File container.te of Package selinux-policy

policy_module(container, 2.232.1)

gen_require(`
	class passwd rootok;
')

########################################
#
# Declarations
#

## <desc>
##  <p>
##  Determine whether container can
##  connect to all TCP ports.
##  </p>
## </desc>
gen_tunable(container_connect_any, false)

## <desc>
##  <p>
##  Allow all container domains to read cert files and directories
##  </p>
## </desc>
gen_tunable(container_read_certs, false)

## <desc>
##  <p>
##  Determine whether sshd can launch container engines
##  </p>
## </desc>
gen_tunable(sshd_launch_containers, false)

## <desc>
##  <p>
##  Allow containers to use any device volume mounted into container
##  </p>
## </desc>
gen_tunable(container_use_devices, false)

## <desc>
##  <p>
##  Allow containers to use any xserver device volume mounted into container, mostly used for GPU acceleration
##  </p>
## </desc>
gen_tunable(container_use_xserver_devices, false)

## <desc>
##  <p>
##  Allow containers to use any dri device volume mounted into container
##  </p>
## </desc>
gen_tunable(container_use_dri_devices, true)

## <desc>
## <p>
## Allow sandbox containers to manage cgroup (systemd)
## </p>
## </desc>
gen_tunable(container_manage_cgroup, false)

## <desc>
##  <p>
##  Determine whether container can
##  use ceph file system
##  </p>
## </desc>
gen_tunable(container_use_cephfs, false)

## <desc>
##  <p>
##  Determine whether container can
##  use ecrypt file system
##  </p>
## </desc>
gen_tunable(container_use_ecryptfs, false)

attribute container_runtime_domain;
container_runtime_domain_template(container_runtime)
typealias container_runtime_t alias docker_t;

type container_runtime_exec_t alias docker_exec_t;
can_exec(container_runtime_t,container_runtime_exec_t)
attribute container_domain;
attribute container_user_domain;
attribute container_net_domain;
attribute container_init_domain;
attribute container_file_type;
allow container_runtime_domain container_domain:process { dyntransition transition };
allow container_domain container_runtime_domain:process sigchld;
allow container_runtime_domain container_domain:process2 { nnp_transition nosuid_transition };
dontaudit container_runtime_domain container_domain:process { noatsecure rlimitinh siginh };

type conmon_exec_t;
application_executable_file(conmon_exec_t)
can_exec(container_runtime_t, conmon_exec_t)
allow container_runtime_domain conmon_exec_t:file entrypoint;
ifdef(`enable_mcs',`
	range_transition container_runtime_t conmon_exec_t:process s0;
')
ifdef(`enable_mls',`
	range_transition container_runtime_t conmon_exec_t:process s0;
')

type spc_t;
domain_type(spc_t)
role system_r types spc_t;

type container_auth_t alias docker_auth_t;
type container_auth_exec_t alias docker_auth_exec_t;
init_daemon_domain(container_auth_t, container_auth_exec_t)

type spc_var_run_t;
files_pid_file(spc_var_run_t)

type kubernetes_file_t;
files_config_file(kubernetes_file_t)

type container_var_lib_t alias docker_var_lib_t;
files_type(container_var_lib_t)

type container_home_t alias docker_home_t;
userdom_user_home_content(container_home_t)

type container_config_t alias docker_config_t;
files_config_file(container_config_t)

type container_lock_t alias docker_lock_t;
files_lock_file(container_lock_t)

type container_log_t alias docker_log_t;
logging_log_file(container_log_t)

type container_runtime_tmp_t alias docker_tmp_t;
files_tmp_file(container_runtime_tmp_t)

type container_runtime_tmpfs_t alias docker_tmpfs_t;
files_tmpfs_file(container_runtime_tmpfs_t)

type container_var_run_t alias docker_var_run_t;
files_pid_file(container_var_run_t)

type container_plugin_var_run_t alias docker_plugin_var_run_t;
files_pid_file(container_plugin_var_run_t)

type container_unit_file_t alias docker_unit_file_t;
systemd_unit_file(container_unit_file_t)

type container_devpts_t alias docker_devpts_t;
term_pty(container_devpts_t)

typealias container_ro_file_t alias { container_share_t docker_share_t };
typeattribute container_ro_file_t container_file_type, user_home_type;
files_mountpoint(container_ro_file_t)
userdom_user_home_content(container_ro_file_t)

type container_port_t alias docker_port_t;
corenet_port(container_port_t)

init_daemon_domain(container_runtime_t, container_runtime_exec_t)
#ifdef(`enable_mcs',`
#	init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mcs_systemhigh)
#')

ifdef(`enable_mls',`
	init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mls_systemhigh)
')
mls_trusted_object(container_runtime_t)


########################################
#
# container local policy
#
allow container_runtime_domain self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap sys_resource };
allow container_runtime_domain self:tun_socket { create_socket_perms relabelto };
allow container_runtime_domain self:process ~setcurrent;
allow container_runtime_domain self:passwd rootok;
allow container_runtime_domain self:fd use;
allow container_runtime_domain self:dir mounton;
allow container_runtime_domain self:file mounton;

allow container_runtime_domain self:fifo_file rw_fifo_file_perms;
allow container_runtime_domain self:fifo_file manage_file_perms;
allow container_runtime_domain self:msg all_msg_perms;
allow container_runtime_domain self:sem create_sem_perms;
allow container_runtime_domain self:shm create_shm_perms;
allow container_runtime_domain self:msgq create_msgq_perms;
allow container_runtime_domain self:unix_stream_socket create_stream_socket_perms;
allow container_runtime_domain self:tcp_socket create_stream_socket_perms;
allow container_runtime_domain self:udp_socket create_socket_perms;
allow container_runtime_domain self:capability2 block_suspend;
allow container_runtime_domain container_port_t:tcp_socket name_bind;
allow container_runtime_domain port_t:icmp_socket name_bind;
allow container_runtime_domain self:filesystem associate;
allow container_runtime_domain self:packet_socket create_socket_perms;
allow container_runtime_domain self:socket create_socket_perms;
allow container_runtime_domain self:rawip_socket create_stream_socket_perms;
allow container_runtime_domain self:netlink_netfilter_socket create_socket_perms;
allow container_runtime_domain self:netlink_kobject_uevent_socket create_socket_perms;
allow container_runtime_domain self:netlink_tcpdiag_socket create_netlink_socket_perms;
allow container_runtime_domain self:netlink_socket create_socket_perms;

corenet_tcp_bind_generic_node(container_runtime_domain)
corenet_udp_bind_generic_node(container_runtime_domain)
corenet_raw_bind_generic_node(container_runtime_domain)
corenet_tcp_sendrecv_all_ports(container_runtime_domain)
corenet_udp_sendrecv_all_ports(container_runtime_domain)
corenet_udp_bind_all_ports(container_runtime_domain)
corenet_tcp_bind_all_ports(container_runtime_domain)
corenet_tcp_connect_all_ports(container_runtime_domain)
corenet_sctp_bind_all_ports(container_net_domain)
corenet_sctp_connect_all_ports(container_net_domain)
corenet_rw_tun_tap_dev(container_runtime_domain)

container_auth_stream_connect(container_runtime_domain)

manage_files_pattern(container_runtime_domain, container_file_type, container_file_type)
manage_lnk_files_pattern(container_runtime_domain, container_file_type, container_file_type)
manage_blk_files_pattern(container_runtime_domain, container_file_type, container_file_type)
allow container_runtime_domain container_domain:key manage_key_perms;
manage_sock_files_pattern(container_runtime_domain, container_file_type, container_file_type)
allow container_runtime_domain container_file_type:dir_file_class_set {relabelfrom relabelto execmod};
allow container_runtime_domain container_file_type:dir_file_class_set mmap_file_perms;

manage_files_pattern(container_runtime_domain, container_home_t, container_home_t)
manage_dirs_pattern(container_runtime_domain, container_home_t, container_home_t)
manage_lnk_files_pattern(container_runtime_domain, container_home_t, container_home_t)
userdom_admin_home_dir_filetrans(container_runtime_domain, container_home_t, dir, ".container")
userdom_manage_user_home_content(container_runtime_domain)
userdom_map_user_home_files(container_runtime_t)

manage_dirs_pattern(container_runtime_domain, container_config_t, container_config_t)
manage_files_pattern(container_runtime_domain, container_config_t, container_config_t)
files_etc_filetrans(container_runtime_domain, container_config_t, dir, "containers")

manage_dirs_pattern(container_runtime_domain, container_lock_t, container_lock_t)
manage_files_pattern(container_runtime_domain, container_lock_t, container_lock_t)
files_lock_filetrans(container_runtime_domain, container_lock_t, { dir file }, "lxc")
files_manage_generic_locks(container_runtime_domain)

manage_dirs_pattern(container_runtime_domain, container_log_t, container_log_t)
manage_files_pattern(container_runtime_domain, container_log_t, container_log_t)
manage_lnk_files_pattern(container_runtime_domain, container_log_t, container_log_t)

logging_read_syslog_pid(container_runtime_domain)
logging_log_filetrans(container_runtime_domain, container_log_t, { dir file lnk_file })

allow container_runtime_domain container_log_t:dir_file_class_set { relabelfrom relabelto };
filetrans_pattern(container_runtime_domain, container_var_lib_t, container_log_t, file, "container-json.log")
allow container_runtime_domain { container_var_lib_t container_ro_file_t }:file entrypoint;

manage_dirs_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
manage_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
manage_sock_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
manage_lnk_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)

manage_dirs_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
manage_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
manage_lnk_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
manage_fifo_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
manage_chr_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
manage_blk_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
allow container_runtime_domain container_runtime_tmpfs_t:dir relabelfrom;
can_exec(container_runtime_domain, container_runtime_tmpfs_t)
fs_tmpfs_filetrans(container_runtime_domain, container_runtime_tmpfs_t, dir_file_class_set)
allow container_runtime_domain container_runtime_tmpfs_t:chr_file mounton;

manage_dirs_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
manage_sock_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
allow container_runtime_domain container_ro_file_t:dir_file_class_set { relabelfrom relabelto };
can_exec(container_runtime_domain, container_ro_file_t)

manage_dirs_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
manage_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
manage_chr_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
manage_blk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)

manage_dirs_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)

filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "init")
filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay")
filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay2")
filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "config.env")
filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "hostname")
filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "hosts")

#container_filetrans_named_content(container_runtime_domain)

manage_dirs_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
manage_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
manage_chr_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
manage_blk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
allow container_runtime_domain container_var_lib_t:dir_file_class_set { relabelfrom relabelto };
files_var_lib_filetrans(container_runtime_domain, container_var_lib_t, { dir file lnk_file })
files_var_filetrans(container_runtime_domain, container_var_lib_t, dir, "containers")

manage_dirs_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
manage_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
manage_fifo_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
manage_sock_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
allow container_runtime_domain container_var_run_t:dir_file_class_set relabelfrom;

allow container_runtime_domain container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(container_runtime_domain, container_devpts_t)
term_use_all_ttys(container_runtime_domain)
term_use_all_inherited_terms(container_runtime_domain)

mls_file_read_to_clearance(container_runtime_t)
mls_file_relabel_to_clearance(container_runtime_t)
mls_file_write_to_clearance(container_runtime_t)
mls_process_read_to_clearance(container_runtime_t)
mls_process_write_to_clearance(container_runtime_t)
mls_socket_read_to_clearance(container_runtime_t)
mls_socket_write_to_clearance(container_runtime_t)
mls_sysvipc_read_to_clearance(container_runtime_t)
mls_sysvipc_write_to_clearance(container_runtime_t)

kernel_read_network_state(container_runtime_domain)
kernel_read_all_sysctls(container_runtime_domain)
kernel_rw_net_sysctls(container_runtime_domain)
kernel_setsched(container_runtime_domain)
kernel_rw_all_sysctls(container_runtime_domain)
kernel_mounton_all_proc(container_runtime_domain)
fs_getattr_all_fs(container_runtime_domain)

domain_obj_id_change_exemption(container_runtime_t)
domain_subj_id_change_exemption(container_runtime_t)
domain_role_change_exemption(container_runtime_t)
domain_use_interactive_fds(container_runtime_domain)
domain_dontaudit_read_all_domains_state(container_runtime_domain)
domain_sigchld_all_domains(container_runtime_domain)
domain_use_interactive_fds(container_runtime_domain)
domain_read_all_domains_state(container_runtime_domain)
domain_getattr_all_domains(container_runtime_domain)

userdom_map_tmp_files(container_runtime_domain)

anaconda_domtrans_install(container_runtime_domain)

optional_policy(`
	gnome_map_generic_data_home_files(container_runtime_domain)
	allow container_runtime_domain data_home_t:dir { relabelfrom relabelto };
')

gen_require(`
	attribute domain;
')

allow container_runtime_domain domain:fifo_file rw_fifo_file_perms;
allow container_runtime_domain domain:fd use;

corecmd_exec_bin(container_runtime_domain)
corecmd_exec_shell(container_runtime_domain)
corecmd_exec_all_executables(container_runtime_domain)
corecmd_bin_entry_type(container_runtime_domain)
corecmd_shell_entry_type(container_runtime_domain)

corenet_tcp_bind_generic_node(container_runtime_domain)
corenet_tcp_sendrecv_generic_if(container_runtime_domain)
corenet_tcp_sendrecv_generic_node(container_runtime_domain)
corenet_tcp_sendrecv_generic_port(container_runtime_domain)
corenet_tcp_bind_all_ports(container_runtime_domain)
corenet_tcp_connect_http_port(container_runtime_domain)
corenet_tcp_connect_commplex_main_port(container_runtime_domain)
corenet_udp_sendrecv_generic_if(container_runtime_domain)
corenet_udp_sendrecv_generic_node(container_runtime_domain)
corenet_udp_sendrecv_all_ports(container_runtime_domain)
corenet_udp_bind_generic_node(container_runtime_domain)
corenet_udp_bind_all_ports(container_runtime_domain)

files_read_kernel_modules(container_runtime_domain)
files_read_config_files(container_runtime_domain)
files_dontaudit_getattr_all_dirs(container_runtime_domain)
files_dontaudit_getattr_all_files(container_runtime_domain)
files_execmod_all_files(container_runtime_domain)
files_search_all(container_runtime_domain)
files_read_usr_symlinks(container_runtime_domain)
files_search_locks(container_runtime_domain)
files_dontaudit_unmount_all_mountpoints(container_runtime_domain)

fs_read_cgroup_files(container_runtime_domain)
fs_read_tmpfs_symlinks(container_runtime_domain)
fs_search_all(container_runtime_domain)
fs_getattr_all_fs(container_runtime_domain)
fs_rw_onload_sockets(container_runtime_domain)

auth_dontaudit_getattr_shadow(container_runtime_domain)

init_read_state(container_runtime_domain)
init_status(container_runtime_domain)
init_stop(container_runtime_domain)
init_start(container_runtime_domain)
init_manage_config_transient_files(container_runtime_domain)

logging_send_audit_msgs(container_runtime_domain)

miscfiles_read_localization(container_runtime_domain)
miscfiles_dontaudit_access_check_cert(container_runtime_domain)
miscfiles_dontaudit_setattr_fonts_cache_dirs(container_runtime_domain)
miscfiles_read_fonts(container_runtime_domain)
miscfiles_read_hwdata(container_runtime_domain)
fs_relabel_cgroup_dirs(container_runtime_domain)
# fs_relabel_cgroup_files(container_runtime_domain)
allow container_runtime_domain container_domain:file relabelfrom;

mount_domtrans(container_runtime_domain)

seutil_read_default_contexts(container_runtime_domain)
seutil_read_config(container_runtime_domain)

sysnet_dns_name_resolve(container_runtime_domain)
sysnet_exec_ifconfig(container_runtime_domain)

optional_policy(`
	cron_system_entry(container_runtime_t, container_runtime_exec_t)
')

optional_policy(`
	ssh_use_ptys(container_runtime_domain)
')

optional_policy(`
	rpm_exec(container_runtime_domain)
	rpm_read_cache(container_runtime_domain)
	rpm_read_db(container_runtime_domain)
	rpm_exec(container_runtime_domain)
')

optional_policy(`
	fstools_domtrans(container_runtime_domain)
')

optional_policy(`
	gen_require(`
		role unconfined_r;
	')
	iptables_run(container_runtime_domain, unconfined_r)

	container_read_pid_files(iptables_t)
	container_read_state(iptables_t)
	container_append_file(iptables_t)
	allow iptables_t container_runtime_domain:fifo_file rw_fifo_file_perms;
	allow iptables_t container_file_type:dir list_dir_perms;
')

optional_policy(`
	openvswitch_stream_connect(container_runtime_domain)
')

optional_policy(`
	gen_require(`
		attribute named_filetrans_domain;
	')
	container_filetrans_named_content(named_filetrans_domain)
')

#
# lxc rules
#

allow container_runtime_domain self:capability ~{ sys_module };
allow container_runtime_domain self:capability2 ~{ mac_override mac_admin };
allow container_runtime_domain self:cap_userns ~{ sys_module };
allow container_runtime_domain self:cap2_userns ~{ mac_override mac_admin };

allow container_runtime_domain self:process { getcap setcap setexec setpgid setsched signal_perms };

allow container_runtime_domain self:netlink_route_socket rw_netlink_socket_perms;;
allow container_runtime_domain self:netlink_xfrm_socket create_netlink_socket_perms;
allow container_runtime_domain self:netlink_audit_socket create_netlink_socket_perms;
allow container_runtime_domain self:unix_dgram_socket { create_socket_perms sendto };
allow container_runtime_domain self:unix_stream_socket { create_stream_socket_perms connectto };

allow container_runtime_domain container_var_lib_t:dir mounton;
allow container_runtime_domain container_var_lib_t:chr_file mounton;
can_exec(container_runtime_domain, container_var_lib_t)

kernel_dontaudit_setsched(container_runtime_domain)
kernel_get_sysvipc_info(container_runtime_domain)
kernel_request_load_module(container_runtime_domain)
kernel_mounton_messages(container_runtime_domain)
kernel_mounton_all_proc(container_runtime_domain)
kernel_mounton_all_sysctls(container_runtime_domain)
kernel_list_all_proc(container_runtime_domain)
kernel_read_all_sysctls(container_runtime_domain)
kernel_rw_net_sysctls(container_runtime_domain)
kernel_rw_unix_sysctls(container_runtime_domain)
kernel_dontaudit_search_kernel_sysctl(container_runtime_domain)
kernel_dontaudit_access_check_proc(container_runtime_domain)
kernel_dontaudit_setattr_proc_files(container_runtime_domain)
kernel_dontaudit_setattr_proc_dirs(container_runtime_domain)
kernel_dontaudit_write_usermodehelper_state(container_runtime_domain)

dev_setattr_null_dev(container_runtime_t)
dev_getattr_all(container_runtime_domain)
dev_getattr_sysfs_fs(container_runtime_domain)
dev_read_rand(container_runtime_domain)
dev_read_urand(container_runtime_domain)
dev_read_lvm_control(container_runtime_domain)
dev_rw_sysfs(container_runtime_domain)
dev_rw_loop_control(container_runtime_domain)
dev_rw_lvm_control(container_runtime_domain)
dev_read_mtrr(container_runtime_domain)

userdom_map_user_home_files(container_runtime_t)

files_getattr_isid_type_dirs(container_runtime_domain)
files_manage_isid_type_dirs(container_runtime_domain)
files_manage_isid_type_files(container_runtime_domain)
files_manage_isid_type_symlinks(container_runtime_domain)
files_manage_isid_type_chr_files(container_runtime_domain)
files_manage_isid_type_blk_files(container_runtime_domain)
files_manage_etc_dirs(container_runtime_domain)
files_manage_etc_files(container_runtime_domain)
files_exec_isid_files(container_runtime_domain)
files_mounton_isid(container_runtime_domain)
files_mounton_non_security(container_runtime_domain)
files_mounton_isid_type_chr_file(container_runtime_domain)

files_mounton_isid(container_runtime_domain)
fs_getattr_all_fs(container_runtime_domain)
fs_list_hugetlbfs(container_runtime_domain)
fs_manage_cgroup_dirs(container_runtime_domain)
fs_manage_cgroup_files(container_runtime_domain)
fs_manage_hugetlbfs_files(container_runtime_domain)
fs_mount_all_fs(container_runtime_domain)
fs_read_tmpfs_symlinks(container_runtime_domain)
fs_read_tmpfs_symlinks(container_runtime_domain)
fs_relabelfrom_tmpfs(container_runtime_domain)
fs_relabelfrom_xattr_fs(container_runtime_domain)
fs_remount_all_fs(container_runtime_domain)
fs_rw_inherited_tmpfs_files(container_runtime_domain)
fs_rw_nsfs_files(container_runtime_domain)
fs_search_tmpfs(container_runtime_domain)
fs_set_xattr_fs_quotas(container_runtime_domain)
fs_unmount_all_fs(container_runtime_domain)


term_use_generic_ptys(container_runtime_domain)
term_use_ptmx(container_runtime_domain)
term_getattr_pty_fs(container_runtime_domain)
term_relabel_pty_fs(container_runtime_domain)
term_mounton_unallocated_ttys(container_runtime_domain)

modutils_domtrans_kmod(container_runtime_domain)

systemd_status_all_unit_files(container_runtime_domain)
systemd_start_systemd_services(container_runtime_domain)
systemd_dbus_chat_logind(container_runtime_domain)
systemd_chat_resolved(container_runtime_domain)

userdom_stream_connect(container_runtime_domain)
userdom_search_user_home_content(container_runtime_domain)
userdom_read_all_users_state(container_runtime_domain)
userdom_relabel_user_home_files(container_runtime_domain)
userdom_relabel_user_tmp_files(container_runtime_domain)
userdom_relabel_user_tmp_dirs(container_runtime_domain)
userdom_use_inherited_user_terminals(container_runtime_domain)
userdom_use_user_ptys(container_runtime_domain)
userdom_connectto_stream(container_runtime_domain)
allow container_domain init_t:socket_class_set { accept ioctl read getattr lock write append getopt };

tunable_policy(`virt_use_nfs',`
	fs_manage_nfs_dirs(container_runtime_domain)
	fs_manage_nfs_files(container_runtime_domain)
	fs_manage_nfs_named_sockets(container_runtime_domain)
	fs_manage_nfs_symlinks(container_runtime_domain)
	fs_remount_nfs(container_runtime_domain)
	fs_mount_nfs(container_runtime_domain)
	fs_exec_nfs_files(container_runtime_domain)
	kernel_rw_fs_sysctls(container_runtime_domain)
	allow container_runtime_domain nfs_t:file execmod;
')

tunable_policy(`virt_use_samba',`
	fs_manage_cifs_files(container_runtime_domain)
	fs_manage_cifs_dirs(container_runtime_domain)
	fs_manage_cifs_named_sockets(container_runtime_domain)
	fs_manage_cifs_symlinks(container_runtime_domain)
	fs_exec_cifs_files(container_runtime_domain)
	allow container_runtime_domain cifs_t:file execmod;

	fs_manage_cifs_files(container_domain)
	fs_manage_cifs_dirs(container_domain)
	fs_manage_cifs_named_sockets(container_domain)
	fs_manage_cifs_symlinks(container_domain)
	fs_exec_cifs_files(container_domain)
	allow container_domain cifs_t:file execmod;
')

tunable_policy(`virt_use_nfs',`
	fs_manage_nfs_dirs(container_domain)
	fs_manage_nfs_files(container_domain)
	fs_manage_nfs_named_sockets(container_domain)
	fs_manage_nfs_symlinks(container_domain)
	fs_mount_nfs(container_domain)
	fs_unmount_nfs(container_domain)
	fs_exec_nfs_files(container_domain)
	allow container_domain nfs_t:file execmod;
')

gen_require(`
	type cephfs_t;
')

tunable_policy(`container_use_cephfs',`
	manage_files_pattern(container_domain, cephfs_t, cephfs_t)
	manage_lnk_files_pattern(container_domain, cephfs_t, cephfs_t)
	manage_dirs_pattern(container_domain, cephfs_t, cephfs_t)
	exec_files_pattern(container_domain, cephfs_t, cephfs_t)
	allow container_domain cephfs_t:file execmod;
')

tunable_policy(`container_read_certs',`
	miscfiles_read_all_certs(container_domain)
')

gen_require(`
	type ecryptfs_t;
')

tunable_policy(`container_use_ecryptfs',`
	manage_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
	manage_lnk_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
	manage_dirs_pattern(container_domain, ecryptfs_t, ecryptfs_t)
	exec_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
	allow container_domain ecryptfs_t:file execmod;
')

fs_manage_fusefs_named_sockets(container_runtime_domain)
fs_manage_fusefs_dirs(container_runtime_domain)
fs_manage_fusefs_files(container_runtime_domain)
fs_manage_fusefs_symlinks(container_runtime_domain)
fs_mount_fusefs(container_runtime_domain)
fs_exec_fusefs_files(container_runtime_domain)
storage_rw_fuse(container_runtime_domain)

files_search_all(container_domain)
container_read_share_files(container_domain)
container_exec_share_files(container_domain)
allow container_domain container_ro_file_t:file execmod;
container_lib_filetrans(container_domain,container_file_t, sock_file)
container_use_ptys(container_domain)
container_spc_stream_connect(container_domain)

optional_policy(`
	apache_exec_modules(container_runtime_domain)
	apache_read_sys_content(container_runtime_domain)
')

optional_policy(`
	gpm_getattr_gpmctl(container_runtime_domain)
')

optional_policy(`
	dbus_system_bus_client(container_runtime_domain)
	dbus_session_bus_client(container_runtime_domain)
	init_dbus_chat(container_runtime_domain)
	init_start_transient_unit(container_runtime_domain)

	optional_policy(`
		systemd_dbus_chat_logind(container_runtime_domain)
		systemd_dbus_chat_machined(container_runtime_domain)
	')

	optional_policy(`
		dnsmasq_dbus_chat(container_runtime_domain)
	')

	optional_policy(`
		firewalld_dbus_chat(container_runtime_domain)
	')
')

optional_policy(`
	lvm_domtrans(container_runtime_domain)
')

optional_policy(`
	gen_require(`
		type systemd_logind_t;
	')

	domtrans_pattern(systemd_logind_t, container_runtime_exec_t , container_runtime_t)
	container_manage_dirs(systemd_logind_t)
	container_manage_files(systemd_logind_t)
')

optional_policy(`
	udev_read_db(container_runtime_domain)
')

optional_policy(`
	gen_require(`
		role unconfined_r;
	')
	role unconfined_r types container_user_domain;
	role unconfined_r types spc_t;
	unconfined_domain(container_runtime_t)
	unconfined_run_to(container_runtime_t, container_runtime_exec_t)
	allow container_domain unconfined_domain_type:fifo_file { rw_fifo_file_perms map };
	allow container_runtime_domain unconfined_t:fifo_file setattr;
	allow unconfined_domain_type container_domain:process {transition dyntransition};
	allow unconfined_t unlabeled_t:key manage_key_perms;
	allow container_runtime_t unconfined_t:process transition;
	allow unconfined_domain_type { container_var_lib_t container_ro_file_t }:file entrypoint;
	fs_fusefs_entrypoint(unconfined_domain_type)

	domtrans_pattern(unconfined_domain_type, container_runtime_exec_t , container_runtime_t)
')

optional_policy(`
	gen_require(`
		type virtd_lxc_t;
	')
	virt_read_config(container_runtime_domain)
	virt_exec(container_runtime_domain)
	virt_stream_connect(container_runtime_domain)
	virt_stream_connect_sandbox(container_runtime_domain)
	virt_exec_sandbox_files(container_runtime_domain)
	virt_manage_sandbox_files(container_runtime_domain)
	virt_relabel_sandbox_filesystem(container_runtime_domain)
	# for lxc
	virt_mounton_sandbox_file(container_runtime_domain)
#	virt_attach_sandbox_tun_iface(container_runtime_domain)
	allow container_runtime_domain container_domain:tun_socket relabelfrom;
	virt_sandbox_entrypoint(container_runtime_domain)
	allow container_runtime_domain virtd_lxc_t:unix_stream_socket { rw_stream_socket_perms connectto };

')

tunable_policy(`container_connect_any',`
    corenet_tcp_connect_all_ports(container_runtime_domain)
    corenet_sendrecv_all_packets(container_runtime_domain)
    corenet_tcp_sendrecv_all_ports(container_runtime_domain)
')

########################################
#
# spc local policy
#
allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint;
role system_r types spc_t;

domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
domtrans_pattern(container_runtime_domain, fusefs_t, spc_t)
fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file })

allow container_runtime_domain spc_t:process2 { nnp_transition nosuid_transition };
allow spc_t container_file_type:file execmod;

admin_pattern(spc_t, kubernetes_file_t)

allow spc_t container_runtime_domain:fifo_file manage_fifo_file_perms;
allow spc_t { container_ro_file_t container_file_t }:system module_load;

allow container_runtime_domain spc_t:process { dyntransition setsched signal_perms };
ps_process_pattern(container_runtime_domain, spc_t)
allow container_runtime_domain spc_t:socket_class_set { relabelto relabelfrom };
allow spc_t unlabeled_t:key manage_key_perms;
allow spc_t unlabeled_t:socket_class_set create_socket_perms;
fs_fusefs_entrypoint(spc_t)
corecmd_entrypoint_all_executables(spc_t)

init_dbus_chat(spc_t)

optional_policy(`
	systemd_dbus_chat_machined(spc_t)
	systemd_dbus_chat_logind(spc_t)
	systemd_dbus_chat_timedated(spc_t)
	systemd_dbus_chat_localed(spc_t)
')

domain_transition_all(spc_t)

anaconda_domtrans_install(spc_t)

optional_policy(`
	dbus_chat_system_bus(spc_t)
	dbus_chat_session_bus(spc_t)
	dnsmasq_dbus_chat(spc_t)
')

optional_policy(`
	unconfined_domain_noaudit(spc_t)
	domain_ptrace_all_domains(spc_t)
	# This should eventually be in upstream policy.
	# https://github.com/fedora-selinux/selinux-policy/pull/806
	allow spc_t domain:bpf { map_create map_read map_write prog_load prog_run };
	allow daemon spc_t:dbus send_msg;
')

optional_policy(`
	virt_transition_svirt_sandbox(spc_t, system_r)
	virt_sandbox_entrypoint(spc_t)
	virt_sandbox_domtrans(container_runtime_domain, spc_t)
	virt_transition_svirt(spc_t, system_r)
	virt_sandbox_entrypoint(container_file_t)
	virt_sandbox_entrypoint(container_ro_file_t)

	gen_require(`
		attribute virt_domain;
		type virtd_t;
		role unconfined_r;
	')
	role unconfined_r types virt_domain;
	role unconfined_r types virtd_t;
	container_spc_read_state(virt_domain)
	container_spc_rw_pipes(virt_domain)
	allow container_runtime_t virtd_t:process transition;
	allow container_runtime_t virt_domain:process transition;
	allow virt_domain container_file_t:file entrypoint;
	allow virtd_t container_file_t:file entrypoint;
	manage_files_pattern(virt_domain, container_file_t, container_file_t)
	manage_dirs_pattern(virt_domain, container_file_t, container_file_t)
	manage_lnk_files_pattern(virt_domain, container_file_t, container_file_t)
	read_files_pattern(virt_domain, container_ro_file_t, container_ro_file_t)
	read_lnk_files_pattern(virt_domain, container_ro_file_t, container_ro_file_t)

	can_exec(virt_domain, container_file_t)

	manage_files_pattern(virtd_t, container_file_t, container_file_t)
	manage_dirs_pattern(virtd_t, container_file_t, container_file_t)
	manage_lnk_files_pattern(virtd_t, container_file_t, container_file_t)
	read_files_pattern(virtd_t, container_ro_file_t, container_ro_file_t)
	read_lnk_files_pattern(virtd_t, container_ro_file_t, container_ro_file_t)

	can_exec(virtd_t, container_file_t)


')

########################################
#
# container_auth local policy
#
allow container_auth_t self:fifo_file rw_fifo_file_perms;
allow container_auth_t self:unix_stream_socket create_stream_socket_perms;
dontaudit container_auth_t self:capability net_admin;

container_stream_connect(container_auth_t)

manage_dirs_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
manage_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
manage_sock_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
manage_lnk_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
files_pid_filetrans(container_auth_t, container_plugin_var_run_t, { dir file lnk_file sock_file })

stream_connect_pattern(container_runtime_domain, container_plugin_var_run_t, container_plugin_var_run_t, container_auth_t)
list_dirs_pattern(container_runtime_domain, container_plugin_var_run_t, container_plugin_var_run_t)

domain_use_interactive_fds(container_auth_t)

kernel_read_net_sysctls(container_auth_t)

auth_use_nsswitch(container_auth_t)

files_read_etc_files(container_auth_t)

miscfiles_read_localization(container_auth_t)

sysnet_dns_name_resolve(container_auth_t)

########################################
#
# container_t local policy
#
# Currently this is called in virt.te
# virt_sandbox_domain_template(container)
# typealias container_t alias svirt_lxc_net_t;
gen_require(`
	type container_t;
	type container_file_t;
')
container_manage_files_template(container, container)

typeattribute container_file_t container_file_type, user_home_type;
typeattribute container_t container_domain, container_net_domain, container_user_domain;
allow container_user_domain self:process getattr;
allow container_domain { container_var_lib_t container_ro_file_t container_file_t container_runtime_tmpfs_t}:file entrypoint;
allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms;
allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map };
allow container_domain container_runtime_t:unix_dgram_socket sendto;

allow container_domain container_runtime_domain:tun_socket relabelfrom;
allow container_domain container_runtime_domain:fd use;
allow container_runtime_domain container_domain:fd use;
allow container_domain self:socket_class_set { create_socket_perms map accept };
allow container_domain self:lnk_file setattr;
allow container_domain self:user_namespace create;

dontaudit container_domain self:capability fsetid;
allow container_domain self:association sendto;
allow container_domain self:dir list_dir_perms;
dontaudit container_domain self:dir { write add_name };
allow container_domain self:file rw_file_perms;
allow container_domain self:lnk_file read_file_perms;
allow container_domain self:fifo_file create_fifo_file_perms;
allow container_domain self:fifo_file watch;
allow container_domain self:filesystem associate;
allow container_domain self:key manage_key_perms;
allow container_domain self:netlink_route_socket r_netlink_socket_perms;
allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
allow container_domain self:netlink_xfrm_socket create_socket_perms;
allow container_domain self:packet_socket create_socket_perms;
allow container_domain self:passwd rootok;
allow container_domain self:peer recv;
allow container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop setexec setfscreate};
allow container_domain self:sem create_sem_perms;
allow container_domain self:shm create_shm_perms;
allow container_domain self:socket create_socket_perms;
allow container_domain self:tcp_socket create_socket_perms;
allow container_domain self:tun_socket { create_socket_perms relabelfrom relabelto attach_queue };
allow container_domain self:udp_socket create_socket_perms;
allow container_domain self:unix_dgram_socket create_socket_perms;
allow container_domain self:unix_stream_socket create_stream_socket_perms;
dontaudit container_domain self:capability2  block_suspend ;
allow container_domain self:unix_stream_socket { sendto create_stream_socket_perms };
fs_fusefs_entrypoint(spc_t)

container_read_share_files(container_domain)
container_exec_share_files(container_domain)
container_use_ptys(container_domain)
container_spc_stream_connect(container_domain)

dev_dontaudit_mounton_sysfs(container_domain)
dev_dontaudit_mounton_sysfs(container_domain)
dev_dontaudit_mounton_sysfs(container_domain)
dev_getattr_mtrr_dev(container_domain)
dev_list_sysfs(container_domain)
dev_mounton_sysfs(container_t)
dev_read_mtrr(container_domain)
dev_read_rand(container_domain)
dev_read_sysfs(container_domain)
dev_read_urand(container_domain)
dev_rw_inherited_dri(container_domain)
dev_rw_kvm(container_domain)
dev_rwx_zero(container_domain)
dev_write_rand(container_domain)
dev_write_urand(container_domain)
allow container_domain sysfs_t:dir watch;

dontaudit container_domain container_runtime_tmpfs_t:dir read;
allow container_domain container_runtime_tmpfs_t:dir mounton;
can_exec(container_domain, container_runtime_tmpfs_t)

allow container_domain self:key manage_key_perms;
dontaudit container_domain container_domain:key search;

allow container_domain self:process { getrlimit getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
allow container_domain self:fifo_file manage_file_perms;
allow container_domain self:msg all_msg_perms;
allow container_domain self:sem create_sem_perms;
allow container_domain self:shm create_shm_perms;
allow container_domain self:msgq create_msgq_perms;
allow container_domain self:unix_stream_socket { create_stream_socket_perms connectto };
allow container_domain self:unix_dgram_socket { sendto create_socket_perms };
allow container_domain self:passwd rootok;
allow container_domain self:filesystem associate;
allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
allow container_domain container_runtime_domain:socket_class_set { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write };

kernel_getattr_proc(container_domain)
kernel_list_all_proc(container_domain)
kernel_read_all_sysctls(container_domain)
kernel_dontaudit_write_kernel_sysctl(container_domain)
kernel_read_network_state(container_domain)
kernel_rw_net_sysctls(container_domain)
kernel_rw_unix_sysctls(container_domain)
kernel_dontaudit_search_kernel_sysctl(container_domain)
kernel_dontaudit_access_check_proc(container_domain)
kernel_dontaudit_setattr_proc_files(container_domain)
kernel_dontaudit_setattr_proc_dirs(container_domain)
kernel_dontaudit_write_usermodehelper_state(container_domain)
kernel_read_irq_sysctls(container_domain)
kernel_get_sysvipc_info(container_domain)

fs_dontaudit_getattr_all_dirs(container_domain)
fs_dontaudit_getattr_all_files(container_domain)
fs_dontaudit_remount_tmpfs(container_domain)
fs_dontaudit_remount_tmpfs(container_domain)
fs_exec_fusefs_files(container_domain)
fs_exec_hugetlbfs_files(container_domain)
fs_fusefs_entrypoint(container_domain)
fs_getattr_all_fs(container_domain)
fs_list_cgroup_dirs(container_domain)
fs_list_hugetlbfs(container_domain)
fs_manage_bpf_files(container_domain)
fs_manage_fusefs_dirs(container_domain)
fs_manage_fusefs_files(container_domain)
fs_manage_fusefs_named_pipes(container_domain)
fs_manage_fusefs_named_sockets(container_domain)
fs_manage_fusefs_symlinks(container_domain)
fs_manage_hugetlbfs_files(container_domain)
fs_mount_fusefs(container_domain)
fs_unmount_fusefs(container_domain)
fs_mount_tmpfs(container_domain)
fs_unmount_tmpfs(container_domain)
fs_mount_xattr_fs(container_domain)
fs_unmount_xattr_fs(container_domain)
fs_mounton_cgroup(container_domain)
fs_mounton_fusefs(container_domain)
fs_read_cgroup_files(container_domain)
fs_read_nsfs_files(container_domain)
fs_read_tmpfs_symlinks(container_domain)
fs_remount_xattr_fs(container_domain)
fs_rw_inherited_tmpfs_files(container_domain)
fs_rw_onload_sockets(container_domain)
fs_search_tmpfs(container_domain)
fs_unmount_cgroup(container_domain)
fs_unmount_fusefs(container_domain)
fs_unmount_nsfs(container_domain)
fs_unmount_xattr_fs(container_domain)

term_use_all_inherited_terms(container_domain)

userdom_use_user_ptys(container_domain)
userdom_rw_inherited_user_pipes(container_domain)

domain_user_exemption_target(container_t)
domain_dontaudit_link_all_domains_keyrings(container_domain)
domain_dontaudit_search_all_domains_keyrings(container_domain)
domain_dontaudit_search_all_domains_state(container_domain)

virt_sandbox_net_domain(container_t)

logging_send_syslog_msg(container_t)

gen_require(`
	type container_file_t;
')
# fs_associate_cgroupfs(container_file_t)
gen_require(`
	type cgroup_t;
')

files_read_kernel_modules(container_domain)

allow container_file_t cgroup_t:filesystem associate;
term_pty(container_file_t)
logging_log_file(container_file_t)
tunable_policy(`virt_sandbox_use_sys_admin',`
	allow container_t self:capability sys_admin;
	allow container_t self:cap_userns sys_admin;
')

allow container_domain self:cap_userns sys_admin;
allow container_domain self:process { getsession execstack execmem };

corenet_unconfined(container_t)

optional_policy(`
	virt_default_capabilities(container_t)
')
kernel_rw_rpc_sysctls(container_domain)
kernel_rw_net_sysctls(container_domain)
kernel_read_messages(container_t)
kernel_read_network_state(container_domain)
kernel_dontaudit_write_proc_files(container_domain)

# Container Net Domain
corenet_tcp_bind_generic_node(container_net_domain)
corenet_udp_bind_generic_node(container_net_domain)
corenet_raw_bind_generic_node(container_net_domain)
corenet_tcp_sendrecv_all_ports(container_net_domain)
corenet_udp_sendrecv_all_ports(container_net_domain)
corenet_udp_bind_all_ports(container_net_domain)
corenet_tcp_bind_all_ports(container_net_domain)
corenet_tcp_connect_all_ports(container_net_domain)

allow container_net_domain self:udp_socket create_socket_perms;
allow container_net_domain self:tcp_socket create_stream_socket_perms;
allow container_net_domain self:tun_socket create_socket_perms;
allow container_net_domain self:netlink_route_socket create_netlink_socket_perms;
allow container_net_domain self:sctp_socket listen;
allow container_net_domain self:packet_socket create_socket_perms;
allow container_net_domain self:socket create_socket_perms;
allow container_net_domain self:rawip_socket create_stream_socket_perms;
allow container_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
allow container_net_domain self:netlink_xfrm_socket create_netlink_socket_perms;

allow container_domain spc_t:unix_stream_socket { read write };
kernel_unlabeled_domtrans(container_runtime_domain, spc_t)
kernel_unlabeled_entry_type(spc_t)
allow container_runtime_domain unlabeled_t:key manage_key_perms;
#kernel_dontaudit_write_usermodehelper_state(container_t)
gen_require(`
	type usermodehelper_t;
')
dontaudit container_domain usermodehelper_t:file write;

sysnet_read_config(container_domain)

allow container_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };

optional_policy(`
	gssproxy_stream_connect(container_domain)
')

optional_policy(`
	rpm_read_cache(container_domain)
	rpm_read_db(container_domain)
	rpm_transition_script(spc_t, system_r)
')

optional_policy(`
	sssd_stream_connect(container_domain)
')

optional_policy(`
	systemd_dbus_chat_logind(container_domain)
')

tunable_policy(`container_manage_cgroup',`
	fs_manage_cgroup_dirs(container_domain)
	fs_manage_cgroup_files(container_domain)
')

storage_rw_fuse(container_domain)
allow container_domain fusefs_t:file { mounton execmod };
allow container_domain fusefs_t:filesystem remount;

tunable_policy(`virt_sandbox_use_netlink',`
	allow container_domain self:netlink_socket create_socket_perms;
	allow container_domain self:netlink_tcpdiag_socket create_netlink_socket_perms;
	allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
', `
	logging_dontaudit_send_audit_msgs(container_domain)
')

tunable_policy(`virt_sandbox_use_audit',`
	logging_send_audit_msgs(container_t)
')

optional_policy(`
	gen_require(`
		type sysctl_kernel_ns_last_pid_t;
	')

	kernel_search_network_sysctl(container_domain)
	allow container_domain sysctl_kernel_ns_last_pid_t:file rw_file_perms;
	allow container_domain sysctl_kernel_ns_last_pid_t:dir list_dir_perms;
')

tunable_policy(`virt_sandbox_use_all_caps',`
	allow container_domain self:capability ~{ sys_module };
	allow container_domain self:capability2 ~{ mac_override mac_admin };
	allow container_domain self:cap_userns ~{ sys_module };
	allow container_domain self:cap2_userns ~{ mac_override mac_admin };
')

tunable_policy(`virt_sandbox_use_mknod',`
	allow container_domain self:capability mknod;
	allow container_domain self:cap_userns mknod;
')

optional_policy(`
	gen_require(`
		role unconfined_r;
		type unconfined_service_t;
		type unconfined_service_exec_t;
	')

	virt_transition_svirt_sandbox(unconfined_service_t, system_r)
	container_filetrans_named_content(unconfined_service_t)
	container_runtime_domtrans(unconfined_service_t)
	role_transition unconfined_r unconfined_service_exec_t system_r;
	allow container_runtime_domain unconfined_service_t:fifo_file setattr;
	allow unconfined_service_t container_domain:process dyntransition;
	allow unconfined_service_t unlabeled_t:key manage_key_perms;
')

optional_policy(`
	gen_require(`
		attribute unconfined_domain_type;
	')

	container_filetrans_named_content(unconfined_domain_type)
	allow unconfined_domain_type container_domain:process2 { nnp_transition nosuid_transition };
       allow unconfined_domain_type unlabeled_t:key manage_key_perms;
')

#
# container_userns_t policy
#
container_domain_template(container_userns, container)

typeattribute  container_userns_t sandbox_net_domain, container_user_domain;
dev_mount_sysfs_fs(container_userns_t)
dev_mounton_sysfs(container_userns_t)

fs_mount_tmpfs(container_userns_t)
fs_unmount_tmpfs(container_userns_t)
fs_relabelfrom_tmpfs(container_userns_t)
fs_remount_cgroup(container_userns_t)

kernel_mount_proc(container_userns_t)
kernel_mounton_proc(container_userns_t)

term_use_generic_ptys(container_userns_t)
term_setattr_generic_ptys(container_userns_t)
term_mount_pty_fs(container_userns_t)

allow container_userns_t self:capability ~{ sys_module };
allow container_userns_t self:capability2 ~{ mac_override mac_admin };
allow container_userns_t self:cap_userns ~{ sys_module };
allow container_userns_t self:cap2_userns ~{ mac_override mac_admin };
allow container_userns_t self:capability mknod;
allow container_userns_t self:cap_userns mknod;

optional_policy(`
	gen_require(`
		type proc_t, proc_kcore_t;
		type sysctl_t, sysctl_irq_t;
	')

	allow container_userns_t proc_t:filesystem { remount };
	allow container_userns_t proc_kcore_t:file mounton;
	allow container_userns_t sysctl_irq_t:dir mounton;
	allow container_userns_t sysctl_t:dir mounton;
	allow container_userns_t sysctl_t:file mounton;
')


tunable_policy(`virt_sandbox_use_sys_admin',`
	allow container_userns_t self:capability sys_admin;
	allow container_userns_t self:cap_userns sys_admin;
')

# Container Logreader
container_domain_template(container_logreader, container)
typeattribute container_logreader_t container_net_domain;
logging_read_all_logs(container_logreader_t)
# Remove once https://github.com/fedora-selinux/selinux-policy/pull/898 merges
allow container_logreader_t logfile:lnk_file read_lnk_file_perms;
logging_read_audit_log(container_logreader_t)
logging_list_logs(container_logreader_t)

# Container Logwriter
container_domain_template(container_logwriter, container)
typeattribute container_logwriter_t container_net_domain;
logging_read_all_logs(container_logwriter_t)
manage_files_pattern(container_logwriter_t, logfile, logfile)
manage_dirs_pattern(container_logwriter_t, logfile, logfile)
manage_lnk_files_pattern(container_logwriter_t, logfile, logfile)
logging_manage_audit_log(container_logwriter_t)

optional_policy(`
	gen_require(`
		type sysadm_t, staff_t, user_t;
		role sysadm_r, staff_r, user_r;
		attribute userdomain;
	')

	allow userdomain container_domain:process transition;

	can_exec(userdomain, container_runtime_exec_t)
	container_manage_files(userdomain)
	container_manage_share_dirs(userdomain)
	container_manage_share_files(userdomain)

	allow userdomain conmon_exec_t:file entrypoint;
	container_runtime_run(sysadm_t, sysadm_r)
	role sysadm_r types container_domain;
	role sysadm_r types spc_t;

	container_runtime_run(staff_t, staff_r)
	role staff_r types container_user_domain;

	allow userdomain self:cap_userns ~{ sys_module };
	container_read_state(userdomain)
	allow userdomain container_runtime_t:process { noatsecure rlimitinh siginh };
	container_runtime_run(user_t, user_r)
	role user_r types container_user_domain;

	staff_role_change_to(system_r)

	allow staff_t container_runtime_t:process signal_perms;
	allow staff_t container_domain:process signal_perms;
	allow container_domain userdomain:socket_class_set { accept ioctl read getattr lock write append getopt shutdown setopt };
')

gen_require(`
	type init_t;
')
container_manage_lib_files(init_t)
container_manage_lib_dirs(init_t)
container_manage_share_files(init_t)
container_manage_share_dirs(init_t)
container_filetrans_named_content(init_t)
container_runtime_read_tmpfs_files(init_t)

gen_require(`
	attribute device_node;
	type device_t;
	attribute sysctl_type;
')
dontaudit container_domain device_node:chr_file setattr;
dontaudit container_domain sysctl_type:file write;
allow container_domain init_t:unix_stream_socket { accept ioctl read getattr lock write append getopt };

allow container_t proc_t:filesystem remount;

# Container kvm - Policy for running kata containers
container_domain_template(container_kvm, container)
typeattribute container_kvm_t container_net_domain, container_user_domain;

type container_kvm_var_run_t;
files_pid_file(container_kvm_var_run_t)
filetrans_pattern(container_kvm_t, container_var_run_t, container_kvm_var_run_t, {file sock_file dir})
filetrans_pattern(container_runtime_t, container_var_run_t, container_kvm_var_run_t, dir, "kata-containers")

manage_dirs_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
manage_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
manage_fifo_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
manage_sock_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
manage_lnk_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
files_pid_filetrans(container_kvm_t, container_kvm_var_run_t, { dir file lnk_file sock_file })
files_pid_filetrans(container_kvm_t, container_kvm_var_run_t, { dir file lnk_file sock_file })
allow container_kvm_t container_kvm_var_run_t:{file dir} mounton;

allow container_kvm_t container_runtime_t:unix_stream_socket rw_stream_socket_perms;

container_stream_connect(container_kvm_t)

allow container_kvm_t container_runtime_t:tun_socket attach_queue;

dev_rw_inherited_vhost(container_kvm_t)
dev_rw_vfio_dev(container_kvm_t)

corenet_rw_inherited_tun_tap_dev(container_kvm_t)
corecmd_exec_shell(container_kvm_t)
corecmd_exec_bin(container_kvm_t)
corecmd_bin_entry_type(container_kvm_t)

# virtiofs causes these AVC messages.
kernel_mount_proc(container_kvm_t)
kernel_mounton_proc(container_kvm_t)
kernel_unmount_proc(container_kvm_t)
kernel_dgram_send(container_kvm_t)
files_mounton_rootfs(container_kvm_t)

auth_read_passwd(container_kvm_t)
logging_send_syslog_msg(container_kvm_t)

optional_policy(`
	qemu_entry_type(container_kvm_t)
	qemu_exec(container_kvm_t)
	allow container_kvm_t qemu_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
')

manage_sock_files_pattern(container_kvm_t, container_file_t, container_file_t)

dev_rw_kvm(container_kvm_t)

sssd_read_public_files(container_kvm_t)

# Container init - Policy for running systemd based containers
container_domain_template(container_init, container)
typeattribute container_init_t container_init_domain, container_net_domain, container_user_domain;

corenet_unconfined(container_init_t)

allow container_init_t device_t:filesystem { remount unmount };

dev_mounton_sysfs(container_init_domain)

fs_manage_cgroup_dirs(container_init_domain)
fs_manage_cgroup_files(container_init_domain)
fs_mounton_cgroup(container_init_domain)
fs_unmount_cgroup(container_init_domain)
fs_unmount_tmpfs(container_init_domain)

kernel_mounton_proc(container_init_t)
kernel_unmount_proc(container_init_t)

logging_send_syslog_msg(container_init_t)

allow container_init_domain proc_t:filesystem remount;

optional_policy(`
	virt_default_capabilities(container_init_t)
')

tunable_policy(`container_use_devices',`
	allow container_domain device_node:chr_file {rw_chr_file_perms map};
	allow container_domain device_node:blk_file {rw_blk_file_perms map};
')

tunable_policy(`container_use_xserver_devices',`
	dev_getattr_xserver_misc_dev(container_t)
	dev_rw_xserver_misc(container_t)
')

tunable_policy(`container_use_dri_devices',`
	dev_rw_dri(container_domain)
')

tunable_policy(`virt_sandbox_use_sys_admin',`
	allow container_init_t self:capability sys_admin;
	allow container_init_t self:cap_userns sys_admin;
')

allow container_init_domain self:netlink_audit_socket nlmsg_relay;

# container_engine_t is for running a container engine within a container
#
container_domain_template(container_engine, container)
typeattribute container_engine_t container_net_domain;

fs_mounton_cgroup(container_engine_t)
fs_unmount_cgroup(container_engine_t)
fs_manage_cgroup_dirs(container_engine_t)
fs_manage_cgroup_files(container_engine_t)
fs_write_cgroup_files(container_engine_t)
fs_remount_cgroup(container_engine_t)
fs_mount_all_fs(container_engine_t)
fs_remount_all_fs(container_engine_t)
fs_unmount_all_fs(container_engine_t)
kernel_mounton_all_sysctls(container_engine_t)
kernel_mount_proc(container_engine_t)
kernel_mounton_proc(container_engine_t)
kernel_mounton_core_if(container_engine_t)
kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)
term_mount_pty_fs(container_engine_t)
term_use_generic_ptys(container_engine_t)

allow container_engine_t container_file_t:chr_file mounton;
allow container_engine_t filesystem_type:{dir file} mounton;
allow container_engine_t proc_kcore_t:file mounton;
allow container_engine_t proc_t:filesystem remount;
allow container_engine_t sysctl_t:{dir file} mounton;
allow container_engine_t fusefs_t:dir { relabelfrom relabelto };
allow container_engine_t fusefs_t:file relabelto;
allow container_engine_t kernel_t:system module_request;
allow container_engine_t null_device_t:chr_file mounton;
allow container_engine_t random_device_t:chr_file mounton;
allow container_engine_t self:netlink_tcpdiag_socket nlmsg_read;
allow container_engine_t urandom_device_t:chr_file mounton;
allow container_engine_t zero_device_t:chr_file mounton;

manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)

optional_policy(`
	gen_require(`
		type devtty_t;
	')
	allow container_engine_t devtty_t:chr_file mounton;
')

type kubelet_t, container_runtime_domain;
domain_type(kubelet_t)

optional_policy(`
	gen_require(`
		role unconfined_r;
	')
	role unconfined_r types kubelet_t;
	unconfined_domain(kubelet_t)
')

manage_chr_files_pattern(container_engine_t, fusefs_t, fusefs_t)

type kubelet_exec_t;
application_executable_file(kubelet_exec_t)
can_exec(container_runtime_t, kubelet_exec_t)
allow kubelet_t kubelet_exec_t:file entrypoint;

ifdef(`enable_mcs',`
	init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
	init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mls_systemhigh)
')
mls_trusted_object(kubelet_t)

init_daemon_domain(kubelet_t, kubelet_exec_t)

admin_pattern(kubelet_t, kubernetes_file_t)

optional_policy(`
	gen_require(`
		type sysadm_t;
		role sysadm_r;
		role unconfined_r;
	')

	container_kubelet_run(sysadm_t, sysadm_r)

	unconfined_run_to(kubelet_t, kubelet_exec_t)
	role_transition unconfined_r kubelet_exec_t system_r;
')

# Standard container which needs to be allowed to use any device
container_domain_template(container_device, container)
allow container_device_t device_node:chr_file rw_chr_file_perms;

# Standard container which needs to be allowed to use any device and
# communicate with kubelet
container_domain_template(container_device_plugin, container)
allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
dev_rw_sysfs(container_device_plugin_t)
kernel_read_debugfs(container_device_plugin_t)
container_kubelet_stream_connect(container_device_plugin_t)

# Standard container which needs to be allowed to use any device and
# modify kubelet configuration
container_domain_template(container_device_plugin_init, container)
allow container_device_plugin_init_t device_node:chr_file rw_chr_file_perms;
dev_rw_sysfs(container_device_plugin_init_t)
manage_dirs_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
manage_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
manage_lnk_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)

optional_policy(`
	gen_require(`
		type syslogd_t;
	')

	allow syslogd_t container_runtime_tmpfs_t:file rw_inherited_file_perms;
	logging_send_syslog_msg(container_runtime_t)
')


manage_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
manage_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
manage_chr_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
manage_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)

tunable_policy(`sshd_launch_containers',`
	gen_require(`
		type sshd_t;
		type systemd_logind_t;
		type iptables_var_run_t;
	')

	container_runtime_domtrans(sshd_t)
	dontaudit systemd_logind_t iptables_var_run_t:dir read;
')

role container_user_r;
userdom_restricted_user_template(container_user)
userdom_manage_home_role(container_user_r, container_user_t)

allow container_user_t container_domain:process { getattr getcap getsched sigchld sigkill signal signull sigstop };

role container_user_r types container_domain;
role container_user_r types container_user_domain;
role container_user_r types container_net_domain;
role container_user_r types container_file_type;
container_runtime_run(container_user_t, container_user_r)
unconfined_role_change_to(container_user_r)

container_use_ptys(container_user_t)

fs_manage_cgroup_dirs(container_user_t)
fs_manage_cgroup_files(container_user_t)

selinux_compute_access_vector(container_user_t)
systemd_dbus_chat_hostnamed(container_user_t)
systemd_start_systemd_services(container_user_t)

allow container_runtime_t container_user_t:process transition;
allow container_runtime_t container_user_t:process2 nnp_transition;
allow container_user_t container_runtime_t:fifo_file rw_fifo_file_perms;

allow container_user_t container_file_t:chr_file manage_chr_file_perms;
allow container_user_t container_file_t:file entrypoint;

allow container_domain container_file_t:file entrypoint;
allow container_domain container_ro_file_t:file { entrypoint execmod execute execute_no_trans getattr ioctl lock map open read };
allow container_domain container_var_lib_t:file entrypoint;
allow container_domain fusefs_t:file { append create entrypoint execmod execute execute_no_trans getattr ioctl link lock map mounton open read rename setattr unlink watch watch_reads write };

corecmd_entrypoint_all_executables(container_kvm_t)
allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
allow svirt_sandbox_domain mountpoint:file entrypoint;

tunable_policy(`deny_ptrace',`',`
	allow container_domain self:process ptrace;
	allow spc_t self:process ptrace;
')
openSUSE Build Service is sponsored by