getattr ioctl lock read write };
allow domain systemd_nsresourced_runtime_t:sock_file { append getattr open write };
allow domain systemd_nsresourced_t:unix_stream_socket connectto;
allow domain systemd_resolved_t:dbus send_msg;
allow domain systemd_resolved_t:unix_stream_socket connectto;
allow domain systemd_resolved_var_run_t:dir { getattr open search };
allow domain systemd_resolved_var_run_t:sock_file { append getattr open write };
allow domain textrel_shlib_t:file { execmod execute map };
allow domain tmp_t:file { open write };
allow domain tmp_t:lnk_file { getattr read };
allow domain tmpfile:file { append getattr ioctl lock read };
allow domain tmpfs_t:dir { add_name getattr ioctl lock open read remove_name search write };
allow domain unconfined_domain_type:association recvfrom;
allow domain unconfined_domain_type:peer recv;
allow domain unconfined_domain_type:tcp_socket recvfrom;
allow domain unconfined_t:fd use;
allow domain unconfined_t:process sigchld;
allow domain unlabeled_t:packet { recv send };
allow domain urandom_device_t:chr_file { getattr ioctl lock open read };
allow domain usermodehelper_t:dir { getattr ioctl lock open read search };
allow domain usermodehelper_t:file { getattr ioctl lock open read };
allow domain usermodehelper_t:lnk_file { getattr read };
allow domain usr_t:file map;
allow domain var_log_t:dir { getattr open search };
allow domain var_run_t:dir { ioctl lock read };
allow domain var_run_t:lnk_file { getattr read };
allow domain var_t:lnk_file { getattr read };
allow domain vmtools_unconfined_t:dbus send_msg;
allow domain zero_device_t:chr_file { append getattr ioctl lock map open read write };
allow kernel_system_state_reader proc_t:dir { ioctl lock read };
allow kernel_system_state_reader proc_t:file { getattr ioctl lock open read };
allow mycontainer_t mycontainer_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:appletalk_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:association sendto;
allow mycontainer_t mycontainer_t:atmpvc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:atmsvc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:ax25_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:bluetooth_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:caif_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:can_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:cap2_userns { audit_read block_suspend bpf checkpoint_restore perfmon syslog wake_alarm }; [ virt_sandbox_use_all_caps ]:True
allow mycontainer_t mycontainer_t:cap_userns { audit_control fsetid ipc_lock ipc_owner lease linux_immutable net_broadcast sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; [ virt_sandbox_use_all_caps ]:True
allow mycontainer_t mycontainer_t:cap_userns { audit_write chown dac_override dac_read_search fowner kill mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_chroot };
allow mycontainer_t mycontainer_t:capability sys_admin; [ virt_sandbox_use_sys_admin ]:True
allow mycontainer_t mycontainer_t:capability { audit_control dac_override fsetid ipc_lock ipc_owner lease linux_immutable net_broadcast sys_admin sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; [ virt_sandbox_use_all_caps ]:True
allow mycontainer_t mycontainer_t:capability { audit_write chown dac_read_search fowner kill mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot };
allow mycontainer_t mycontainer_t:capability2 { audit_read block_suspend bpf checkpoint_restore epolwakeup perfmon syslog wake_alarm }; [ virt_sandbox_use_all_caps ]:True
allow mycontainer_t mycontainer_t:dccp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:decnet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:dir { getattr ioctl lock open read search watch };
allow mycontainer_t mycontainer_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow mycontainer_t mycontainer_t:file { append getattr ioctl lock open read write };
allow mycontainer_t mycontainer_t:filesystem associate;
allow mycontainer_t mycontainer_t:icmp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:ieee802154_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:ipx_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:irda_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:isdn_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:iucv_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:kcm_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:key { create read setattr view write };
allow mycontainer_t mycontainer_t:llc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:lnk_file { getattr ioctl lock open read setattr };
allow mycontainer_t mycontainer_t:mctp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:msg { receive send };
allow mycontainer_t mycontainer_t:msgq { associate create destroy enqueue getattr read setattr unix_read unix_write write };
allow mycontainer_t mycontainer_t:netlink_audit_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_audit_socket { nlmsg_read nlmsg_relay nlmsg_tty_audit }; [ virt_sandbox_use_audit ]:True
allow mycontainer_t mycontainer_t:netlink_connector_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_crypto_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_dnrt_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_fib_lookup_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_firewall_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_generic_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_ip6fw_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_iscsi_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_kobject_uevent_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_netfilter_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_nflog_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_rdma_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_route_socket { accept append bind connect create getattr getopt ioctl lock map nlmsg_read nlmsg_write read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_scsitransport_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_selinux_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_tcpdiag_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_tcpdiag_socket { nlmsg_read nlmsg_write }; [ virt_sandbox_use_netlink ]:True
allow mycontainer_t mycontainer_t:netlink_xfrm_socket { accept append bind connect create getattr getopt ioctl lock map nlmsg_read nlmsg_write read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netrom_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:nfc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:packet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:passwd rootok;
allow mycontainer_t mycontainer_t:peer recv;
allow mycontainer_t mycontainer_t:phonet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:pppox_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:process ptrace; [ deny_ptrace ]:False
allow mycontainer_t mycontainer_t:process ptrace; [ deny_ptrace ]:False
allow mycontainer_t mycontainer_t:process { execmem execstack fork getattr getcap getpgid getrlimit getsched getsession setcap setexec setfscreate setpgid setrlimit setsched sigchld sigkill signal signull sigstop };
allow mycontainer_t mycontainer_t:qipcrtr_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:rawip_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:rds_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:rose_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:rxrpc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:sctp_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:sem { associate create destroy getattr read setattr unix_read unix_write write };
allow mycontainer_t mycontainer_t:shm { associate create destroy getattr lock read setattr unix_read unix_write write };
allow mycontainer_t mycontainer_t:smc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:tcp_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:tipc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:tun_socket { accept append attach_queue bind connect create getattr getopt ioctl lock map read relabelfrom relabelto setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:udp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:unix_dgram_socket { accept append bind connect create getattr getopt ioctl lock map read sendto setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock map read sendto setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:user_namespace create;
allow mycontainer_t mycontainer_t:vsock_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:x25_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:xdp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow sandbox_net_domain node_t:rawip_socket node_bind;
allow sandbox_net_domain node_t:tcp_socket node_bind;
allow sandbox_net_domain node_t:udp_socket node_bind;
allow sandbox_net_domain port_type:tcp_socket { name_bind name_connect recv_msg send_msg };
allow sandbox_net_domain port_type:udp_socket { name_bind recv_msg send_msg };
allow sandbox_net_domain proc_net_t:dir { getattr ioctl lock open read search };
allow sandbox_net_domain proc_net_t:file { getattr ioctl lock open read };
allow sandbox_net_domain proc_net_t:lnk_file { getattr read };
allow sandbox_net_domain sssd_t:unix_stream_socket connectto;
allow sandbox_net_domain sssd_var_lib_t:dir { getattr open search };
allow sandbox_net_domain sssd_var_lib_t:sock_file { append getattr open write };
allow sandbox_net_domain svirt_home_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write };
allow sandbox_net_domain svirt_home_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow sandbox_net_domain svirt_home_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow sandbox_net_domain svirt_home_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write };
allow sandbox_net_domain svirt_home_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow sandbox_net_domain systemd_logind_t:dbus send_msg;
allow sandbox_net_domain systemd_logind_t:fd use;
allow sandbox_net_domain virt_home_t:dir { add_name getattr ioctl lock open read remove_name search write };
allow svirt_sandbox_domain cifs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:dir { ioctl lock read }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:file { append create link rename setattr unlink watch watch_reads write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:lnk_file { append create ioctl link lock rename setattr unlink watch watch_reads write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain cifs_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; [ virt_use_samba ]:True
allow svirt_sandbox_domain container_devpts_t:chr_file { append getattr ioctl lock open read write };
allow svirt_sandbox_domain container_file_t:blk_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow svirt_sandbox_domain container_file_t:chr_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow svirt_sandbox_domain container_file_t:dir { add_name create execmod ioctl link lock read relabelfrom relabelto remove_name rename reparent rmdir setattr unlink watch watch_reads write };
allow svirt_sandbox_domain container_file_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow svirt_sandbox_domain container_file_t:file { append create execmod execute execute_no_trans getattr ioctl link lock map open read relabelfrom relabelto rename setattr unlink watch watch_reads write };
allow svirt_sandbox_domain container_file_t:filesystem remount;
allow svirt_sandbox_domain container_file_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write };
allow svirt_sandbox_domain container_file_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write };
allow svirt_sandbox_domain container_ro_file_t:dir { ioctl lock read };
allow svirt_sandbox_domain container_ro_file_t:file { execmod execute execute_no_trans getattr ioctl lock map open read };
allow svirt_sandbox_domain container_ro_file_t:lnk_file { getattr read };
allow svirt_sandbox_domain container_runtime_domain:dir { getattr ioctl lock open read search };
allow svirt_sandbox_domain container_runtime_domain:file { getattr ioctl lock open read };
allow svirt_sandbox_domain container_runtime_domain:lnk_file { getattr read };
allow svirt_sandbox_domain container_runtime_domain:process getattr;
allow svirt_sandbox_domain container_var_lib_t:dir { add_name ioctl lock read remove_name write };
allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
allow svirt_sandbox_domain exec_type:lnk_file { getattr read };
allow svirt_sandbox_domain file_type:dir { getattr open search };
allow svirt_sandbox_domain file_type:filesystem getattr;
allow svirt_sandbox_domain filesystem_type:filesystem getattr;
allow svirt_sandbox_domain fs_t:dir { getattr open search };
allow svirt_sandbox_domain fs_t:file { append getattr ioctl lock open read write };
allow svirt_sandbox_domain fs_t:lnk_file { getattr ioctl lock read write };
allow svirt_sandbox_domain fusefs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:dir { add_name ioctl lock read remove_name write }; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:dir { add_name ioctl lock read remove_name write }; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:file { execute execute_no_trans getattr ioctl map open read }; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:filesystem mount; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:filesystem unmount; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain fusefs_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink watch watch_reads write }; [ virt_sandbox_use_fusefs ]:True
allow svirt_sandbox_domain httpd_modules_t:dir { ioctl lock read }; [ virt_sandbox_share_apache_content ]:True
allow svirt_sandbox_domain httpd_modules_t:file { execute execute_no_trans getattr ioctl lock map open read }; [ virt_sandbox_share_apache_content ]:True
allow svirt_sandbox_domain httpd_modules_t:lnk_file { getattr read }; [ virt_sandbox_share_apache_content ]:True
allow svirt_sandbox_domain httpd_sys_content_t:dir { ioctl lock read }; [ virt_sandbox_share_apache_content ]:True
allow svirt_sandbox_domain hugetlbfs_t:file { append getattr ioctl lock map open read write };
allow svirt_sandbox_domain hwdata_t:dir { ioctl lock read };
allow svirt_sandbox_domain hwdata_t:file { getattr ioctl lock open read };
allow svirt_sandbox_domain hwdata_t:lnk_file { getattr read };
allow svirt_sandbox_domain init_t:fd use;
allow svirt_sandbox_domain initrc_t:fd use;
allow svirt_sandbox_domain initrc_t:process sigchld;
allow svirt_sandbox_domain mountpoint:file entrypoint;
allow svirt_sandbox_domain nfs_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True
allow svirt_sandbox_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True
allow svirt_sandbox_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True
allow svirt_sandbox_domain nfs_t:dir { add_name ioctl lock read remove_name write }; [ virt_use_nfs ]:True
allow svirt_sandbox_domain nfs_t:dir { ioctl lock read }; [ virt_use_nfs ]:True
allow svirt_sandbox_domain nfs_t:file { append create link rename setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True
allow svirt_sandbox_domain nfs_t:filesystem mount; [ virt_use_nfs ]:True
allow svirt_sandbox_domain nfs_t:filesystem unmount; [ virt_use_nfs ]:True
allow svirt_sandbox_domain nfs_t:lnk_file { append create ioctl link lock rename setattr unlink watch watch_reads write }; [ virt_use_nfs ]:True
allow svirt_sandbox_domain nfs_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write }; [ virt_use_nfs ]:True
allow svirt_sandbox_domain onload_fs_t:fifo_file { append getattr ioctl lock open read write };
allow svirt_sandbox_domain onload_fs_t:file { append getattr ioctl lock open read write };
allow svirt_sandbox_domain onload_fs_t:sock_file { append getattr ioctl open read write };
allow svirt_sandbox_domain proc_type:dir { getattr ioctl lock open read search };
allow svirt_sandbox_domain proc_type:file getattr;
allow svirt_sandbox_domain spc_t:fd use;
allow svirt_sandbox_domain sshd_devpts_t:chr_file { append getattr ioctl lock read write };
allow svirt_sandbox_domain sshd_t:dir { getattr ioctl lock open read search };
allow svirt_sandbox_domain sshd_t:fd use;
allow svirt_sandbox_domain sshd_t:file { getattr ioctl lock open read };
allow svirt_sandbox_domain sshd_t:lnk_file { getattr read };
allow svirt_sandbox_domain sshd_t:process { getattr sigchld };
allow svirt_sandbox_domain svirt_file_type:blk_file mounton;
allow svirt_sandbox_domain svirt_file_type:chr_file mounton;
allow svirt_sandbox_domain svirt_file_type:dir mounton;
allow svirt_sandbox_domain svirt_file_type:fifo_file mounton;
allow svirt_sandbox_domain svirt_file_type:file mounton;
allow svirt_sandbox_domain svirt_file_type:lnk_file mounton;
allow svirt_sandbox_domain svirt_file_type:sock_file mounton;
allow svirt_sandbox_domain sysadm_t:fd use;
allow svirt_sandbox_domain sysadm_t:process sigchld;
allow svirt_sandbox_domain sysctl_fs_t:file { append write }; [ virt_use_nfs ]:True
allow svirt_sandbox_domain sysctl_net_t:file { append write };
allow svirt_sandbox_domain sysctl_net_t:lnk_file { getattr read };
allow svirt_sandbox_domain sysctl_net_unix_t:file { append write };
allow svirt_sandbox_domain sysctl_type:dir { getattr ioctl lock open read search };
allow svirt_sandbox_domain sysctl_type:file { getattr ioctl lock open read };
allow svirt_sandbox_domain systemd_machined_t:dir { getattr ioctl lock open read search };
allow svirt_sandbox_domain systemd_machined_t:file { getattr ioctl lock open read };
allow svirt_sandbox_domain systemd_machined_t:lnk_file { getattr read };
allow svirt_sandbox_domain systemd_machined_t:process getattr;
allow svirt_sandbox_domain tmpfs_t:file { append getattr ioctl lock read write };
allow svirt_sandbox_domain tmpfs_t:lnk_file { getattr read };
allow svirt_sandbox_domain udev_var_run_t:dir { ioctl lock read };
allow svirt_sandbox_domain udev_var_run_t:file { getattr ioctl lock open read };
allow svirt_sandbox_domain udev_var_run_t:lnk_file { getattr read };
allow svirt_sandbox_domain user_devpts_t:chr_file { append getattr ioctl lock read write };
allow svirt_sandbox_domain user_tty_device_t:chr_file { append getattr ioctl lock read write };
allow svirt_sandbox_domain var_lock_t:lnk_file { getattr read };
allow svirt_sandbox_domain virsh_t:fd use;
allow svirt_sandbox_domain virsh_t:process sigchld;
allow svirt_sandbox_domain virtd_lxc_t:fd use;
allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { append bind connect connectto getattr getopt ioctl lock read setattr setopt shutdown write };
allow syslog_client_type console_device_t:chr_file { append getattr ioctl lock open write };
allow syslog_client_type devlog_t:lnk_file { getattr read };
allow syslog_client_type devlog_t:sock_file { append getattr open write };
allow syslog_client_type kernel_t:unix_dgram_socket sendto;
allow syslog_client_type kernel_t:unix_stream_socket { connectto getattr };
allow syslog_client_type syslogd_t:unix_dgram_socket sendto;
allow syslog_client_type syslogd_t:unix_stream_socket connectto;
allow syslog_client_type syslogd_var_run_t:dir { getattr open search };
allow syslog_client_type syslogd_var_run_t:sock_file { append getattr open write };
[-- Attachment #4: mycontainer_t.rules --]
[-- Type: text/plain, Size: 75644 bytes --]
$ sesearch -A -t mycontainer_t
allow NetworkManager_dispatcher_dnssec_t domain:dir { getattr ioctl lock open read search };
allow NetworkManager_dispatcher_dnssec_t domain:file { getattr ioctl lock open read };
allow NetworkManager_dispatcher_dnssec_t domain:lnk_file { getattr read };
allow NetworkManager_t domain:dir { getattr ioctl lock open read search };
allow NetworkManager_t domain:file { getattr ioctl lock open read };
allow NetworkManager_t domain:lnk_file { getattr read };
allow abrt_dump_oops_t domain:dir { getattr ioctl lock open read search };
allow abrt_dump_oops_t domain:file { getattr ioctl lock open read };
allow abrt_dump_oops_t domain:lnk_file { getattr read };
allow abrt_dump_oops_t domain:process ptrace; [ deny_ptrace ]:False
allow abrt_dump_oops_t domain:process { getattr signull };
allow abrt_helper_t domain:dir { getattr ioctl lock open read search };
allow abrt_helper_t domain:fd use;
allow abrt_helper_t domain:fifo_file { append getattr ioctl lock read write };
allow abrt_helper_t domain:file { getattr ioctl lock open read };
allow abrt_helper_t domain:lnk_file { getattr read };
allow abrt_helper_t domain:process sigchld;
allow abrt_t domain:dir { getattr ioctl lock open read search };
allow abrt_t domain:file { getattr ioctl lock open read write };
allow abrt_t domain:lnk_file { getattr read };
allow abrt_t domain:process { getattr setrlimit signull };
allow antivirus_domain domain:dir { getattr ioctl lock open read search };
allow antivirus_domain domain:file { getattr ioctl lock open read };
allow antivirus_domain domain:lnk_file { getattr read };
allow apcupsd_t domain:process signull;
allow apmd_t domain:dir { getattr ioctl lock open read search };
allow apmd_t domain:file { getattr ioctl lock open read };
allow apmd_t domain:lnk_file { getattr read };
allow auditadm_t domain:process sigkill;
allow auditctl_t domain:dir { getattr ioctl lock open read search };
allow auditctl_t domain:file { getattr ioctl lock open read };
allow auditctl_t domain:lnk_file { getattr read };
allow auditd_t domain:dir { getattr ioctl lock open read search };
allow auditd_t domain:file { getattr ioctl lock open read };
allow auditd_t domain:lnk_file { getattr read };
allow bluetooth_helper_t domain:dir { getattr ioctl lock open read search };
allow bluetooth_helper_t domain:file { getattr ioctl lock open read };
allow bluetooth_helper_t domain:lnk_file { getattr read };
allow boinc_domain domain:dir { getattr ioctl lock open read search };
allow boinc_domain domain:file { getattr ioctl lock open read };
allow boinc_domain domain:lnk_file { getattr read };
allow boltd_t domain:dir { getattr ioctl lock open read search };
allow boltd_t domain:file { getattr ioctl lock open read };
allow boltd_t domain:lnk_file { getattr read };
allow cardmgr_t pcmcia_typeattr_1:dir { getattr ioctl lock open read search };
allow cardmgr_t pcmcia_typeattr_1:file { getattr ioctl lock open read };
allow cardmgr_t pcmcia_typeattr_1:lnk_file { getattr read };
allow cardmgr_t pcmcia_typeattr_1:process getattr;
allow cfengine_execd_t domain:dir { getattr ioctl lock open read search };
allow cfengine_execd_t domain:file { getattr ioctl lock open read };
allow cfengine_execd_t domain:lnk_file { getattr read };
allow cfengine_monitord_t domain:dir { getattr ioctl lock open read search };
allow cfengine_monitord_t domain:file { getattr ioctl lock open read };
allow cfengine_monitord_t domain:lnk_file { getattr read };
allow cgclear_t domain:process setsched;
allow cgred_t domain:dir { getattr ioctl lock open read search };
allow cgred_t domain:file { getattr ioctl lock open read };
allow cgred_t domain:lnk_file { getattr read };
allow cgred_t domain:process setsched;
allow collectd_t domain:dir { getattr ioctl lock open read search };
allow collectd_t domain:file { getattr ioctl lock open read };
allow collectd_t domain:lnk_file { getattr read };
allow condor_master_t domain:dir { getattr ioctl lock open read search };
allow condor_master_t domain:file { getattr ioctl lock open read };
allow condor_master_t domain:lnk_file { getattr read };
allow condor_procd_t domain:dir { getattr ioctl lock open read search };
allow condor_procd_t domain:file { getattr ioctl lock open read };
allow condor_procd_t domain:lnk_file { getattr read };
allow consolekit_t domain:dir { getattr ioctl lock open read search };
allow consolekit_t domain:file { getattr ioctl lock open read };
allow consolekit_t domain:lnk_file { getattr read };
allow container_runtime_domain container_domain:file relabelfrom;
allow container_user_t container_domain:process { getattr getcap getsched sigchld sigkill signal signull sigstop };
allow cpuspeed_t domain:dir { getattr ioctl lock open read search };
allow cpuspeed_t domain:file { getattr ioctl lock open read };
allow cpuspeed_t domain:lnk_file { getattr read };
allow cupsd_t domain:dir { getattr ioctl lock open read search };
allow cupsd_t domain:file { getattr ioctl lock open read };
allow cupsd_t domain:lnk_file { getattr read };
allow devicekit_power_t domain:dbus send_msg;
allow dnssec_trigger_t domain:dir { getattr ioctl lock open read search };
allow dnssec_trigger_t domain:file { getattr ioctl lock open read };
allow dnssec_trigger_t domain:lnk_file { getattr read };
allow domain domain:fd use; [ domain_fd_use ]:True
allow domain domain:key { link search };
allow fsdaemon_t domain:process signull;
allow glusterd_t domain:alg_socket getattr;
allow glusterd_t domain:appletalk_socket getattr;
allow glusterd_t domain:atmpvc_socket getattr;
allow glusterd_t domain:atmsvc_socket getattr;
allow glusterd_t domain:ax25_socket getattr;
allow glusterd_t domain:bluetooth_socket getattr;
allow glusterd_t domain:caif_socket getattr;
allow glusterd_t domain:can_socket getattr;
allow glusterd_t domain:dccp_socket getattr;
allow glusterd_t domain:decnet_socket getattr;
allow glusterd_t domain:dir { getattr ioctl lock open read search };
allow glusterd_t domain:file { getattr ioctl lock open read };
allow glusterd_t domain:icmp_socket getattr;
allow glusterd_t domain:ieee802154_socket getattr;
allow glusterd_t domain:ipx_socket getattr;
allow glusterd_t domain:irda_socket getattr;
allow glusterd_t domain:isdn_socket getattr;
allow glusterd_t domain:iucv_socket getattr;
allow glusterd_t domain:kcm_socket getattr;
allow glusterd_t domain:llc_socket getattr;
allow glusterd_t domain:lnk_file { getattr read };
allow glusterd_t domain:mctp_socket getattr;
allow glusterd_t domain:netlink_audit_socket getattr;
allow glusterd_t domain:netlink_connector_socket getattr;
allow glusterd_t domain:netlink_crypto_socket getattr;
allow glusterd_t domain:netlink_dnrt_socket getattr;
allow glusterd_t domain:netlink_fib_lookup_socket getattr;
allow glusterd_t domain:netlink_firewall_socket getattr;
allow glusterd_t domain:netlink_generic_socket getattr;
allow glusterd_t domain:netlink_ip6fw_socket getattr;
allow glusterd_t domain:netlink_iscsi_socket getattr;
allow glusterd_t domain:netlink_kobject_uevent_socket getattr;
allow glusterd_t domain:netlink_netfilter_socket getattr;
allow glusterd_t domain:netlink_nflog_socket getattr;
allow glusterd_t domain:netlink_rdma_socket getattr;
allow glusterd_t domain:netlink_route_socket getattr;
allow glusterd_t domain:netlink_scsitransport_socket getattr;
allow glusterd_t domain:netlink_selinux_socket getattr;
allow glusterd_t domain:netlink_socket getattr;
allow glusterd_t domain:netlink_tcpdiag_socket getattr;
allow glusterd_t domain:netlink_xfrm_socket getattr;
allow glusterd_t domain:netrom_socket getattr;
allow glusterd_t domain:nfc_socket getattr;
allow glusterd_t domain:packet_socket getattr;
allow glusterd_t domain:phonet_socket getattr;
allow glusterd_t domain:pppox_socket getattr;
allow glusterd_t domain:qipcrtr_socket getattr;
allow glusterd_t domain:rawip_socket getattr;
allow glusterd_t domain:rds_socket getattr;
allow glusterd_t domain:rose_socket getattr;
allow glusterd_t domain:rxrpc_socket getattr;
allow glusterd_t domain:sctp_socket getattr;
allow glusterd_t domain:smc_socket getattr;
allow glusterd_t domain:tcp_socket getattr;
allow glusterd_t domain:tipc_socket getattr;
allow glusterd_t domain:tun_socket getattr;
allow glusterd_t domain:udp_socket getattr;
allow glusterd_t domain:unix_dgram_socket getattr;
allow glusterd_t domain:unix_stream_socket getattr;
allow glusterd_t domain:vsock_socket getattr;
allow glusterd_t domain:x25_socket getattr;
allow glusterd_t domain:xdp_socket getattr;
allow gnomesystemmm_t domain:dir { getattr open search };
allow gnomesystemmm_t domain:process { setsched sigkill signal sigstop };
allow gssd_t domain:key { create read setattr view write };
allow gssproxy_t domain:dir { getattr ioctl lock open read search };
allow gssproxy_t domain:file { getattr ioctl lock open read };
allow gssproxy_t domain:lnk_file { getattr read };
allow httpd_t domain:process getpgid; [ httpd_run_stickshift ]:True
allow hypervkvp_t domain:dir { getattr ioctl lock open read search };
allow hypervkvp_t domain:file { getattr ioctl lock open read };
allow hypervkvp_t domain:lnk_file { getattr read };
allow ifconfig_t domain:dir { getattr ioctl lock open read search };
allow ifconfig_t domain:file { getattr ioctl lock open read };
allow ifconfig_t domain:lnk_file { getattr read };
allow init_t domain:dir { getattr ioctl lock open read search };
allow init_t domain:file { getattr ioctl lock open read };
allow init_t domain:lnk_file { getattr read };
allow init_t domain:process { getattr getpgid noatsecure rlimitinh setrlimit setsched sigchld sigkill signal signull sigstop };
allow init_t svirt_sandbox_domain:process transition;
allow init_t svirt_sandbox_domain:unix_dgram_socket sendto;
allow initrc_t svirt_sandbox_domain:process transition;
allow insights_core_t domain:alg_socket getattr;
allow insights_core_t domain:appletalk_socket getattr;
allow insights_core_t domain:atmpvc_socket getattr;
allow insights_core_t domain:atmsvc_socket getattr;
allow insights_core_t domain:ax25_socket getattr;
allow insights_core_t domain:bluetooth_socket getattr;
allow insights_core_t domain:caif_socket getattr;
allow insights_core_t domain:can_socket getattr;
allow insights_core_t domain:dccp_socket getattr;
allow insights_core_t domain:decnet_socket getattr;
allow insights_core_t domain:dir { getattr ioctl lock open read search };
allow insights_core_t domain:fifo_file getattr;
allow insights_core_t domain:file { getattr ioctl lock open read };
allow insights_core_t domain:icmp_socket getattr;
allow insights_core_t domain:ieee802154_socket getattr;
allow insights_core_t domain:ipx_socket getattr;
allow insights_core_t domain:irda_socket getattr;
allow insights_core_t domain:isdn_socket getattr;
allow insights_core_t domain:iucv_socket getattr;
allow insights_core_t domain:kcm_socket getattr;
allow insights_core_t domain:key { read view };
allow insights_core_t domain:llc_socket getattr;
allow insights_core_t domain:lnk_file { getattr read };
allow insights_core_t domain:mctp_socket getattr;
allow insights_core_t domain:netlink_audit_socket getattr;
allow insights_core_t domain:netlink_connector_socket getattr;
allow insights_core_t domain:netlink_crypto_socket getattr;
allow insights_core_t domain:netlink_dnrt_socket getattr;
allow insights_core_t domain:netlink_fib_lookup_socket getattr;
allow insights_core_t domain:netlink_firewall_socket getattr;
allow insights_core_t domain:netlink_generic_socket getattr;
allow insights_core_t domain:netlink_ip6fw_socket getattr;
allow insights_core_t domain:netlink_iscsi_socket getattr;
allow insights_core_t domain:netlink_kobject_uevent_socket getattr;
allow insights_core_t domain:netlink_netfilter_socket getattr;
allow insights_core_t domain:netlink_nflog_socket getattr;
allow insights_core_t domain:netlink_rdma_socket getattr;
allow insights_core_t domain:netlink_route_socket getattr;
allow insights_core_t domain:netlink_scsitransport_socket getattr;
allow insights_core_t domain:netlink_selinux_socket getattr;
allow insights_core_t domain:netlink_socket getattr;
allow insights_core_t domain:netlink_tcpdiag_socket getattr;
allow insights_core_t domain:netlink_xfrm_socket getattr;
allow insights_core_t domain:netrom_socket getattr;
allow insights_core_t domain:nfc_socket getattr;
allow insights_core_t domain:packet_socket getattr;
allow insights_core_t domain:phonet_socket getattr;
allow insights_core_t domain:pppox_socket getattr;
allow insights_core_t domain:process getattr;
allow insights_core_t domain:qipcrtr_socket getattr;
allow insights_core_t domain:rawip_socket getattr;
allow insights_core_t domain:rds_socket getattr;
allow insights_core_t domain:rose_socket getattr;
allow insights_core_t domain:rxrpc_socket getattr;
allow insights_core_t domain:sctp_socket getattr;
allow insights_core_t domain:smc_socket getattr;
allow insights_core_t domain:tcp_socket getattr;
allow insights_core_t domain:tipc_socket getattr;
allow insights_core_t domain:tun_socket getattr;
allow insights_core_t domain:udp_socket getattr;
allow insights_core_t domain:unix_dgram_socket getattr;
allow insights_core_t domain:unix_stream_socket { connectto getattr };
allow insights_core_t domain:vsock_socket getattr;
allow insights_core_t domain:x25_socket getattr;
allow insights_core_t domain:xdp_socket getattr;
allow iotop_t domain:dir { getattr ioctl lock open read search };
allow iotop_t domain:file { getattr ioctl lock open read };
allow iotop_t domain:lnk_file { getattr read };
allow iotop_t domain:process getsched;
allow iscsid_t domain:dir { getattr ioctl lock open read search };
allow iscsid_t domain:file { getattr ioctl lock open read };
allow iscsid_t domain:lnk_file { getattr read };
allow keepalived_t domain:dir { getattr ioctl lock open read search };
allow keepalived_t domain:file { getattr ioctl lock open read };
allow keepalived_t domain:lnk_file { getattr read };
allow keepalived_t domain:process getattr;
allow kernel_t domain:alg_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:appletalk_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:atmpvc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:atmsvc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:ax25_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:bluetooth_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:caif_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:can_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:dccp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:decnet_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:dir { getattr open search };
allow kernel_t domain:fd use;
allow kernel_t domain:icmp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:ieee802154_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:ipx_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:irda_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:isdn_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:iucv_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:kcm_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:llc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:mctp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_audit_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_connector_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_crypto_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_dnrt_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_fib_lookup_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_firewall_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_generic_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_ip6fw_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_iscsi_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_kobject_uevent_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_netfilter_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_nflog_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_rdma_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_route_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_scsitransport_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_selinux_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_tcpdiag_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_xfrm_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netrom_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:nfc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:packet_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:phonet_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:pppox_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:process signal;
allow kernel_t domain:qipcrtr_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:rawip_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:rds_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:rose_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:rxrpc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:sctp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:smc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:tcp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:tipc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:tun_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:udp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:unix_dgram_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:unix_stream_socket { accept append bind connect connectto getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:vsock_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:x25_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:xdp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow keyutils_request_t domain:key { create read setattr view write };
allow ksmtuned_t domain:dir { getattr ioctl lock open read search };
allow ksmtuned_t domain:file { getattr ioctl lock open read };
allow ksmtuned_t domain:lnk_file { getattr read };
allow ktlshd_t domain:key { read view };
allow login_pgm domain:dir { getattr ioctl lock open read search };
allow login_pgm domain:file { getattr ioctl lock open read };
allow login_pgm domain:lnk_file { getattr read };
allow login_pgm domain:process sigkill;
allow logrotate_t domain:dir { getattr ioctl lock open read search };
allow logrotate_t domain:file { getattr ioctl lock open read };
allow logrotate_t domain:lnk_file { getattr read };
allow logrotate_t domain:process signal;
allow logwatch_t domain:dir { getattr ioctl lock open read search };
allow logwatch_t domain:file { getattr ioctl lock open read };
allow logwatch_t domain:lnk_file { getattr read };
allow mdadm_t domain:dir { getattr ioctl lock open read search };
allow mdadm_t domain:file { getattr ioctl lock open read };
allow mdadm_t domain:lnk_file { getattr read };
allow mock_t domain:dir { getattr ioctl lock open read search };
allow mock_t domain:file { getattr ioctl lock open read };
allow mock_t domain:lnk_file { getattr read };
allow mon_statd_domain domain:dir { getattr ioctl lock open read search };
allow mon_statd_domain domain:file { getattr ioctl lock open read };
allow mon_statd_domain domain:lnk_file { getattr read };
allow munin_t domain:dir { getattr ioctl lock open read search };
allow munin_t domain:file { getattr ioctl lock open read };
allow munin_t domain:lnk_file { getattr read };
allow mycontainer_t mycontainer_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:appletalk_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:association sendto;
allow mycontainer_t mycontainer_t:atmpvc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:atmsvc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:ax25_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:bluetooth_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:caif_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:can_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:cap2_userns { audit_read block_suspend bpf checkpoint_restore perfmon syslog wake_alarm }; [ virt_sandbox_use_all_caps ]:True
allow mycontainer_t mycontainer_t:cap_userns { audit_control fsetid ipc_lock ipc_owner lease linux_immutable net_broadcast sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; [ virt_sandbox_use_all_caps ]:True
allow mycontainer_t mycontainer_t:cap_userns { audit_write chown dac_override dac_read_search fowner kill mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_chroot };
allow mycontainer_t mycontainer_t:capability sys_admin; [ virt_sandbox_use_sys_admin ]:True
allow mycontainer_t mycontainer_t:capability { audit_control dac_override fsetid ipc_lock ipc_owner lease linux_immutable net_broadcast sys_admin sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; [ virt_sandbox_use_all_caps ]:True
allow mycontainer_t mycontainer_t:capability { audit_write chown dac_read_search fowner kill mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot };
allow mycontainer_t mycontainer_t:capability2 { audit_read block_suspend bpf checkpoint_restore epolwakeup perfmon syslog wake_alarm }; [ virt_sandbox_use_all_caps ]:True
allow mycontainer_t mycontainer_t:dccp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:decnet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:dir { getattr ioctl lock open read search watch };
allow mycontainer_t mycontainer_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow mycontainer_t mycontainer_t:file { append getattr ioctl lock open read write };
allow mycontainer_t mycontainer_t:filesystem associate;
allow mycontainer_t mycontainer_t:icmp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:ieee802154_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:ipx_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:irda_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:isdn_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:iucv_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:kcm_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:key { create read setattr view write };
allow mycontainer_t mycontainer_t:llc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:lnk_file { getattr ioctl lock open read setattr };
allow mycontainer_t mycontainer_t:mctp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:msg { receive send };
allow mycontainer_t mycontainer_t:msgq { associate create destroy enqueue getattr read setattr unix_read unix_write write };
allow mycontainer_t mycontainer_t:netlink_audit_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_audit_socket { nlmsg_read nlmsg_relay nlmsg_tty_audit }; [ virt_sandbox_use_audit ]:True
allow mycontainer_t mycontainer_t:netlink_connector_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_crypto_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_dnrt_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_fib_lookup_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_firewall_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_generic_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_ip6fw_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_iscsi_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_kobject_uevent_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_netfilter_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_nflog_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_rdma_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_route_socket { accept append bind connect create getattr getopt ioctl lock map nlmsg_read nlmsg_write read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_scsitransport_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_selinux_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_tcpdiag_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netlink_tcpdiag_socket { nlmsg_read nlmsg_write }; [ virt_sandbox_use_netlink ]:True
allow mycontainer_t mycontainer_t:netlink_xfrm_socket { accept append bind connect create getattr getopt ioctl lock map nlmsg_read nlmsg_write read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:netrom_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:nfc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:packet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:passwd rootok;
allow mycontainer_t mycontainer_t:peer recv;
allow mycontainer_t mycontainer_t:phonet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:pppox_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:process ptrace; [ deny_ptrace ]:False
allow mycontainer_t mycontainer_t:process ptrace; [ deny_ptrace ]:False
allow mycontainer_t mycontainer_t:process { execmem execstack fork getattr getcap getpgid getrlimit getsched getsession setcap setexec setfscreate setpgid setrlimit setsched sigchld sigkill signal signull sigstop };
allow mycontainer_t mycontainer_t:qipcrtr_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:rawip_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:rds_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:rose_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:rxrpc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:sctp_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:sem { associate create destroy getattr read setattr unix_read unix_write write };
allow mycontainer_t mycontainer_t:shm { associate create destroy getattr lock read setattr unix_read unix_write write };
allow mycontainer_t mycontainer_t:smc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:tcp_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:tipc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:tun_socket { accept append attach_queue bind connect create getattr getopt ioctl lock map read relabelfrom relabelto setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:udp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:unix_dgram_socket { accept append bind connect create getattr getopt ioctl lock map read sendto setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock map read sendto setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:user_namespace create;
allow mycontainer_t mycontainer_t:vsock_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:x25_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mycontainer_t mycontainer_t:xdp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow mysqld_safe_t domain:dir { getattr ioctl lock open read search };
allow mysqld_safe_t domain:file { getattr ioctl lock open read };
allow mysqld_safe_t domain:lnk_file { getattr read };
allow mysqld_t domain:dir { getattr ioctl lock open read search };
allow mysqld_t domain:file { getattr ioctl lock open read };
allow mysqld_t domain:lnk_file { getattr read };
allow nagios_openshift_plugin_t domain:dir { getattr ioctl lock open read search };
allow nagios_openshift_plugin_t domain:file { getattr ioctl lock open read };
allow nagios_openshift_plugin_t domain:lnk_file { getattr read };
allow nagios_services_plugin_t domain:dir { getattr ioctl lock open read search };
allow nagios_services_plugin_t domain:file { getattr ioctl lock open read };
allow nagios_services_plugin_t domain:lnk_file { getattr read };
allow nagios_system_plugin_t domain:dir { getattr ioctl lock open read search };
allow nagios_system_plugin_t domain:file { getattr ioctl lock open read };
allow nagios_system_plugin_t domain:lnk_file { getattr read };
allow nagios_t domain:dir { getattr ioctl lock open read search };
allow nagios_t domain:file { getattr ioctl lock open read };
allow nagios_t domain:lnk_file { getattr read };
allow ncftool_t domain:dir { getattr ioctl lock open read search };
allow ncftool_t domain:file { getattr ioctl lock open read };
allow ncftool_t domain:lnk_file { getattr read };
allow neutron_t domain:dir { getattr ioctl lock open read search };
allow neutron_t domain:file { getattr ioctl lock open read };
allow neutron_t domain:lnk_file { getattr read };
allow nrpe_t domain:dir { getattr ioctl lock open read search };
allow nrpe_t domain:file { getattr ioctl lock open read };
allow nrpe_t domain:lnk_file { getattr read };
allow nscd_t domain:dir { getattr open search };
allow numad_t domain:dir { getattr ioctl lock open read search };
allow numad_t domain:file { getattr ioctl lock open read };
allow numad_t domain:lnk_file { getattr read };
allow numad_t domain:process { setsched signull };
allow passenger_t domain:dir { getattr ioctl lock open read search };
allow passenger_t domain:file { getattr ioctl lock open read };
allow passenger_t domain:lnk_file { getattr read };
allow pcp_pmcd_t domain:dir { getattr ioctl lock open read search };
allow pcp_pmcd_t domain:file { getattr ioctl lock open read };
allow pcp_pmcd_t domain:lnk_file { getattr read };
allow pcp_pmcd_t domain:process getattr;
allow pcp_pmie_t domain:dir { getattr ioctl lock open read search };
allow pcp_pmie_t domain:file { getattr ioctl lock open read };
allow pcp_pmie_t domain:lnk_file { getattr read };
allow pcp_pmlogger_t domain:dir { getattr ioctl lock open read search };
allow pcp_pmlogger_t domain:file { getattr ioctl lock open read };
allow pcp_pmlogger_t domain:lnk_file { getattr read };
allow pcscd_t domain:dir { getattr ioctl lock open read search };
allow pcscd_t domain:file { getattr ioctl lock open read };
allow pcscd_t domain:lnk_file { getattr read };
allow pegasus_t domain:dir { getattr ioctl lock open read search };
allow pegasus_t domain:file { getattr ioctl lock open read };
allow pegasus_t domain:lnk_file { getattr read };
allow policykit_t domain:dir { getattr ioctl lock open read search };
allow policykit_t domain:file { getattr ioctl lock open read };
allow policykit_t domain:lnk_file { getattr read };
allow psad_t domain:dir { getattr ioctl lock open read search };
allow psad_t domain:file { getattr ioctl lock open read };
allow psad_t domain:lnk_file { getattr read };
allow puppetmaster_t domain:dir { getattr ioctl lock open read search };
allow puppetmaster_t domain:file { getattr ioctl lock open read };
allow puppetmaster_t domain:lnk_file { getattr read };
allow rabbitmq_t domain:dir { getattr ioctl lock open read search };
allow rabbitmq_t domain:file { getattr ioctl lock open read };
allow rabbitmq_t domain:lnk_file { getattr read };
allow racoon_t domain:association setcontext;
allow readahead_t domain:dir { getattr ioctl lock open read search };
allow readahead_t domain:file { getattr ioctl lock open read };
allow readahead_t domain:lnk_file { getattr read };
allow rhcd_t domain:alg_socket getattr;
allow rhcd_t domain:appletalk_socket getattr;
allow rhcd_t domain:atmpvc_socket getattr;
allow rhcd_t domain:atmsvc_socket getattr;
allow rhcd_t domain:ax25_socket getattr;
allow rhcd_t domain:bluetooth_socket getattr;
allow rhcd_t domain:caif_socket getattr;
allow rhcd_t domain:can_socket getattr;
allow rhcd_t domain:dccp_socket getattr;
allow rhcd_t domain:decnet_socket getattr;
allow rhcd_t domain:dir { getattr ioctl lock open read search };
allow rhcd_t domain:fifo_file getattr;
allow rhcd_t domain:file { getattr ioctl lock open read };
allow rhcd_t domain:icmp_socket getattr;
allow rhcd_t domain:ieee802154_socket getattr;
allow rhcd_t domain:ipx_socket getattr;
allow rhcd_t domain:irda_socket getattr;
allow rhcd_t domain:isdn_socket getattr;
allow rhcd_t domain:iucv_socket getattr;
allow rhcd_t domain:kcm_socket getattr;
allow rhcd_t domain:llc_socket getattr;
allow rhcd_t domain:lnk_file { getattr read };
allow rhcd_t domain:mctp_socket getattr;
allow rhcd_t domain:netlink_audit_socket getattr;
allow rhcd_t domain:netlink_connector_socket getattr;
allow rhcd_t domain:netlink_crypto_socket getattr;
allow rhcd_t domain:netlink_dnrt_socket getattr;
allow rhcd_t domain:netlink_fib_lookup_socket getattr;
allow rhcd_t domain:netlink_firewall_socket getattr;
allow rhcd_t domain:netlink_generic_socket getattr;
allow rhcd_t domain:netlink_ip6fw_socket getattr;
allow rhcd_t domain:netlink_iscsi_socket getattr;
allow rhcd_t domain:netlink_kobject_uevent_socket getattr;
allow rhcd_t domain:netlink_netfilter_socket getattr;
allow rhcd_t domain:netlink_nflog_socket getattr;
allow rhcd_t domain:netlink_rdma_socket getattr;
allow rhcd_t domain:netlink_route_socket getattr;
allow rhcd_t domain:netlink_scsitransport_socket getattr;
allow rhcd_t domain:netlink_selinux_socket getattr;
allow rhcd_t domain:netlink_socket getattr;
allow rhcd_t domain:netlink_tcpdiag_socket getattr;
allow rhcd_t domain:netlink_xfrm_socket getattr;
allow rhcd_t domain:netrom_socket getattr;
allow rhcd_t domain:nfc_socket getattr;
allow rhcd_t domain:packet_socket getattr;
allow rhcd_t domain:phonet_socket getattr;
allow rhcd_t domain:pppox_socket getattr;
allow rhcd_t domain:qipcrtr_socket getattr;
allow rhcd_t domain:rawip_socket getattr;
allow rhcd_t domain:rds_socket getattr;
allow rhcd_t domain:rose_socket getattr;
allow rhcd_t domain:rxrpc_socket getattr;
allow rhcd_t domain:sctp_socket getattr;
allow rhcd_t domain:smc_socket getattr;
allow rhcd_t domain:tcp_socket getattr;
allow rhcd_t domain:tipc_socket getattr;
allow rhcd_t domain:tun_socket getattr;
allow rhcd_t domain:udp_socket getattr;
allow rhcd_t domain:unix_dgram_socket getattr;
allow rhcd_t domain:unix_stream_socket getattr;
allow rhcd_t domain:vsock_socket getattr;
allow rhcd_t domain:x25_socket getattr;
allow rhcd_t domain:xdp_socket getattr;
allow rhsmcertd_t domain:dir { getattr ioctl lock open read search };
allow rhsmcertd_t domain:file { getattr ioctl lock open read };
allow rhsmcertd_t domain:lnk_file { getattr read };
allow rhsmcertd_t domain:process signull;
allow ricci_modcluster_t domain:dir { getattr ioctl lock open read search };
allow ricci_modcluster_t domain:file { getattr ioctl lock open read };
allow ricci_modcluster_t domain:lnk_file { getattr read };
allow ricci_modclusterd_t domain:dir { getattr ioctl lock open read search };
allow ricci_modclusterd_t domain:file { getattr ioctl lock open read };
allow ricci_modclusterd_t domain:lnk_file { getattr read };
allow ricci_modlog_t domain:dir { getattr ioctl lock open read search };
allow ricci_modlog_t domain:file { getattr ioctl lock open read };
allow ricci_modlog_t domain:lnk_file { getattr read };
allow ricci_modstorage_t domain:dir { getattr ioctl lock open read search };
allow ricci_modstorage_t domain:file { getattr ioctl lock open read };
allow ricci_modstorage_t domain:lnk_file { getattr read };
allow ricci_t domain:dir { getattr ioctl lock open read search };
allow ricci_t domain:file { getattr ioctl lock open read };
allow ricci_t domain:lnk_file { getattr read };
allow rtkit_daemon_t domain:dir { getattr ioctl lock open read search };
allow rtkit_daemon_t domain:file { getattr ioctl lock open read };
allow rtkit_daemon_t domain:lnk_file { getattr read };
allow rtkit_daemon_t domain:process getsched;
allow sbd_t domain:dir { getattr ioctl lock open read search };
allow sbd_t domain:file { getattr ioctl lock open read };
allow sbd_t domain:lnk_file { getattr read };
allow sblim_gatherd_t domain:dir { getattr ioctl lock open read search };
allow sblim_gatherd_t domain:file { getattr ioctl lock open read };
allow sblim_gatherd_t domain:lnk_file { getattr read };
allow sblim_sfcbd_t domain:dir { getattr ioctl lock open read search };
allow sblim_sfcbd_t domain:file { getattr ioctl lock open read };
allow sblim_sfcbd_t domain:lnk_file { getattr read };
allow screen_domain domain:dir { getattr ioctl lock open read search };
allow screen_domain domain:file { getattr ioctl lock open read };
allow screen_domain domain:lnk_file { getattr read };
allow sectoolm_t domain:dir { getattr ioctl lock open read search };
allow sectoolm_t domain:file { getattr ioctl lock open read };
allow sectoolm_t domain:lnk_file { getattr read };
allow sectoolm_t domain:process getattr;
allow session_bus_type domain:dir { getattr ioctl lock open read search };
allow session_bus_type domain:file { getattr ioctl lock open read };
allow session_bus_type domain:lnk_file { getattr read };
allow setfiles_domain domain:blk_file { getattr relabelfrom };
allow setfiles_domain domain:chr_file { getattr relabelfrom };
allow setfiles_domain domain:dir { getattr ioctl lock open read relabelfrom search };
allow setfiles_domain domain:fifo_file { getattr relabelfrom };
allow setfiles_domain domain:file { getattr ioctl lock open read relabelfrom };
allow setfiles_domain domain:lnk_file { getattr read relabelfrom };
allow setfiles_domain domain:sock_file { getattr relabelfrom };
allow setkey_t domain:association setcontext;
allow setrans_t domain:dir { getattr ioctl lock open read search };
allow setrans_t domain:file { getattr ioctl lock open read };
allow setrans_t domain:lnk_file { getattr read };
allow setrans_t domain:process { getattr getsession };
allow setroubleshootd_t domain:dir { getattr ioctl lock open read search };
allow setroubleshootd_t domain:file { getattr ioctl lock open read };
allow setroubleshootd_t domain:lnk_file { getattr read };
allow setroubleshootd_t domain:process signull;
allow shorewall_t domain:dir { getattr ioctl lock open read search };
allow shorewall_t domain:file { getattr ioctl lock open read };
allow shorewall_t domain:lnk_file { getattr read };
allow snapperd_t domain:dir { getattr ioctl lock open read search };
allow snapperd_t domain:file { getattr ioctl lock open read };
allow snapperd_t domain:lnk_file { getattr read };
allow snmpd_t domain:dir { getattr ioctl lock open read search };
allow snmpd_t domain:file { getattr ioctl lock open read };
allow snmpd_t domain:lnk_file { getattr read };
allow snmpd_t domain:process signull;
allow spamd_update_t domain:dir { getattr ioctl lock open read search };
allow spamd_update_t domain:file { getattr ioctl lock open read };
allow spamd_update_t domain:lnk_file { getattr read };
allow spc_t domain:process { ptrace transition };
allow sshd_t svirt_sandbox_domain:process { getattr sigchld signal signull sigstop transition };
allow sshd_t svirt_sandbox_domain:unix_dgram_socket sendto;
allow sshd_t svirt_sandbox_domain:unix_stream_socket connectto;
allow sssd_t domain:dir { getattr ioctl lock open read search };
allow sssd_t domain:file { getattr ioctl lock open read };
allow sssd_t domain:lnk_file { getattr read };
allow staff_t container_domain:process { sigchld sigkill signal signull sigstop };
allow staff_t domain:dir { getattr ioctl lock open read search };
allow staff_t domain:file { getattr ioctl lock open read };
allow staff_t domain:lnk_file { getattr read };
allow staff_t domain:process { getattr getcap getsched };
allow stalld_t domain:dir { getattr ioctl lock open read search };
allow stalld_t domain:file { getattr ioctl lock open read };
allow stalld_t domain:lnk_file { getattr read };
allow stalld_t domain:process { getsched setsched };
allow stapserver_t domain:dir { getattr ioctl lock open read search };
allow stapserver_t domain:file { getattr ioctl lock open read };
allow stapserver_t domain:lnk_file { getattr read };
allow sysadm_t domain:alg_socket getattr;
allow sysadm_t domain:appletalk_socket getattr;
allow sysadm_t domain:atmpvc_socket getattr;
allow sysadm_t domain:atmsvc_socket getattr;
allow sysadm_t domain:ax25_socket getattr;
allow sysadm_t domain:bluetooth_socket getattr;
allow sysadm_t domain:caif_socket getattr;
allow sysadm_t domain:can_socket getattr;
allow sysadm_t domain:dccp_socket getattr;
allow sysadm_t domain:decnet_socket getattr;
allow sysadm_t domain:dir { getattr ioctl lock open read search };
allow sysadm_t domain:file { getattr ioctl lock open read };
allow sysadm_t domain:icmp_socket getattr;
allow sysadm_t domain:ieee802154_socket getattr;
allow sysadm_t domain:ipx_socket getattr;
allow sysadm_t domain:irda_socket getattr;
allow sysadm_t domain:isdn_socket getattr;
allow sysadm_t domain:iucv_socket getattr;
allow sysadm_t domain:kcm_socket getattr;
allow sysadm_t domain:key { read view };
allow sysadm_t domain:llc_socket getattr;
allow sysadm_t domain:lnk_file { getattr read };
allow sysadm_t domain:mctp_socket getattr;
allow sysadm_t domain:netlink_audit_socket getattr;
allow sysadm_t domain:netlink_connector_socket getattr;
allow sysadm_t domain:netlink_crypto_socket getattr;
allow sysadm_t domain:netlink_dnrt_socket getattr;
allow sysadm_t domain:netlink_fib_lookup_socket getattr;
allow sysadm_t domain:netlink_firewall_socket getattr;
allow sysadm_t domain:netlink_generic_socket getattr;
allow sysadm_t domain:netlink_ip6fw_socket getattr;
allow sysadm_t domain:netlink_iscsi_socket getattr;
allow sysadm_t domain:netlink_kobject_uevent_socket getattr;
allow sysadm_t domain:netlink_netfilter_socket getattr;
allow sysadm_t domain:netlink_nflog_socket getattr;
allow sysadm_t domain:netlink_rdma_socket getattr;
allow sysadm_t domain:netlink_route_socket getattr;
allow sysadm_t domain:netlink_scsitransport_socket getattr;
allow sysadm_t domain:netlink_selinux_socket getattr;
allow sysadm_t domain:netlink_socket getattr;
allow sysadm_t domain:netlink_tcpdiag_socket getattr;
allow sysadm_t domain:netlink_xfrm_socket getattr;
allow sysadm_t domain:netrom_socket getattr;
allow sysadm_t domain:nfc_socket getattr;
allow sysadm_t domain:packet_socket getattr;
allow sysadm_t domain:phonet_socket getattr;
allow sysadm_t domain:pppox_socket getattr;
allow sysadm_t domain:process ptrace; [ deny_ptrace ]:False
allow sysadm_t domain:process { getattr getcap setsched sigchld sigkill signal signull sigstop };
allow sysadm_t domain:qipcrtr_socket getattr;
allow sysadm_t domain:rawip_socket getattr;
allow sysadm_t domain:rds_socket getattr;
allow sysadm_t domain:rose_socket getattr;
allow sysadm_t domain:rxrpc_socket getattr;
allow sysadm_t domain:sctp_socket getattr;
allow sysadm_t domain:smc_socket getattr;
allow sysadm_t domain:tcp_socket getattr;
allow sysadm_t domain:tipc_socket getattr;
allow sysadm_t domain:tun_socket getattr;
allow sysadm_t domain:udp_socket getattr;
allow sysadm_t domain:unix_dgram_socket getattr;
allow sysadm_t domain:unix_stream_socket getattr;
allow sysadm_t domain:vsock_socket getattr;
allow sysadm_t domain:x25_socket getattr;
allow sysadm_t domain:xdp_socket getattr;
allow sysadm_t svirt_sandbox_domain:process transition;
allow sysadm_t svirt_sandbox_domain:unix_dgram_socket sendto;
allow syslogd_t domain:dir { getattr ioctl lock open read search };
allow syslogd_t domain:file { getattr ioctl lock open read };
allow syslogd_t domain:lnk_file { getattr read };
allow syslogd_t domain:process { getattr signull };
allow system_dbusd_t domain:dir { getattr ioctl lock open read search };
allow system_dbusd_t domain:file { getattr ioctl lock open read };
allow system_dbusd_t domain:lnk_file { getattr read };
allow system_munin_plugin_t domain:dir { getattr ioctl lock open read search };
allow system_munin_plugin_t domain:file { getattr ioctl lock open read };
allow system_munin_plugin_t domain:lnk_file { getattr read };
allow systemd_bootchart_t domain:dir { getattr ioctl lock open read search };
allow systemd_bootchart_t domain:file { getattr ioctl lock open read };
allow systemd_bootchart_t domain:lnk_file { getattr read };
allow systemd_coredump_t domain:dir { getattr ioctl lock open read search };
allow systemd_coredump_t domain:file { getattr ioctl lock open read };
allow systemd_coredump_t domain:lnk_file { getattr read };
allow systemd_homework_t domain:key { create read setattr view write };
allow systemd_logind_t container_domain:dbus send_msg;
allow systemd_logind_t container_domain:process getattr;
allow systemd_logind_t domain:dir { getattr ioctl lock open read search };
allow systemd_logind_t domain:file { getattr ioctl lock open read };
allow systemd_logind_t domain:lnk_file { getattr read };
allow systemd_logind_t domain:process { sigkill signal signull };
allow systemd_logind_t domain:sem destroy;
allow systemd_logind_t sandbox_net_domain:dbus send_msg;
allow systemd_logind_t sandbox_net_domain:process getattr;
allow systemd_machined_t domain:process { signal signull };
allow systemd_machined_t svirt_sandbox_domain:dir { getattr ioctl lock open read search };
allow systemd_machined_t svirt_sandbox_domain:file { getattr ioctl lock open read };
allow systemd_machined_t svirt_sandbox_domain:lnk_file { getattr read };
allow systemd_machined_t svirt_sandbox_domain:process getattr;
allow systemd_machined_t svirt_sandbox_domain:unix_stream_socket connectto;
allow systemd_passwd_agent_t domain:dir { getattr ioctl lock open read search };
allow systemd_passwd_agent_t domain:file { getattr ioctl lock open read };
allow systemd_passwd_agent_t domain:lnk_file { getattr read };
allow systemd_resolved_t domain:dbus send_msg;
allow systemd_resolved_t domain:dir { getattr ioctl lock open read search };
allow systemd_resolved_t domain:file { getattr ioctl lock open read };
allow systemd_resolved_t domain:lnk_file { getattr read };
allow systemd_resolved_t domain:process getattr;
allow tmpreaper_t domain:alg_socket getattr;
allow tmpreaper_t domain:appletalk_socket getattr;
allow tmpreaper_t domain:atmpvc_socket getattr;
allow tmpreaper_t domain:atmsvc_socket getattr;
allow tmpreaper_t domain:ax25_socket getattr;
allow tmpreaper_t domain:bluetooth_socket getattr;
allow tmpreaper_t domain:caif_socket getattr;
allow tmpreaper_t domain:can_socket getattr;
allow tmpreaper_t domain:dccp_socket getattr;
allow tmpreaper_t domain:decnet_socket getattr;
allow tmpreaper_t domain:dir { getattr ioctl lock open read search };
allow tmpreaper_t domain:fifo_file getattr;
allow tmpreaper_t domain:file { getattr ioctl lock open read };
allow tmpreaper_t domain:icmp_socket getattr;
allow tmpreaper_t domain:ieee802154_socket getattr;
allow tmpreaper_t domain:ipx_socket getattr;
allow tmpreaper_t domain:irda_socket getattr;
allow tmpreaper_t domain:isdn_socket getattr;
allow tmpreaper_t domain:iucv_socket getattr;
allow tmpreaper_t domain:kcm_socket getattr;
allow tmpreaper_t domain:llc_socket getattr;
allow tmpreaper_t domain:lnk_file { getattr read };
allow tmpreaper_t domain:mctp_socket getattr;
allow tmpreaper_t domain:netlink_audit_socket getattr;
allow tmpreaper_t domain:netlink_connector_socket getattr;
allow tmpreaper_t domain:netlink_crypto_socket getattr;
allow tmpreaper_t domain:netlink_dnrt_socket getattr;
allow tmpreaper_t domain:netlink_fib_lookup_socket getattr;
allow tmpreaper_t domain:netlink_firewall_socket getattr;
allow tmpreaper_t domain:netlink_generic_socket getattr;
allow tmpreaper_t domain:netlink_ip6fw_socket getattr;
allow tmpreaper_t domain:netlink_iscsi_socket getattr;
allow tmpreaper_t domain:netlink_kobject_uevent_socket getattr;
allow tmpreaper_t domain:netlink_netfilter_socket getattr;
allow tmpreaper_t domain:netlink_nflog_socket getattr;
allow tmpreaper_t domain:netlink_rdma_socket getattr;
allow tmpreaper_t domain:netlink_route_socket getattr;
allow tmpreaper_t domain:netlink_scsitransport_socket getattr;
allow tmpreaper_t domain:netlink_selinux_socket getattr;
allow tmpreaper_t domain:netlink_socket getattr;
allow tmpreaper_t domain:netlink_tcpdiag_socket getattr;
allow tmpreaper_t domain:netlink_xfrm_socket getattr;
allow tmpreaper_t domain:netrom_socket getattr;
allow tmpreaper_t domain:nfc_socket getattr;
allow tmpreaper_t domain:packet_socket getattr;
allow tmpreaper_t domain:phonet_socket getattr;
allow tmpreaper_t domain:pppox_socket getattr;
allow tmpreaper_t domain:qipcrtr_socket getattr;
allow tmpreaper_t domain:rawip_socket getattr;
allow tmpreaper_t domain:rds_socket getattr;
allow tmpreaper_t domain:rose_socket getattr;
allow tmpreaper_t domain:rxrpc_socket getattr;
allow tmpreaper_t domain:sctp_socket getattr;
allow tmpreaper_t domain:smc_socket getattr;
allow tmpreaper_t domain:tcp_socket getattr;
allow tmpreaper_t domain:tipc_socket getattr;
allow tmpreaper_t domain:tun_socket getattr;
allow tmpreaper_t domain:udp_socket getattr;
allow tmpreaper_t domain:unix_dgram_socket getattr;
allow tmpreaper_t domain:unix_stream_socket getattr;
allow tmpreaper_t domain:vsock_socket getattr;
allow tmpreaper_t domain:x25_socket getattr;
allow tmpreaper_t domain:xdp_socket getattr;
allow unconfined_domain_type container_domain:process { dyntransition transition };
allow unconfined_domain_type container_domain:process2 { nnp_transition nosuid_transition };
allow unconfined_domain_type domain:alg_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:appletalk_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:association recvfrom;
allow unconfined_domain_type domain:atmpvc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:atmsvc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:ax25_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:bluetooth_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:bpf { map_create map_read map_write prog_load prog_run };
allow unconfined_domain_type domain:caif_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:can_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:dccp_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind name_connect node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:decnet_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:dir { getattr ioctl lock open read search watch };
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file { append getattr ioctl lock open read write };
allow unconfined_domain_type domain:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow unconfined_domain_type domain:icmp_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:ieee802154_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:io_uring { cmd override_creds };
allow unconfined_domain_type domain:ipx_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:irda_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:isdn_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:iucv_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:kcm_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:key { create read setattr view write };
allow unconfined_domain_type domain:key_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:llc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:lnk_file { getattr ioctl lock read };
allow unconfined_domain_type domain:mctp_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:msg { receive send };
allow unconfined_domain_type domain:msgq { associate create destroy enqueue getattr read setattr unix_read unix_write write };
allow unconfined_domain_type domain:netlink_audit_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_readpriv nlmsg_relay nlmsg_tty_audit nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_connector_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_crypto_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_dnrt_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_fib_lookup_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_firewall_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_generic_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_ip6fw_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_iscsi_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_kobject_uevent_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_netfilter_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_nflog_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_rdma_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_route_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_scsitransport_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_selinux_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_tcpdiag_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_xfrm_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netrom_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:nfc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:packet_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:peer recv;
allow unconfined_domain_type domain:perf_event { read write };
allow unconfined_domain_type domain:phonet_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:pppox_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:process ptrace; [ deny_ptrace ]:False
allow unconfined_domain_type domain:process { fork getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setcurrent setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share sigchld siginh sigkill signal signull sigstop };
allow unconfined_domain_type domain:qipcrtr_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:rawip_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:rds_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:rose_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:rxrpc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:sctp_socket { accept append association bind connect create getattr getopt ioctl listen lock map name_bind name_connect node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:sem { associate create destroy getattr read setattr unix_read unix_write write };
allow unconfined_domain_type domain:shm { associate create destroy getattr lock read setattr unix_read unix_write write };
allow unconfined_domain_type domain:smc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:system { disable enable halt ipc_info module_load module_request reboot reload start status stop syslog_console syslog_mod syslog_read undefined };
allow unconfined_domain_type domain:tcp_socket { accept acceptfrom append bind connect connectto create getattr getopt ioctl listen lock map name_bind name_connect newconn node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:tipc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:tun_socket { accept append attach_queue bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:udp_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:unix_dgram_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:unix_stream_socket { accept acceptfrom append bind connect connectto create getattr getopt ioctl listen lock map name_bind newconn read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:vsock_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:x25_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:xdp_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_t domain:process dyntransition; [ unconfined_dyntrans_all ]:True
allow unconfined_t domain:process transition;
allow useradd_t domain:dir { getattr ioctl lock open read search };
allow useradd_t domain:file { getattr ioctl lock open read };
allow useradd_t domain:lnk_file { getattr read };
allow userdomain container_domain:process transition;
allow virsh_t svirt_sandbox_domain:dir { getattr ioctl lock open read search };
allow virsh_t svirt_sandbox_domain:file { getattr ioctl lock open read };
allow virsh_t svirt_sandbox_domain:lnk_file { getattr read };
allow virsh_t svirt_sandbox_domain:process { getattr sigchld sigkill signal signull sigstop transition };
allow virsh_t svirt_sandbox_domain:unix_dgram_socket sendto;
allow virtd_lxc_t svirt_sandbox_domain:process transition;
allow virtd_t svirt_sandbox_domain:process transition;
allow vmtools_unconfined_t domain:dbus send_msg;
allow watchdog_t domain:process { getsession sigchld sigkill signal signull sigstop };
allow zabbix_agent_t domain:dir { getattr ioctl lock open read search };
allow zabbix_agent_t domain:file { getattr ioctl lock open read };
allow zabbix_agent_t domain:lnk_file { getattr read };
allow zoneminder_t domain:dir { getattr ioctl lock open read search };
allow zoneminder_t domain:file { getattr ioctl lock open read };
allow zoneminder_t domain:lnk_file { getattr read };
[-- Attachment #5: container_t.rules --]
[-- Type: text/plain, Size: 75298 bytes --]
$ sesearch -A -t container_t
allow NetworkManager_dispatcher_dnssec_t domain:dir { getattr ioctl lock open read search };
allow NetworkManager_dispatcher_dnssec_t domain:file { getattr ioctl lock open read };
allow NetworkManager_dispatcher_dnssec_t domain:lnk_file { getattr read };
allow NetworkManager_t domain:dir { getattr ioctl lock open read search };
allow NetworkManager_t domain:file { getattr ioctl lock open read };
allow NetworkManager_t domain:lnk_file { getattr read };
allow abrt_dump_oops_t domain:dir { getattr ioctl lock open read search };
allow abrt_dump_oops_t domain:file { getattr ioctl lock open read };
allow abrt_dump_oops_t domain:lnk_file { getattr read };
allow abrt_dump_oops_t domain:process ptrace; [ deny_ptrace ]:False
allow abrt_dump_oops_t domain:process { getattr signull };
allow abrt_helper_t domain:dir { getattr ioctl lock open read search };
allow abrt_helper_t domain:fd use;
allow abrt_helper_t domain:fifo_file { append getattr ioctl lock read write };
allow abrt_helper_t domain:file { getattr ioctl lock open read };
allow abrt_helper_t domain:lnk_file { getattr read };
allow abrt_helper_t domain:process sigchld;
allow abrt_t domain:dir { getattr ioctl lock open read search };
allow abrt_t domain:file { getattr ioctl lock open read write };
allow abrt_t domain:lnk_file { getattr read };
allow abrt_t domain:process { getattr setrlimit signull };
allow antivirus_domain domain:dir { getattr ioctl lock open read search };
allow antivirus_domain domain:file { getattr ioctl lock open read };
allow antivirus_domain domain:lnk_file { getattr read };
allow apcupsd_t domain:process signull;
allow apmd_t domain:dir { getattr ioctl lock open read search };
allow apmd_t domain:file { getattr ioctl lock open read };
allow apmd_t domain:lnk_file { getattr read };
allow auditadm_t domain:process sigkill;
allow auditctl_t domain:dir { getattr ioctl lock open read search };
allow auditctl_t domain:file { getattr ioctl lock open read };
allow auditctl_t domain:lnk_file { getattr read };
allow auditd_t domain:dir { getattr ioctl lock open read search };
allow auditd_t domain:file { getattr ioctl lock open read };
allow auditd_t domain:lnk_file { getattr read };
allow bluetooth_helper_t domain:dir { getattr ioctl lock open read search };
allow bluetooth_helper_t domain:file { getattr ioctl lock open read };
allow bluetooth_helper_t domain:lnk_file { getattr read };
allow boinc_domain domain:dir { getattr ioctl lock open read search };
allow boinc_domain domain:file { getattr ioctl lock open read };
allow boinc_domain domain:lnk_file { getattr read };
allow boltd_t domain:dir { getattr ioctl lock open read search };
allow boltd_t domain:file { getattr ioctl lock open read };
allow boltd_t domain:lnk_file { getattr read };
allow cardmgr_t pcmcia_typeattr_1:dir { getattr ioctl lock open read search };
allow cardmgr_t pcmcia_typeattr_1:file { getattr ioctl lock open read };
allow cardmgr_t pcmcia_typeattr_1:lnk_file { getattr read };
allow cardmgr_t pcmcia_typeattr_1:process getattr;
allow cfengine_execd_t domain:dir { getattr ioctl lock open read search };
allow cfengine_execd_t domain:file { getattr ioctl lock open read };
allow cfengine_execd_t domain:lnk_file { getattr read };
allow cfengine_monitord_t domain:dir { getattr ioctl lock open read search };
allow cfengine_monitord_t domain:file { getattr ioctl lock open read };
allow cfengine_monitord_t domain:lnk_file { getattr read };
allow cgclear_t domain:process setsched;
allow cgred_t domain:dir { getattr ioctl lock open read search };
allow cgred_t domain:file { getattr ioctl lock open read };
allow cgred_t domain:lnk_file { getattr read };
allow cgred_t domain:process setsched;
allow collectd_t domain:dir { getattr ioctl lock open read search };
allow collectd_t domain:file { getattr ioctl lock open read };
allow collectd_t domain:lnk_file { getattr read };
allow condor_master_t domain:dir { getattr ioctl lock open read search };
allow condor_master_t domain:file { getattr ioctl lock open read };
allow condor_master_t domain:lnk_file { getattr read };
allow condor_procd_t domain:dir { getattr ioctl lock open read search };
allow condor_procd_t domain:file { getattr ioctl lock open read };
allow condor_procd_t domain:lnk_file { getattr read };
allow consolekit_t domain:dir { getattr ioctl lock open read search };
allow consolekit_t domain:file { getattr ioctl lock open read };
allow consolekit_t domain:lnk_file { getattr read };
allow container_runtime_domain container_domain:file relabelfrom;
allow container_t container_t:alg_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:appletalk_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:association sendto;
allow container_t container_t:atmpvc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:atmsvc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:ax25_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:bluetooth_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:caif_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:can_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:cap2_userns { audit_read block_suspend bpf checkpoint_restore perfmon syslog wake_alarm }; [ virt_sandbox_use_all_caps ]:True
allow container_t container_t:cap_userns { audit_control fsetid ipc_lock ipc_owner lease linux_immutable net_broadcast sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; [ virt_sandbox_use_all_caps ]:True
allow container_t container_t:cap_userns { audit_write chown dac_override dac_read_search fowner kill mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_chroot };
allow container_t container_t:capability sys_admin; [ virt_sandbox_use_sys_admin ]:True
allow container_t container_t:capability { audit_control dac_override fsetid ipc_lock ipc_owner lease linux_immutable net_broadcast sys_admin sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; [ virt_sandbox_use_all_caps ]:True
allow container_t container_t:capability { audit_write chown dac_read_search fowner kill mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot };
allow container_t container_t:capability2 { audit_read block_suspend bpf checkpoint_restore epolwakeup perfmon syslog wake_alarm }; [ virt_sandbox_use_all_caps ]:True
allow container_t container_t:dccp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:decnet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:dir { getattr ioctl lock open read search watch };
allow container_t container_t:fifo_file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow container_t container_t:file { append getattr ioctl lock open read write };
allow container_t container_t:filesystem associate;
allow container_t container_t:icmp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:ieee802154_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:ipx_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:irda_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:isdn_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:iucv_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:kcm_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:key { create read setattr view write };
allow container_t container_t:llc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:lnk_file { getattr ioctl lock open read setattr };
allow container_t container_t:mctp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:msg { receive send };
allow container_t container_t:msgq { associate create destroy enqueue getattr read setattr unix_read unix_write write };
allow container_t container_t:netlink_audit_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_audit_socket { nlmsg_read nlmsg_relay nlmsg_tty_audit }; [ virt_sandbox_use_audit ]:True
allow container_t container_t:netlink_connector_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_crypto_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_dnrt_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_fib_lookup_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_firewall_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_generic_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_ip6fw_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_iscsi_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_kobject_uevent_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_netfilter_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_nflog_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_rdma_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_route_socket { accept append bind connect create getattr getopt ioctl lock map nlmsg_read nlmsg_write read setattr setopt shutdown write };
allow container_t container_t:netlink_scsitransport_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_selinux_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_tcpdiag_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:netlink_tcpdiag_socket { nlmsg_read nlmsg_write }; [ virt_sandbox_use_netlink ]:True
allow container_t container_t:netlink_xfrm_socket { accept append bind connect create getattr getopt ioctl lock map nlmsg_read nlmsg_write read setattr setopt shutdown write };
allow container_t container_t:netrom_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:nfc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:packet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:passwd rootok;
allow container_t container_t:peer recv;
allow container_t container_t:phonet_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:pppox_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:process ptrace; [ deny_ptrace ]:False
allow container_t container_t:process ptrace; [ deny_ptrace ]:False
allow container_t container_t:process { execmem execstack fork getattr getcap getpgid getrlimit getsched getsession setcap setexec setfscreate setpgid setrlimit setsched sigchld sigkill signal signull sigstop };
allow container_t container_t:qipcrtr_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:rawip_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow container_t container_t:rds_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:rose_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:rxrpc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:sctp_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow container_t container_t:sem { associate create destroy getattr read setattr unix_read unix_write write };
allow container_t container_t:shm { associate create destroy getattr lock read setattr unix_read unix_write write };
allow container_t container_t:smc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow container_t container_t:tcp_socket { accept append bind connect create getattr getopt ioctl listen lock map read setattr setopt shutdown write };
allow container_t container_t:tipc_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:tun_socket { accept append attach_queue bind connect create getattr getopt ioctl lock map read relabelfrom relabelto setattr setopt shutdown write };
allow container_t container_t:udp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:unix_dgram_socket { accept append bind connect create getattr getopt ioctl lock map read sendto setattr setopt shutdown write };
allow container_t container_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock map read sendto setattr setopt shutdown write };
allow container_t container_t:user_namespace create;
allow container_t container_t:vsock_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:x25_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_t container_t:xdp_socket { accept append bind connect create getattr getopt ioctl lock map read setattr setopt shutdown write };
allow container_user_t container_domain:process { getattr getcap getsched sigchld sigkill signal signull sigstop };
allow cpuspeed_t domain:dir { getattr ioctl lock open read search };
allow cpuspeed_t domain:file { getattr ioctl lock open read };
allow cpuspeed_t domain:lnk_file { getattr read };
allow cupsd_t domain:dir { getattr ioctl lock open read search };
allow cupsd_t domain:file { getattr ioctl lock open read };
allow cupsd_t domain:lnk_file { getattr read };
allow devicekit_power_t domain:dbus send_msg;
allow dnssec_trigger_t domain:dir { getattr ioctl lock open read search };
allow dnssec_trigger_t domain:file { getattr ioctl lock open read };
allow dnssec_trigger_t domain:lnk_file { getattr read };
allow domain domain:fd use; [ domain_fd_use ]:True
allow domain domain:key { link search };
allow fsdaemon_t domain:process signull;
allow glusterd_t domain:alg_socket getattr;
allow glusterd_t domain:appletalk_socket getattr;
allow glusterd_t domain:atmpvc_socket getattr;
allow glusterd_t domain:atmsvc_socket getattr;
allow glusterd_t domain:ax25_socket getattr;
allow glusterd_t domain:bluetooth_socket getattr;
allow glusterd_t domain:caif_socket getattr;
allow glusterd_t domain:can_socket getattr;
allow glusterd_t domain:dccp_socket getattr;
allow glusterd_t domain:decnet_socket getattr;
allow glusterd_t domain:dir { getattr ioctl lock open read search };
allow glusterd_t domain:file { getattr ioctl lock open read };
allow glusterd_t domain:icmp_socket getattr;
allow glusterd_t domain:ieee802154_socket getattr;
allow glusterd_t domain:ipx_socket getattr;
allow glusterd_t domain:irda_socket getattr;
allow glusterd_t domain:isdn_socket getattr;
allow glusterd_t domain:iucv_socket getattr;
allow glusterd_t domain:kcm_socket getattr;
allow glusterd_t domain:llc_socket getattr;
allow glusterd_t domain:lnk_file { getattr read };
allow glusterd_t domain:mctp_socket getattr;
allow glusterd_t domain:netlink_audit_socket getattr;
allow glusterd_t domain:netlink_connector_socket getattr;
allow glusterd_t domain:netlink_crypto_socket getattr;
allow glusterd_t domain:netlink_dnrt_socket getattr;
allow glusterd_t domain:netlink_fib_lookup_socket getattr;
allow glusterd_t domain:netlink_firewall_socket getattr;
allow glusterd_t domain:netlink_generic_socket getattr;
allow glusterd_t domain:netlink_ip6fw_socket getattr;
allow glusterd_t domain:netlink_iscsi_socket getattr;
allow glusterd_t domain:netlink_kobject_uevent_socket getattr;
allow glusterd_t domain:netlink_netfilter_socket getattr;
allow glusterd_t domain:netlink_nflog_socket getattr;
allow glusterd_t domain:netlink_rdma_socket getattr;
allow glusterd_t domain:netlink_route_socket getattr;
allow glusterd_t domain:netlink_scsitransport_socket getattr;
allow glusterd_t domain:netlink_selinux_socket getattr;
allow glusterd_t domain:netlink_socket getattr;
allow glusterd_t domain:netlink_tcpdiag_socket getattr;
allow glusterd_t domain:netlink_xfrm_socket getattr;
allow glusterd_t domain:netrom_socket getattr;
allow glusterd_t domain:nfc_socket getattr;
allow glusterd_t domain:packet_socket getattr;
allow glusterd_t domain:phonet_socket getattr;
allow glusterd_t domain:pppox_socket getattr;
allow glusterd_t domain:qipcrtr_socket getattr;
allow glusterd_t domain:rawip_socket getattr;
allow glusterd_t domain:rds_socket getattr;
allow glusterd_t domain:rose_socket getattr;
allow glusterd_t domain:rxrpc_socket getattr;
allow glusterd_t domain:sctp_socket getattr;
allow glusterd_t domain:smc_socket getattr;
allow glusterd_t domain:tcp_socket getattr;
allow glusterd_t domain:tipc_socket getattr;
allow glusterd_t domain:tun_socket getattr;
allow glusterd_t domain:udp_socket getattr;
allow glusterd_t domain:unix_dgram_socket getattr;
allow glusterd_t domain:unix_stream_socket getattr;
allow glusterd_t domain:vsock_socket getattr;
allow glusterd_t domain:x25_socket getattr;
allow glusterd_t domain:xdp_socket getattr;
allow gnomesystemmm_t domain:dir { getattr open search };
allow gnomesystemmm_t domain:process { setsched sigkill signal sigstop };
allow gssd_t domain:key { create read setattr view write };
allow gssproxy_t domain:dir { getattr ioctl lock open read search };
allow gssproxy_t domain:file { getattr ioctl lock open read };
allow gssproxy_t domain:lnk_file { getattr read };
allow httpd_t domain:process getpgid; [ httpd_run_stickshift ]:True
allow hypervkvp_t domain:dir { getattr ioctl lock open read search };
allow hypervkvp_t domain:file { getattr ioctl lock open read };
allow hypervkvp_t domain:lnk_file { getattr read };
allow ifconfig_t domain:dir { getattr ioctl lock open read search };
allow ifconfig_t domain:file { getattr ioctl lock open read };
allow ifconfig_t domain:lnk_file { getattr read };
allow init_t domain:dir { getattr ioctl lock open read search };
allow init_t domain:file { getattr ioctl lock open read };
allow init_t domain:lnk_file { getattr read };
allow init_t domain:process { getattr getpgid noatsecure rlimitinh setrlimit setsched sigchld sigkill signal signull sigstop };
allow init_t svirt_sandbox_domain:process transition;
allow init_t svirt_sandbox_domain:unix_dgram_socket sendto;
allow initrc_t svirt_sandbox_domain:process transition;
allow insights_core_t domain:alg_socket getattr;
allow insights_core_t domain:appletalk_socket getattr;
allow insights_core_t domain:atmpvc_socket getattr;
allow insights_core_t domain:atmsvc_socket getattr;
allow insights_core_t domain:ax25_socket getattr;
allow insights_core_t domain:bluetooth_socket getattr;
allow insights_core_t domain:caif_socket getattr;
allow insights_core_t domain:can_socket getattr;
allow insights_core_t domain:dccp_socket getattr;
allow insights_core_t domain:decnet_socket getattr;
allow insights_core_t domain:dir { getattr ioctl lock open read search };
allow insights_core_t domain:fifo_file getattr;
allow insights_core_t domain:file { getattr ioctl lock open read };
allow insights_core_t domain:icmp_socket getattr;
allow insights_core_t domain:ieee802154_socket getattr;
allow insights_core_t domain:ipx_socket getattr;
allow insights_core_t domain:irda_socket getattr;
allow insights_core_t domain:isdn_socket getattr;
allow insights_core_t domain:iucv_socket getattr;
allow insights_core_t domain:kcm_socket getattr;
allow insights_core_t domain:key { read view };
allow insights_core_t domain:llc_socket getattr;
allow insights_core_t domain:lnk_file { getattr read };
allow insights_core_t domain:mctp_socket getattr;
allow insights_core_t domain:netlink_audit_socket getattr;
allow insights_core_t domain:netlink_connector_socket getattr;
allow insights_core_t domain:netlink_crypto_socket getattr;
allow insights_core_t domain:netlink_dnrt_socket getattr;
allow insights_core_t domain:netlink_fib_lookup_socket getattr;
allow insights_core_t domain:netlink_firewall_socket getattr;
allow insights_core_t domain:netlink_generic_socket getattr;
allow insights_core_t domain:netlink_ip6fw_socket getattr;
allow insights_core_t domain:netlink_iscsi_socket getattr;
allow insights_core_t domain:netlink_kobject_uevent_socket getattr;
allow insights_core_t domain:netlink_netfilter_socket getattr;
allow insights_core_t domain:netlink_nflog_socket getattr;
allow insights_core_t domain:netlink_rdma_socket getattr;
allow insights_core_t domain:netlink_route_socket getattr;
allow insights_core_t domain:netlink_scsitransport_socket getattr;
allow insights_core_t domain:netlink_selinux_socket getattr;
allow insights_core_t domain:netlink_socket getattr;
allow insights_core_t domain:netlink_tcpdiag_socket getattr;
allow insights_core_t domain:netlink_xfrm_socket getattr;
allow insights_core_t domain:netrom_socket getattr;
allow insights_core_t domain:nfc_socket getattr;
allow insights_core_t domain:packet_socket getattr;
allow insights_core_t domain:phonet_socket getattr;
allow insights_core_t domain:pppox_socket getattr;
allow insights_core_t domain:process getattr;
allow insights_core_t domain:qipcrtr_socket getattr;
allow insights_core_t domain:rawip_socket getattr;
allow insights_core_t domain:rds_socket getattr;
allow insights_core_t domain:rose_socket getattr;
allow insights_core_t domain:rxrpc_socket getattr;
allow insights_core_t domain:sctp_socket getattr;
allow insights_core_t domain:smc_socket getattr;
allow insights_core_t domain:tcp_socket getattr;
allow insights_core_t domain:tipc_socket getattr;
allow insights_core_t domain:tun_socket getattr;
allow insights_core_t domain:udp_socket getattr;
allow insights_core_t domain:unix_dgram_socket getattr;
allow insights_core_t domain:unix_stream_socket { connectto getattr };
allow insights_core_t domain:vsock_socket getattr;
allow insights_core_t domain:x25_socket getattr;
allow insights_core_t domain:xdp_socket getattr;
allow iotop_t domain:dir { getattr ioctl lock open read search };
allow iotop_t domain:file { getattr ioctl lock open read };
allow iotop_t domain:lnk_file { getattr read };
allow iotop_t domain:process getsched;
allow iscsid_t domain:dir { getattr ioctl lock open read search };
allow iscsid_t domain:file { getattr ioctl lock open read };
allow iscsid_t domain:lnk_file { getattr read };
allow keepalived_t domain:dir { getattr ioctl lock open read search };
allow keepalived_t domain:file { getattr ioctl lock open read };
allow keepalived_t domain:lnk_file { getattr read };
allow keepalived_t domain:process getattr;
allow kernel_t domain:alg_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:appletalk_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:atmpvc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:atmsvc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:ax25_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:bluetooth_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:caif_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:can_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:dccp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:decnet_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:dir { getattr open search };
allow kernel_t domain:fd use;
allow kernel_t domain:icmp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:ieee802154_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:ipx_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:irda_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:isdn_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:iucv_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:kcm_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:llc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:mctp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_audit_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_connector_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_crypto_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_dnrt_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_fib_lookup_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_firewall_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_generic_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_ip6fw_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_iscsi_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_kobject_uevent_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_netfilter_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_nflog_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_rdma_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_route_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_scsitransport_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_selinux_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_tcpdiag_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netlink_xfrm_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:netrom_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:nfc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:packet_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:phonet_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:pppox_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:process signal;
allow kernel_t domain:qipcrtr_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:rawip_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:rds_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:rose_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:rxrpc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:sctp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:smc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:tcp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:tipc_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:tun_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:udp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:unix_dgram_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:unix_stream_socket { accept append bind connect connectto getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:vsock_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:x25_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow kernel_t domain:xdp_socket { accept append bind connect getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow keyutils_request_t domain:key { create read setattr view write };
allow ksmtuned_t domain:dir { getattr ioctl lock open read search };
allow ksmtuned_t domain:file { getattr ioctl lock open read };
allow ksmtuned_t domain:lnk_file { getattr read };
allow ktlshd_t domain:key { read view };
allow login_pgm domain:dir { getattr ioctl lock open read search };
allow login_pgm domain:file { getattr ioctl lock open read };
allow login_pgm domain:lnk_file { getattr read };
allow login_pgm domain:process sigkill;
allow logrotate_t domain:dir { getattr ioctl lock open read search };
allow logrotate_t domain:file { getattr ioctl lock open read };
allow logrotate_t domain:lnk_file { getattr read };
allow logrotate_t domain:process signal;
allow logwatch_t domain:dir { getattr ioctl lock open read search };
allow logwatch_t domain:file { getattr ioctl lock open read };
allow logwatch_t domain:lnk_file { getattr read };
allow mdadm_t domain:dir { getattr ioctl lock open read search };
allow mdadm_t domain:file { getattr ioctl lock open read };
allow mdadm_t domain:lnk_file { getattr read };
allow mock_t domain:dir { getattr ioctl lock open read search };
allow mock_t domain:file { getattr ioctl lock open read };
allow mock_t domain:lnk_file { getattr read };
allow mon_statd_domain domain:dir { getattr ioctl lock open read search };
allow mon_statd_domain domain:file { getattr ioctl lock open read };
allow mon_statd_domain domain:lnk_file { getattr read };
allow munin_t domain:dir { getattr ioctl lock open read search };
allow munin_t domain:file { getattr ioctl lock open read };
allow munin_t domain:lnk_file { getattr read };
allow mysqld_safe_t domain:dir { getattr ioctl lock open read search };
allow mysqld_safe_t domain:file { getattr ioctl lock open read };
allow mysqld_safe_t domain:lnk_file { getattr read };
allow mysqld_t domain:dir { getattr ioctl lock open read search };
allow mysqld_t domain:file { getattr ioctl lock open read };
allow mysqld_t domain:lnk_file { getattr read };
allow nagios_openshift_plugin_t domain:dir { getattr ioctl lock open read search };
allow nagios_openshift_plugin_t domain:file { getattr ioctl lock open read };
allow nagios_openshift_plugin_t domain:lnk_file { getattr read };
allow nagios_services_plugin_t domain:dir { getattr ioctl lock open read search };
allow nagios_services_plugin_t domain:file { getattr ioctl lock open read };
allow nagios_services_plugin_t domain:lnk_file { getattr read };
allow nagios_system_plugin_t domain:dir { getattr ioctl lock open read search };
allow nagios_system_plugin_t domain:file { getattr ioctl lock open read };
allow nagios_system_plugin_t domain:lnk_file { getattr read };
allow nagios_t domain:dir { getattr ioctl lock open read search };
allow nagios_t domain:file { getattr ioctl lock open read };
allow nagios_t domain:lnk_file { getattr read };
allow ncftool_t domain:dir { getattr ioctl lock open read search };
allow ncftool_t domain:file { getattr ioctl lock open read };
allow ncftool_t domain:lnk_file { getattr read };
allow neutron_t domain:dir { getattr ioctl lock open read search };
allow neutron_t domain:file { getattr ioctl lock open read };
allow neutron_t domain:lnk_file { getattr read };
allow nrpe_t domain:dir { getattr ioctl lock open read search };
allow nrpe_t domain:file { getattr ioctl lock open read };
allow nrpe_t domain:lnk_file { getattr read };
allow nscd_t domain:dir { getattr open search };
allow numad_t domain:dir { getattr ioctl lock open read search };
allow numad_t domain:file { getattr ioctl lock open read };
allow numad_t domain:lnk_file { getattr read };
allow numad_t domain:process { setsched signull };
allow passenger_t domain:dir { getattr ioctl lock open read search };
allow passenger_t domain:file { getattr ioctl lock open read };
allow passenger_t domain:lnk_file { getattr read };
allow pcp_pmcd_t domain:dir { getattr ioctl lock open read search };
allow pcp_pmcd_t domain:file { getattr ioctl lock open read };
allow pcp_pmcd_t domain:lnk_file { getattr read };
allow pcp_pmcd_t domain:process getattr;
allow pcp_pmie_t domain:dir { getattr ioctl lock open read search };
allow pcp_pmie_t domain:file { getattr ioctl lock open read };
allow pcp_pmie_t domain:lnk_file { getattr read };
allow pcp_pmlogger_t domain:dir { getattr ioctl lock open read search };
allow pcp_pmlogger_t domain:file { getattr ioctl lock open read };
allow pcp_pmlogger_t domain:lnk_file { getattr read };
allow pcscd_t domain:dir { getattr ioctl lock open read search };
allow pcscd_t domain:file { getattr ioctl lock open read };
allow pcscd_t domain:lnk_file { getattr read };
allow pegasus_t domain:dir { getattr ioctl lock open read search };
allow pegasus_t domain:file { getattr ioctl lock open read };
allow pegasus_t domain:lnk_file { getattr read };
allow policykit_t domain:dir { getattr ioctl lock open read search };
allow policykit_t domain:file { getattr ioctl lock open read };
allow policykit_t domain:lnk_file { getattr read };
allow psad_t domain:dir { getattr ioctl lock open read search };
allow psad_t domain:file { getattr ioctl lock open read };
allow psad_t domain:lnk_file { getattr read };
allow puppetmaster_t domain:dir { getattr ioctl lock open read search };
allow puppetmaster_t domain:file { getattr ioctl lock open read };
allow puppetmaster_t domain:lnk_file { getattr read };
allow rabbitmq_t domain:dir { getattr ioctl lock open read search };
allow rabbitmq_t domain:file { getattr ioctl lock open read };
allow rabbitmq_t domain:lnk_file { getattr read };
allow racoon_t domain:association setcontext;
allow readahead_t domain:dir { getattr ioctl lock open read search };
allow readahead_t domain:file { getattr ioctl lock open read };
allow readahead_t domain:lnk_file { getattr read };
allow rhcd_t domain:alg_socket getattr;
allow rhcd_t domain:appletalk_socket getattr;
allow rhcd_t domain:atmpvc_socket getattr;
allow rhcd_t domain:atmsvc_socket getattr;
allow rhcd_t domain:ax25_socket getattr;
allow rhcd_t domain:bluetooth_socket getattr;
allow rhcd_t domain:caif_socket getattr;
allow rhcd_t domain:can_socket getattr;
allow rhcd_t domain:dccp_socket getattr;
allow rhcd_t domain:decnet_socket getattr;
allow rhcd_t domain:dir { getattr ioctl lock open read search };
allow rhcd_t domain:fifo_file getattr;
allow rhcd_t domain:file { getattr ioctl lock open read };
allow rhcd_t domain:icmp_socket getattr;
allow rhcd_t domain:ieee802154_socket getattr;
allow rhcd_t domain:ipx_socket getattr;
allow rhcd_t domain:irda_socket getattr;
allow rhcd_t domain:isdn_socket getattr;
allow rhcd_t domain:iucv_socket getattr;
allow rhcd_t domain:kcm_socket getattr;
allow rhcd_t domain:llc_socket getattr;
allow rhcd_t domain:lnk_file { getattr read };
allow rhcd_t domain:mctp_socket getattr;
allow rhcd_t domain:netlink_audit_socket getattr;
allow rhcd_t domain:netlink_connector_socket getattr;
allow rhcd_t domain:netlink_crypto_socket getattr;
allow rhcd_t domain:netlink_dnrt_socket getattr;
allow rhcd_t domain:netlink_fib_lookup_socket getattr;
allow rhcd_t domain:netlink_firewall_socket getattr;
allow rhcd_t domain:netlink_generic_socket getattr;
allow rhcd_t domain:netlink_ip6fw_socket getattr;
allow rhcd_t domain:netlink_iscsi_socket getattr;
allow rhcd_t domain:netlink_kobject_uevent_socket getattr;
allow rhcd_t domain:netlink_netfilter_socket getattr;
allow rhcd_t domain:netlink_nflog_socket getattr;
allow rhcd_t domain:netlink_rdma_socket getattr;
allow rhcd_t domain:netlink_route_socket getattr;
allow rhcd_t domain:netlink_scsitransport_socket getattr;
allow rhcd_t domain:netlink_selinux_socket getattr;
allow rhcd_t domain:netlink_socket getattr;
allow rhcd_t domain:netlink_tcpdiag_socket getattr;
allow rhcd_t domain:netlink_xfrm_socket getattr;
allow rhcd_t domain:netrom_socket getattr;
allow rhcd_t domain:nfc_socket getattr;
allow rhcd_t domain:packet_socket getattr;
allow rhcd_t domain:phonet_socket getattr;
allow rhcd_t domain:pppox_socket getattr;
allow rhcd_t domain:qipcrtr_socket getattr;
allow rhcd_t domain:rawip_socket getattr;
allow rhcd_t domain:rds_socket getattr;
allow rhcd_t domain:rose_socket getattr;
allow rhcd_t domain:rxrpc_socket getattr;
allow rhcd_t domain:sctp_socket getattr;
allow rhcd_t domain:smc_socket getattr;
allow rhcd_t domain:tcp_socket getattr;
allow rhcd_t domain:tipc_socket getattr;
allow rhcd_t domain:tun_socket getattr;
allow rhcd_t domain:udp_socket getattr;
allow rhcd_t domain:unix_dgram_socket getattr;
allow rhcd_t domain:unix_stream_socket getattr;
allow rhcd_t domain:vsock_socket getattr;
allow rhcd_t domain:x25_socket getattr;
allow rhcd_t domain:xdp_socket getattr;
allow rhsmcertd_t domain:dir { getattr ioctl lock open read search };
allow rhsmcertd_t domain:file { getattr ioctl lock open read };
allow rhsmcertd_t domain:lnk_file { getattr read };
allow rhsmcertd_t domain:process signull;
allow ricci_modcluster_t domain:dir { getattr ioctl lock open read search };
allow ricci_modcluster_t domain:file { getattr ioctl lock open read };
allow ricci_modcluster_t domain:lnk_file { getattr read };
allow ricci_modclusterd_t domain:dir { getattr ioctl lock open read search };
allow ricci_modclusterd_t domain:file { getattr ioctl lock open read };
allow ricci_modclusterd_t domain:lnk_file { getattr read };
allow ricci_modlog_t domain:dir { getattr ioctl lock open read search };
allow ricci_modlog_t domain:file { getattr ioctl lock open read };
allow ricci_modlog_t domain:lnk_file { getattr read };
allow ricci_modstorage_t domain:dir { getattr ioctl lock open read search };
allow ricci_modstorage_t domain:file { getattr ioctl lock open read };
allow ricci_modstorage_t domain:lnk_file { getattr read };
allow ricci_t domain:dir { getattr ioctl lock open read search };
allow ricci_t domain:file { getattr ioctl lock open read };
allow ricci_t domain:lnk_file { getattr read };
allow rtkit_daemon_t domain:dir { getattr ioctl lock open read search };
allow rtkit_daemon_t domain:file { getattr ioctl lock open read };
allow rtkit_daemon_t domain:lnk_file { getattr read };
allow rtkit_daemon_t domain:process getsched;
allow sbd_t domain:dir { getattr ioctl lock open read search };
allow sbd_t domain:file { getattr ioctl lock open read };
allow sbd_t domain:lnk_file { getattr read };
allow sblim_gatherd_t domain:dir { getattr ioctl lock open read search };
allow sblim_gatherd_t domain:file { getattr ioctl lock open read };
allow sblim_gatherd_t domain:lnk_file { getattr read };
allow sblim_sfcbd_t domain:dir { getattr ioctl lock open read search };
allow sblim_sfcbd_t domain:file { getattr ioctl lock open read };
allow sblim_sfcbd_t domain:lnk_file { getattr read };
allow screen_domain domain:dir { getattr ioctl lock open read search };
allow screen_domain domain:file { getattr ioctl lock open read };
allow screen_domain domain:lnk_file { getattr read };
allow sectoolm_t domain:dir { getattr ioctl lock open read search };
allow sectoolm_t domain:file { getattr ioctl lock open read };
allow sectoolm_t domain:lnk_file { getattr read };
allow sectoolm_t domain:process getattr;
allow session_bus_type domain:dir { getattr ioctl lock open read search };
allow session_bus_type domain:file { getattr ioctl lock open read };
allow session_bus_type domain:lnk_file { getattr read };
allow setfiles_domain domain:blk_file { getattr relabelfrom };
allow setfiles_domain domain:chr_file { getattr relabelfrom };
allow setfiles_domain domain:dir { getattr ioctl lock open read relabelfrom search };
allow setfiles_domain domain:fifo_file { getattr relabelfrom };
allow setfiles_domain domain:file { getattr ioctl lock open read relabelfrom };
allow setfiles_domain domain:lnk_file { getattr read relabelfrom };
allow setfiles_domain domain:sock_file { getattr relabelfrom };
allow setkey_t domain:association setcontext;
allow setrans_t domain:dir { getattr ioctl lock open read search };
allow setrans_t domain:file { getattr ioctl lock open read };
allow setrans_t domain:lnk_file { getattr read };
allow setrans_t domain:process { getattr getsession };
allow setroubleshootd_t domain:dir { getattr ioctl lock open read search };
allow setroubleshootd_t domain:file { getattr ioctl lock open read };
allow setroubleshootd_t domain:lnk_file { getattr read };
allow setroubleshootd_t domain:process signull;
allow shorewall_t domain:dir { getattr ioctl lock open read search };
allow shorewall_t domain:file { getattr ioctl lock open read };
allow shorewall_t domain:lnk_file { getattr read };
allow snapperd_t domain:dir { getattr ioctl lock open read search };
allow snapperd_t domain:file { getattr ioctl lock open read };
allow snapperd_t domain:lnk_file { getattr read };
allow snmpd_t domain:dir { getattr ioctl lock open read search };
allow snmpd_t domain:file { getattr ioctl lock open read };
allow snmpd_t domain:lnk_file { getattr read };
allow snmpd_t domain:process signull;
allow spamd_update_t domain:dir { getattr ioctl lock open read search };
allow spamd_update_t domain:file { getattr ioctl lock open read };
allow spamd_update_t domain:lnk_file { getattr read };
allow spc_t domain:process { ptrace transition };
allow sshd_t svirt_sandbox_domain:process { getattr sigchld signal signull sigstop transition };
allow sshd_t svirt_sandbox_domain:unix_dgram_socket sendto;
allow sshd_t svirt_sandbox_domain:unix_stream_socket connectto;
allow sssd_t domain:dir { getattr ioctl lock open read search };
allow sssd_t domain:file { getattr ioctl lock open read };
allow sssd_t domain:lnk_file { getattr read };
allow staff_t container_domain:process { sigchld sigkill signal signull sigstop };
allow staff_t domain:dir { getattr ioctl lock open read search };
allow staff_t domain:file { getattr ioctl lock open read };
allow staff_t domain:lnk_file { getattr read };
allow staff_t domain:process { getattr getcap getsched };
allow stalld_t domain:dir { getattr ioctl lock open read search };
allow stalld_t domain:file { getattr ioctl lock open read };
allow stalld_t domain:lnk_file { getattr read };
allow stalld_t domain:process { getsched setsched };
allow stapserver_t domain:dir { getattr ioctl lock open read search };
allow stapserver_t domain:file { getattr ioctl lock open read };
allow stapserver_t domain:lnk_file { getattr read };
allow sysadm_t domain:alg_socket getattr;
allow sysadm_t domain:appletalk_socket getattr;
allow sysadm_t domain:atmpvc_socket getattr;
allow sysadm_t domain:atmsvc_socket getattr;
allow sysadm_t domain:ax25_socket getattr;
allow sysadm_t domain:bluetooth_socket getattr;
allow sysadm_t domain:caif_socket getattr;
allow sysadm_t domain:can_socket getattr;
allow sysadm_t domain:dccp_socket getattr;
allow sysadm_t domain:decnet_socket getattr;
allow sysadm_t domain:dir { getattr ioctl lock open read search };
allow sysadm_t domain:file { getattr ioctl lock open read };
allow sysadm_t domain:icmp_socket getattr;
allow sysadm_t domain:ieee802154_socket getattr;
allow sysadm_t domain:ipx_socket getattr;
allow sysadm_t domain:irda_socket getattr;
allow sysadm_t domain:isdn_socket getattr;
allow sysadm_t domain:iucv_socket getattr;
allow sysadm_t domain:kcm_socket getattr;
allow sysadm_t domain:key { read view };
allow sysadm_t domain:llc_socket getattr;
allow sysadm_t domain:lnk_file { getattr read };
allow sysadm_t domain:mctp_socket getattr;
allow sysadm_t domain:netlink_audit_socket getattr;
allow sysadm_t domain:netlink_connector_socket getattr;
allow sysadm_t domain:netlink_crypto_socket getattr;
allow sysadm_t domain:netlink_dnrt_socket getattr;
allow sysadm_t domain:netlink_fib_lookup_socket getattr;
allow sysadm_t domain:netlink_firewall_socket getattr;
allow sysadm_t domain:netlink_generic_socket getattr;
allow sysadm_t domain:netlink_ip6fw_socket getattr;
allow sysadm_t domain:netlink_iscsi_socket getattr;
allow sysadm_t domain:netlink_kobject_uevent_socket getattr;
allow sysadm_t domain:netlink_netfilter_socket getattr;
allow sysadm_t domain:netlink_nflog_socket getattr;
allow sysadm_t domain:netlink_rdma_socket getattr;
allow sysadm_t domain:netlink_route_socket getattr;
allow sysadm_t domain:netlink_scsitransport_socket getattr;
allow sysadm_t domain:netlink_selinux_socket getattr;
allow sysadm_t domain:netlink_socket getattr;
allow sysadm_t domain:netlink_tcpdiag_socket getattr;
allow sysadm_t domain:netlink_xfrm_socket getattr;
allow sysadm_t domain:netrom_socket getattr;
allow sysadm_t domain:nfc_socket getattr;
allow sysadm_t domain:packet_socket getattr;
allow sysadm_t domain:phonet_socket getattr;
allow sysadm_t domain:pppox_socket getattr;
allow sysadm_t domain:process ptrace; [ deny_ptrace ]:False
allow sysadm_t domain:process { getattr getcap setsched sigchld sigkill signal signull sigstop };
allow sysadm_t domain:qipcrtr_socket getattr;
allow sysadm_t domain:rawip_socket getattr;
allow sysadm_t domain:rds_socket getattr;
allow sysadm_t domain:rose_socket getattr;
allow sysadm_t domain:rxrpc_socket getattr;
allow sysadm_t domain:sctp_socket getattr;
allow sysadm_t domain:smc_socket getattr;
allow sysadm_t domain:tcp_socket getattr;
allow sysadm_t domain:tipc_socket getattr;
allow sysadm_t domain:tun_socket getattr;
allow sysadm_t domain:udp_socket getattr;
allow sysadm_t domain:unix_dgram_socket getattr;
allow sysadm_t domain:unix_stream_socket getattr;
allow sysadm_t domain:vsock_socket getattr;
allow sysadm_t domain:x25_socket getattr;
allow sysadm_t domain:xdp_socket getattr;
allow sysadm_t svirt_sandbox_domain:process transition;
allow sysadm_t svirt_sandbox_domain:unix_dgram_socket sendto;
allow syslogd_t domain:dir { getattr ioctl lock open read search };
allow syslogd_t domain:file { getattr ioctl lock open read };
allow syslogd_t domain:lnk_file { getattr read };
allow syslogd_t domain:process { getattr signull };
allow system_dbusd_t domain:dir { getattr ioctl lock open read search };
allow system_dbusd_t domain:file { getattr ioctl lock open read };
allow system_dbusd_t domain:lnk_file { getattr read };
allow system_munin_plugin_t domain:dir { getattr ioctl lock open read search };
allow system_munin_plugin_t domain:file { getattr ioctl lock open read };
allow system_munin_plugin_t domain:lnk_file { getattr read };
allow systemd_bootchart_t domain:dir { getattr ioctl lock open read search };
allow systemd_bootchart_t domain:file { getattr ioctl lock open read };
allow systemd_bootchart_t domain:lnk_file { getattr read };
allow systemd_coredump_t domain:dir { getattr ioctl lock open read search };
allow systemd_coredump_t domain:file { getattr ioctl lock open read };
allow systemd_coredump_t domain:lnk_file { getattr read };
allow systemd_homework_t domain:key { create read setattr view write };
allow systemd_logind_t container_domain:dbus send_msg;
allow systemd_logind_t container_domain:process getattr;
allow systemd_logind_t domain:dir { getattr ioctl lock open read search };
allow systemd_logind_t domain:file { getattr ioctl lock open read };
allow systemd_logind_t domain:lnk_file { getattr read };
allow systemd_logind_t domain:process { sigkill signal signull };
allow systemd_logind_t domain:sem destroy;
allow systemd_logind_t sandbox_net_domain:dbus send_msg;
allow systemd_logind_t sandbox_net_domain:process getattr;
allow systemd_machined_t domain:process { signal signull };
allow systemd_machined_t svirt_sandbox_domain:dir { getattr ioctl lock open read search };
allow systemd_machined_t svirt_sandbox_domain:file { getattr ioctl lock open read };
allow systemd_machined_t svirt_sandbox_domain:lnk_file { getattr read };
allow systemd_machined_t svirt_sandbox_domain:process getattr;
allow systemd_machined_t svirt_sandbox_domain:unix_stream_socket connectto;
allow systemd_passwd_agent_t domain:dir { getattr ioctl lock open read search };
allow systemd_passwd_agent_t domain:file { getattr ioctl lock open read };
allow systemd_passwd_agent_t domain:lnk_file { getattr read };
allow systemd_resolved_t domain:dbus send_msg;
allow systemd_resolved_t domain:dir { getattr ioctl lock open read search };
allow systemd_resolved_t domain:file { getattr ioctl lock open read };
allow systemd_resolved_t domain:lnk_file { getattr read };
allow systemd_resolved_t domain:process getattr;
allow tmpreaper_t domain:alg_socket getattr;
allow tmpreaper_t domain:appletalk_socket getattr;
allow tmpreaper_t domain:atmpvc_socket getattr;
allow tmpreaper_t domain:atmsvc_socket getattr;
allow tmpreaper_t domain:ax25_socket getattr;
allow tmpreaper_t domain:bluetooth_socket getattr;
allow tmpreaper_t domain:caif_socket getattr;
allow tmpreaper_t domain:can_socket getattr;
allow tmpreaper_t domain:dccp_socket getattr;
allow tmpreaper_t domain:decnet_socket getattr;
allow tmpreaper_t domain:dir { getattr ioctl lock open read search };
allow tmpreaper_t domain:fifo_file getattr;
allow tmpreaper_t domain:file { getattr ioctl lock open read };
allow tmpreaper_t domain:icmp_socket getattr;
allow tmpreaper_t domain:ieee802154_socket getattr;
allow tmpreaper_t domain:ipx_socket getattr;
allow tmpreaper_t domain:irda_socket getattr;
allow tmpreaper_t domain:isdn_socket getattr;
allow tmpreaper_t domain:iucv_socket getattr;
allow tmpreaper_t domain:kcm_socket getattr;
allow tmpreaper_t domain:llc_socket getattr;
allow tmpreaper_t domain:lnk_file { getattr read };
allow tmpreaper_t domain:mctp_socket getattr;
allow tmpreaper_t domain:netlink_audit_socket getattr;
allow tmpreaper_t domain:netlink_connector_socket getattr;
allow tmpreaper_t domain:netlink_crypto_socket getattr;
allow tmpreaper_t domain:netlink_dnrt_socket getattr;
allow tmpreaper_t domain:netlink_fib_lookup_socket getattr;
allow tmpreaper_t domain:netlink_firewall_socket getattr;
allow tmpreaper_t domain:netlink_generic_socket getattr;
allow tmpreaper_t domain:netlink_ip6fw_socket getattr;
allow tmpreaper_t domain:netlink_iscsi_socket getattr;
allow tmpreaper_t domain:netlink_kobject_uevent_socket getattr;
allow tmpreaper_t domain:netlink_netfilter_socket getattr;
allow tmpreaper_t domain:netlink_nflog_socket getattr;
allow tmpreaper_t domain:netlink_rdma_socket getattr;
allow tmpreaper_t domain:netlink_route_socket getattr;
allow tmpreaper_t domain:netlink_scsitransport_socket getattr;
allow tmpreaper_t domain:netlink_selinux_socket getattr;
allow tmpreaper_t domain:netlink_socket getattr;
allow tmpreaper_t domain:netlink_tcpdiag_socket getattr;
allow tmpreaper_t domain:netlink_xfrm_socket getattr;
allow tmpreaper_t domain:netrom_socket getattr;
allow tmpreaper_t domain:nfc_socket getattr;
allow tmpreaper_t domain:packet_socket getattr;
allow tmpreaper_t domain:phonet_socket getattr;
allow tmpreaper_t domain:pppox_socket getattr;
allow tmpreaper_t domain:qipcrtr_socket getattr;
allow tmpreaper_t domain:rawip_socket getattr;
allow tmpreaper_t domain:rds_socket getattr;
allow tmpreaper_t domain:rose_socket getattr;
allow tmpreaper_t domain:rxrpc_socket getattr;
allow tmpreaper_t domain:sctp_socket getattr;
allow tmpreaper_t domain:smc_socket getattr;
allow tmpreaper_t domain:tcp_socket getattr;
allow tmpreaper_t domain:tipc_socket getattr;
allow tmpreaper_t domain:tun_socket getattr;
allow tmpreaper_t domain:udp_socket getattr;
allow tmpreaper_t domain:unix_dgram_socket getattr;
allow tmpreaper_t domain:unix_stream_socket getattr;
allow tmpreaper_t domain:vsock_socket getattr;
allow tmpreaper_t domain:x25_socket getattr;
allow tmpreaper_t domain:xdp_socket getattr;
allow unconfined_domain_type container_domain:process { dyntransition transition };
allow unconfined_domain_type container_domain:process2 { nnp_transition nosuid_transition };
allow unconfined_domain_type domain:alg_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:appletalk_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:association recvfrom;
allow unconfined_domain_type domain:atmpvc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:atmsvc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:ax25_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:bluetooth_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:bpf { map_create map_read map_write prog_load prog_run };
allow unconfined_domain_type domain:caif_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:can_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:dccp_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind name_connect node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:decnet_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:dir { getattr ioctl lock open read search watch };
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file { append getattr ioctl lock open read write };
allow unconfined_domain_type domain:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow unconfined_domain_type domain:icmp_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:ieee802154_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:io_uring { cmd override_creds };
allow unconfined_domain_type domain:ipx_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:irda_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:isdn_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:iucv_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:kcm_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:key { create read setattr view write };
allow unconfined_domain_type domain:key_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:llc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:lnk_file { getattr ioctl lock read };
allow unconfined_domain_type domain:mctp_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:msg { receive send };
allow unconfined_domain_type domain:msgq { associate create destroy enqueue getattr read setattr unix_read unix_write write };
allow unconfined_domain_type domain:netlink_audit_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_readpriv nlmsg_relay nlmsg_tty_audit nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_connector_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_crypto_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_dnrt_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_fib_lookup_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_firewall_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_generic_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_ip6fw_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_iscsi_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_kobject_uevent_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_netfilter_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_nflog_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_rdma_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_route_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_scsitransport_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_selinux_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_tcpdiag_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netlink_xfrm_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind nlmsg_read nlmsg_write read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:netrom_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:nfc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:packet_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:peer recv;
allow unconfined_domain_type domain:perf_event { read write };
allow unconfined_domain_type domain:phonet_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:pppox_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:process ptrace; [ deny_ptrace ]:False
allow unconfined_domain_type domain:process { fork getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setcurrent setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share sigchld siginh sigkill signal signull sigstop };
allow unconfined_domain_type domain:qipcrtr_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:rawip_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:rds_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:rose_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:rxrpc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:sctp_socket { accept append association bind connect create getattr getopt ioctl listen lock map name_bind name_connect node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:sem { associate create destroy getattr read setattr unix_read unix_write write };
allow unconfined_domain_type domain:shm { associate create destroy getattr lock read setattr unix_read unix_write write };
allow unconfined_domain_type domain:smc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:system { disable enable halt ipc_info module_load module_request reboot reload start status stop syslog_console syslog_mod syslog_read undefined };
allow unconfined_domain_type domain:tcp_socket { accept acceptfrom append bind connect connectto create getattr getopt ioctl listen lock map name_bind name_connect newconn node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:tipc_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:tun_socket { accept append attach_queue bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:udp_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind node_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:unix_dgram_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:unix_stream_socket { accept acceptfrom append bind connect connectto create getattr getopt ioctl listen lock map name_bind newconn read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:vsock_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:x25_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_domain_type domain:xdp_socket { accept append bind connect create getattr getopt ioctl listen lock map name_bind read recv_msg recvfrom relabelfrom relabelto send_msg sendto setattr setopt shutdown write };
allow unconfined_t domain:process dyntransition; [ unconfined_dyntrans_all ]:True
allow unconfined_t domain:process transition;
allow useradd_t domain:dir { getattr ioctl lock open read search };
allow useradd_t domain:file { getattr ioctl lock open read };
allow useradd_t domain:lnk_file { getattr read };
allow userdomain container_domain:process transition;
allow virsh_t svirt_sandbox_domain:dir { getattr ioctl lock open read search };
allow virsh_t svirt_sandbox_domain:file { getattr ioctl lock open read };
allow virsh_t svirt_sandbox_domain:lnk_file { getattr read };
allow virsh_t svirt_sandbox_domain:process { getattr sigchld sigkill signal signull sigstop transition };
allow virsh_t svirt_sandbox_domain:unix_dgram_socket sendto;
allow virtd_lxc_t svirt_sandbox_domain:process transition;
allow virtd_t svirt_sandbox_domain:process transition;
allow vmtools_unconfined_t domain:dbus send_msg;
allow watchdog_t domain:process { getsession sigchld sigkill signal signull sigstop };
allow zabbix_agent_t domain:dir { getattr ioctl lock open read search };
allow zabbix_agent_t domain:file { getattr ioctl lock open read };
allow zabbix_agent_t domain:lnk_file { getattr read };
allow zoneminder_t domain:dir { getattr ioctl lock open read search };
allow zoneminder_t domain:file { getattr ioctl lock open read };
allow zoneminder_t domain:lnk_file { getattr read };
^ permalink raw reply [flat|nested] 8+ messages in thread