Policy for containers
Tunables (booleans) in this module; each defaults to off.

| Default: | Description: |
|---|---|
| false | Allow containers to manage cgroups. This is required for systemd to run inside containers. |
| false | Allow container engines to mount on all non-security files (file types that carry the non_security_file_type attribute, i.e. not the shadow, policy store and similar security-sensitive labels). |
| false | Allow containers to use NFS filesystems. |
| false | Allow containers to use CIFS filesystems. |
All of the rules required to administrate a container environment.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |
| role | Role allowed access. |

Allow the specified domain to create objects in an xdg_config directory with an automatic type transition to the container config home type.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |
| object | The object class of the object being created. |
| name | The name of the object being created. |

Allow the specified domain to perform a type transition to container domains.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed to transition. |

Execute generic container engines in the container engine domain.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed to transition. |

Do not audit attempts to read and write container chr files.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Send and receive messages from container engines over dbus.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the generic container engine executables to be an entrypoint for the specified domain.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Make the specified type usable for files that are executables for container engines.

| Parameter: | Description: |
|---|---|
| type | Type to be used for files. |

Allow the specified domain to create objects in generic temporary directories with an automatic type transition to the container engine temporary file type.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |
| object | The object class of the object being created. |
| name | The name of the object being created. |

Allow the specified domain to create container files in the root directory with a type transition.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Execute a generic container engine executable with an automatic transition to a private type.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed to transition. |
| target_domain | The type of the new process. |
Allow the specified domain to get the attributes of container filesystems.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

All of the permissions necessary for a container engine to manage container processes.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to manage container chr files (character device nodes).

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to manage container config files.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to manage container file directories.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to manage container engine temporary files.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to manage container engine temporary named sockets.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to manage container fifo files (named pipes).

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to manage container files.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to manage container config home content.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to manage container data home named pipes.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to manage container data home files.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to manage container data home named sockets.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to manage container lnk files (symbolic links).

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to manage runtime container named pipes.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to manage runtime container files.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to manage runtime container named sockets.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to manage container sock files (named sockets).

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to manage user runtime container files.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to manage container named pipes in /var/lib.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to manage container files in /var/lib.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to manage container named sockets in /var/lib.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Make the specified type usable as a mountpoint for containers.

| Parameter: | Description: |
|---|---|
| file_type | Type to be used as a mountpoint. |
Read the process state (/proc/pid) of all system containers.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Read the process state (/proc/pid) of all user containers.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to relabel container files and directories.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to relabel container filesystems.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Execute generic container engines in the container engine domain, and allow the specified role the container domain.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed to transition. |
| role | The role to be allowed the container domain. |

Allow the specified domain to be started by systemd socket activation using a named socket labeled the container runtime type.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to read and write container chr files.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to read and write user runtime container named sockets.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to search runtime container directories.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to search container directories in /var/lib.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Set the attributes of container ptys.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to send all signals to a container domain.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Connect to a container domain over a unix stream socket.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Connect to a system container domain over a unix stream socket.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Connect to a user container domain over a unix stream socket.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |
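The consumer side of the interfaces above (the domain-transition interfaces for the generic engine, the run variant for roles, and the unix stream connects), as an added example module for a hypothetical system service called deploytool. This is not code from this page or from refpolicy. The interface names `container_engine_domtrans` and `container_stream_connect` are assumed to be the refpolicy container.if names behind the descriptions on this page, whose own listing lost the names; `init_daemon_domain`, `policy_module` and `gen_context` are standard refpolicy macros.

```selinux
# deploytool.te: added example local policy module (not from this page or
# from refpolicy). It gives a hypothetical system service, deploytool_t,
# exactly the access described above: execute the generic container engine
# with an automatic domain transition, and connect to running containers over
# their unix stream sockets.
#
# ASSUMPTION: container_engine_domtrans and container_stream_connect are the
# container.if interface names for "Execute generic container engines in the
# container engine domain" and "Connect to a container domain over a unix
# stream socket". Verify before building:
#   grep -n '^interface(`container_' policy/modules/services/container.if

policy_module(deploytool, 1.0.0)

########################################
#
# Declarations
#

type deploytool_t;
type deploytool_exec_t;
# Daemon started by init: declares the entrypoint and system_r role access.
init_daemon_domain(deploytool_t, deploytool_exec_t)

########################################
#
# Local policy
#

# Execute the generic container engine executable. The kernel performs the
# domain transition, so deploytool_t never runs the engine under its own
# label and never needs the engine's file, cgroup or mount permissions
# itself. The run variant (domain, role) is only for interactive user roles.
container_engine_domtrans(deploytool_t)

# Connect to a container domain over a unix stream socket, e.g. a control
# or health socket a container exposes. In refpolicy a stream_connect
# interface grants connectto plus write on the socket file; it does not
# grant read/write on other container files, which is the intended least
# privilege for a client.
container_stream_connect(deploytool_t)

# Verify after loading (setools):
#   sesearch -T -s deploytool_t -c process
#   sesearch -A -s deploytool_t -c unix_stream_socket -p connectto

# deploytool.fc: label the binary so init transitions into deploytool_t.
# /usr/bin/deploytool	--	gen_context(system_u:object_r:deploytool_exec_t,s0)
```

If the service must also inspect or signal the containers it launched, add the read-state and signal interfaces from the listing above rather than widening the transition; each is a separate, auditable grant.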
Allow the specified container engine domain all the rules required to function as a system container engine.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified domain to create objects in unlabeled directories with an automatic type transition to the container var lib type.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |
| object | The object class of the object being created. |
| name | The name of the object being created. |

Read and write container ptys.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Allow the specified container engine domain all the rules required to function as a user container engine.

| Parameter: | Description: |
|---|---|
| domain | Domain allowed access. |

Base role access for containers. This grants all the rules necessary for common container usage.

| Parameter: | Description: |
|---|---|
| role_prefix | The prefix of the user role (e.g., user is the prefix for user_r). |
| user_domain | User domain for the role. |
| user_exec_domain | User exec domain for execute and transition access. |
| role | Role allowed access. |

The template to define a container domain.

| Parameter: | Description: |
|---|---|
| domain_prefix | Domain prefix to be used. |

The template to define a container engine domain.

| Parameter: | Description: |
|---|---|
| domain_prefix | Domain prefix to be used. |

Role access for system containers.

| Parameter: | Description: |
|---|---|
| role_prefix | The prefix of the user role (e.g., user is the prefix for user_r). |
| user_domain | User domain for the role. |
| user_exec_domain | User exec domain for execute and transition access. |
| role | Role allowed access. |

Role access for user containers.

| Parameter: | Description: |
|---|---|
| role_prefix | The prefix of the user role (e.g., user is the prefix for user_r). |
| user_domain | User domain for the role. |
| user_exec_domain | User exec domain for execute and transition access. |
| role | Role allowed access. |
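Putting the engine template, the system/user engine interfaces, the base role interface and the admin interface together, as an added example for a hypothetical engine called myengine. This is not code from this page or from refpolicy. The names `container_engine_domain_template`, `container_system_engine`, `container_user_engine`, `container_role` and `container_admin` are assumed to be the refpolicy container.if names behind the descriptions above (the listing on this page lost them), and the assumption that the engine template declares both `myengine_t` and `myengine_exec_t` from the prefix should be confirmed in container.if before building.

```selinux
# myengine.te / myengine.fc: added example (not from this page or from
# refpolicy) defining a hypothetical container engine with the container
# module's templates and interfaces.
#
# ASSUMPTIONS: the interface names below are the container.if names for the
# descriptions on this page, and container_engine_domain_template(myengine)
# declares myengine_t and myengine_exec_t. Check with:
#   grep -n '^template(`container_\|^interface(`container_' \
#       policy/modules/services/container.if

policy_module(myengine, 1.0.0)

########################################
#
# Declarations
#

# Engine template: declares the engine domain and its entrypoint type and
# attaches the attributes the container module uses to identify engines.
container_engine_domain_template(myengine)

########################################
#
# Engine policy
#

# All the rules a system-wide engine needs (container files under /var/lib,
# runtime sockets, managing container processes, and the rest of the engine
# interfaces listed above). For an engine that runs inside user sessions,
# call container_user_engine(myengine_t) here instead; do not call both,
# since that would give one domain the union of both sets of rules.
container_system_engine(myengine_t)

# Started by init as a daemon; declares system_r access for the domain.
init_daemon_domain(myengine_t, myengine_exec_t)

########################################
#
# Role access
#
# In refpolicy these calls normally live in the role modules (e.g.
# unprivuser.te and sysadm.te); they are shown here so the whole picture is
# in one place.

# Base container access for the unprivileged user role. user_exec_domain is
# the domain that executes and transitions; for plain users that is the user
# domain itself.
optional_policy(`
	container_role(user, user_t, user_t, user_r)
')

# The administrative rule set for sysadm_r.
optional_policy(`
	container_admin(sysadm_t, sysadm_r)
')

# myengine.fc: label the engine binary with the entrypoint type declared by
# the template, so executing it triggers the transition into myengine_t.
# /usr/bin/myengine	--	gen_context(system_u:object_r:myengine_exec_t,s0)
```

Keep the engine's own rules to the one engine interface plus what the templates give it, and grant anything extra (cgroup management, NFS or CIFS use, mounting on non-security files) through the module's booleans rather than by adding allow rules to the engine, so those grants stay switchable at runtime and off by default.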