Layer: services

Module: container


Description:

Policy for containers


Tunables:

container_manage_cgroup
Default value

false

Description

Allow containers to manage cgroups. This is required for systemd to run inside containers.

container_manage_public_content
Default value

false

Description

Allow containers to manage all read-writable public content.

container_mounton_non_security
Default value

false

Description

Allow container engines to mount on all non-security files.

container_read_public_content
Default value

false

Description

Allow containers to read all public content.

container_spc_create_nfs_servers
Default value

false

Description

Allow super privileged containers to create NFS servers.

container_spc_use_tun_tap_dev
Default value

false

Description

Allow super privileged containers to use tun-tap devices.

container_use_dri
Default value

false

Description

Allow containers to use direct rendering devices.

container_use_ecryptfs
Default value

false

Description

Allow containers to use eCryptfs filesystems.

container_use_host_all_caps
Default value

false

Description

Allow containers to use all capabilities in a non-namespaced context for various privileged operations directly on the host.

container_use_hugetlbfs
Default value

false

Description

Allow containers to use huge pages.

container_use_mknod
Default value

false

Description

Allow containers to use the mknod syscall, e.g. for creating special device files.

container_use_nfs
Default value

false

Description

Allow containers to use NFS filesystems.

container_use_samba
Default value

false

Description

Allow containers to use CIFS filesystems.

container_use_sysadmin
Default value

false

Description

Allow containers to use the sysadmin capability, e.g. for mounting filesystems.

container_use_userns_all_caps
Default value

false

Description

Allow containers to use all capabilities in a namespaced context for various privileged operations within the container itself.

container_use_userns_mknod
Default value

false

Description

Allow containers to use the mknod syscall in a namespaced context, e.g. for creating special device files within the container itself.

container_use_userns_sysadmin
Default value

false

Description

Allow containers to use the sysadmin capability in a namespaced context, e.g. for mounting filesystems within the container itself.


Interfaces:

container_admin( domain , role )
Summary

All of the rules required to administrate a container environment.

Parameters
Parameter:Description:
domain

Domain allowed access.

role

Role allowed access.

container_admin_all_files( domain )
Summary

Administrate all container files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_admin_all_ro_files( domain )
Summary

Administrate all container read-only files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_admin_all_user_runtime_content( domain )
Summary

All of the rules necessary for a user to manage user container runtime data in their user runtime directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_append_log_files( domain )
Summary

Allow the specified domain to append data to container log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_config_home_filetrans( domain , object , name )
Summary

Allow the specified domain to create objects in an xdg_config directory with an automatic type transition to the container config home type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object

The object class of the object being created.

name

The name of the object being created.

container_create_config_dirs( domain )
Summary

Allow the specified domain to create container config directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_create_config_files( domain )
Summary

Allow the specified domain to create container config files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_create_log_dirs( domain )
Summary

Allow the specified domain to create container log file directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_create_log_files( domain )
Summary

Allow the specified domain to create container log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_create_runtime_dirs( domain )
Summary

Allow the specified domain to create runtime container directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_dev_filetrans( domain , object , name )
Summary

Create objects in /dev with an automatic transition to the container device type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object

The object class of the object being created.

name

The name of the object being created.

container_domtrans( domain )
Summary

Allow the specified domain to perform a type transition to container domains.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

container_domtrans_generic_engine( domain )
Summary

Execute generic container engines in the container engine domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

container_dontaudit_relabel_dirs( domain )
Summary

Do not audit attempts to relabel container file directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

container_dontaudit_relabel_files( domain )
Summary

Do not audit attempts to relabel container files.

Parameters
Parameter:Description:
domain

Domain to not audit.

container_dontaudit_rw_chr_files( domain )
Summary

Do not audit attempts to read and write container chr files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_engine_dbus_chat( domain )
Summary

Send and receive messages from container engines over dbus.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_engine_executable_entrypoint( domain )
Summary

Allow the generic container engine executables to be an entrypoint for the specified domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_engine_executable_file( type )
Summary

Make the specified type usable for files that are executables for container engines.

Parameters
Parameter:Description:
type

Type to be used for files.

container_engine_tmp_filetrans( domain , object , name )
Summary

Allow the specified domain to create objects in generic temporary directories with an automatic type transition to the container engine temporary file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object

The object class of the object being created.

name

The name of the object being created.

container_exec_plugins( domain )
Summary

Allow the specified domain to execute container plugins.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_file_root_filetrans( domain )
Summary

Allow the specified domain to create container files in the root directory with a type transition.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_filetrans_var_lib_file( domain , object , name )
Summary

Allow the specified domain to create objects in container /var/lib directories with an automatic transition to the container file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object

The object class of the object being created.

name

The name of the object being created.

container_fusefs_domtrans_spc( domain )
Summary

Execute FUSEFS files with a type transition to the super privileged container type.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_generic_engine_domtrans( domain , target_domain )
Summary

Execute a generic container engine executable with an automatic transition to a private type.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

target_domain

The type of the new process.

container_getattr_all_files( domain )
Summary

Allow the specified domain to get the attributes of all container file objects.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_getattr_all_ro_chr_files( domain )
Summary

Allow the specified domain to get the attributes of all read-only container file character devices.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_getattr_all_ro_files( domain )
Summary

Allow the specified domain to get the attributes of all read-only container file objects.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_getattr_all_var_lib_files( domain )
Summary

Allow the specified domain to get the attributes of all container var lib objects.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_getattr_device_blk_files( domain )
Summary

Get the attributes of container device block files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_getattr_fs( domain )
Summary

Allow the specified domain to get the attributes of container filesystems.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_getattr_runtime_sock_files( domain )
Summary

Allow the specified domain to get the attributes of container runtime named sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_ioctl_files( domain )
Summary

Allow the specified domain to perform ioctl operations on container files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_kill_all_containers( domain )
Summary

Allow the specified domain to send a kill signal to all containers.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_list_log_dirs( domain )
Summary

Allow the specified domain to list the contents of container log directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_list_plugin_dirs( domain )
Summary

Allow the specified domain to list the contents of container plugin directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_list_ro_dirs( domain )
Summary

Allow the specified domain to list the contents of read-only container file directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_list_var_lib( domain )
Summary

Allow the specified domain to list the contents of container directories in /var/lib.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_log_filetrans( domain , object , name )
Summary

Allow the specified domain to create objects in log directories with an automatic transition to the container log type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object

The object class of the object being created.

name

The name of the object being created.

container_manage_all_containers( domain )
Summary

All of the permissions necessary for a container engine to manage container processes.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_all_home_content( domain )
Summary

All of the rules necessary for a user to manage container data in their home directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_chr_files( domain )
Summary

Allow the specified domain to manage container chr files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_config_files( domain )
Summary

Allow the specified domain to manage container config files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_device_files( domain )
Summary

Manage container device files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_dirs( domain )
Summary

Allow the specified domain to manage container file directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_engine_tmp_files( domain )
Summary

Allow the specified domain to manage container engine temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_engine_tmp_sock_files( domain )
Summary

Allow the specified domain to manage container engine temporary named sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_fifo_files( domain )
Summary

Allow the specified domain to manage container fifo files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_files( domain )
Summary

Allow the specified domain to manage container files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_home_config( domain )
Summary

Allow the specified domain to manage container config home content.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_home_data_fifo_files( domain )
Summary

Allow the specified domain to manage container data home named pipes.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_home_data_files( domain )
Summary

Allow the specified domain to manage container data home files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_home_data_sock_files( domain )
Summary

Allow the specified domain to manage container data home named sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_lnk_files( domain )
Summary

Allow the specified domain to manage container lnk files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_log_dirs( domain )
Summary

Allow the specified domain to manage container log file directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_log_files( domain )
Summary

Allow the specified domain to manage container log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_log_symlinks( domain )
Summary

Allow the specified domain to manage container log symlinks.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_plugin_files( domain )
Summary

Allow the specified domain to manage container plugin files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_runtime_fifo_files( domain )
Summary

Allow the specified domain to manage runtime container named pipes.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_runtime_files( domain )
Summary

Allow the specified domain to manage runtime container files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_runtime_lnk_files( domain )
Summary

Allow the specified domain to manage runtime container symlinks.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_runtime_sock_files( domain )
Summary

Allow the specified domain to manage runtime container named sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_sock_files( domain )
Summary

Allow the specified domain to manage container sock files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_user_runtime_files( domain )
Summary

Allow the specified domain to manage user runtime container files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_var_lib_dirs( domain )
Summary

Allow the specified domain to manage container file directories in /var/lib.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_var_lib_fifo_files( domain )
Summary

Allow the specified domain to manage container named pipes in /var/lib.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_var_lib_files( domain )
Summary

Allow the specified domain to manage container files in /var/lib.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_var_lib_lnk_files( domain )
Summary

Allow the specified domain to manage container symlinks in /var/lib.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_var_lib_sock_files( domain )
Summary

Allow the specified domain to manage container named sockets in /var/lib.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_map_var_lib_files( domain )
Summary

Allow the specified domain to memory map container files in /var/lib.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_mounton_all_devices( domain )
Summary

Mount on all container devices.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_mountpoint( file_type )
Summary

Make the specified type usable as a mountpoint for containers.

Parameters
Parameter:Description:
file_type

Type to be used as a mountpoint.

container_read_all_container_engine_state( domain )
Summary

Read the process state (/proc/pid) of all container engines.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_read_all_container_state( domain )
Summary

Read the process state (/proc/pid) of all containers.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_read_config( domain )
Summary

Allow the specified domain to read container config files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_read_device_blk_files( domain )
Summary

Read container device block files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_read_engine_tmp_files( domain )
Summary

Allow the specified domain to read container engine temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_read_home_config( domain )
Summary

Read container config home content.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_read_runtime_files( domain )
Summary

Allow the specified domain to read runtime container files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_read_system_container_state( domain )
Summary

Read the process state (/proc/pid) of all system containers.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_read_user_container_state( domain )
Summary

Read the process state (/proc/pid) of all user containers.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_read_var_lib_files( domain )
Summary

Allow the specified domain to read container files in /var/lib.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_relabel_all_content( domain )
Summary

Allow the specified domain to relabel container files and directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_relabel_fs( domain )
Summary

Allow the specified domain to relabel container filesystems.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_remount_fs( domain )
Summary

Allow the specified domain to remount container filesystems.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_run_generic_engine( domain , role )
Summary

Execute generic container engines in the container engine domain, and allow the specified role the container domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

role

The role to be allowed the container domain.

container_runtime_named_socket_activation( domain )
Summary

Allow the specified domain to be started by systemd socket activation using a named socket labeled with the container runtime type.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_rw_chr_files( domain )
Summary

Allow the specified domain to read and write container chr files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_rw_config_files( domain )
Summary

Allow the specified domain to read and write container config files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_rw_device_files( domain )
Summary

Read and write container device files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_rw_fifo_files( domain )
Summary

Allow the specified domain to read and write container fifo files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_rw_spc_tcp_sockets( domain )
Summary

Read and write super privileged container TCP sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_rw_user_runtime_sock_files( domain )
Summary

Allow the specified domain to read and write user runtime container named sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_search_config( domain )
Summary

Allow the specified domain to search container config directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_search_engine_tmp( domain )
Summary

Allow the specified domain to search container engine temporary directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_search_logs( domain )
Summary

Allow the specified domain to search container log file directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_search_runtime( domain )
Summary

Allow the specified domain to search runtime container directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_search_var_lib( domain )
Summary

Allow the specified domain to search container directories in /var/lib.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_setattr_container_ptys( domain )
Summary

Set the attributes of container ptys.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_signal_all_containers( domain )
Summary

Allow the specified domain to send all signals to a container domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_signal_system_containers( domain )
Summary

Send signals to a system container.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_spec_filetrans_file( domain , domain , object , name )
Summary

Allow the specified domain to create objects in specified directories with an automatic type transition to the container file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

domain

Directory to transition on.

object

The object class of the object being created.

name

The name of the object being created.

container_start_units( domain )
Summary

Allow the specified domain to start systemd units for containers.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_stream_connect_all_containers( domain )
Summary

Connect to a container domain over a unix stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_stream_connect_spc( domain )
Summary

Connect to super privileged containers over a unix stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_stream_connect_spec_container( domain )
Summary

Connect to the specified container domain over a unix stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_stream_connect_system_containers( domain )
Summary

Connect to a system container domain over a unix stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_stream_connect_system_engine( domain )
Summary

Connect to a system container engine domain over a unix stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_stream_connect_user_containers( domain )
Summary

Connect to a user container domain over a unix stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_system_engine( domain )
Summary

Allow the specified container engine domain all the rules required to function as a system container engine.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_unlabeled_var_lib_filetrans( domain , object , name )
Summary

Allow the specified domain to create objects in unlabeled directories with an automatic type transition to the container var lib type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object

The object class of the object being created.

name

The name of the object being created.

container_use_container_ptys( domain )
Summary

Read and write container ptys.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_user_engine( domain )
Summary

Allow the specified container engine domain all the rules required to function as a user container engine.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_var_lib_filetrans( domain , object , name )
Summary

Allow the specified domain to create objects in /var/lib with an automatic transition to the container var lib type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object

The object class of the object being created.

name

The name of the object being created.

container_var_lib_filetrans_file( domain , object , name )
Summary

Allow the specified domain to create objects in /var/lib with an automatic transition to the container file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object

The object class of the object being created.

name

The name of the object being created.

container_watch_config_dirs( domain )
Summary

Allow the specified domain to watch container config directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_watch_dirs( domain )
Summary

Allow the specified domain to watch container file directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_watch_log_dirs( domain )
Summary

Allow the specified domain to watch container log file directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_watch_log_files( domain )
Summary

Allow the specified domain to watch container log files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_watch_plugin_dirs( domain )
Summary

Allow the specified domain to add a watch on container plugin directories.

Parameters
Parameter:Description:
domain

Domain allowed access.


Templates:

container_base_role( role_prefix , user_domain , user_exec_domain , role )
Summary

Base role access for containers. This grants all the rules necessary for common container usage.

Parameters
Parameter:Description:
role_prefix

The prefix of the user role (e.g., user is the prefix for user_r).

user_domain

User domain for the role.

user_exec_domain

User exec domain for execute and transition access.

role

Role allowed access.

container_domain_template( domain_prefix )
Summary

The template to define a container domain.

Parameters
Parameter:Description:
domain_prefix

Domain prefix to be used.

container_engine_domain_template( domain_prefix )
Summary

The template to define a container engine domain.

Parameters
Parameter:Description:
domain_prefix

Domain prefix to be used.

container_system_role( role_prefix , user_domain , user_exec_domain , role )
Summary

Role access for system containers.

Parameters
Parameter:Description:
role_prefix

The prefix of the user role (e.g., user is the prefix for user_r).

user_domain

User domain for the role.

user_exec_domain

User exec domain for execute and transition access.

role

Role allowed access.

container_unconfined_role( role_prefix , user_domain , user_exec_domain , role )
Summary

Unconfined role access for containers.

Parameters
Parameter:Description:
role_prefix

The prefix of the user role (e.g., user is the prefix for user_r).

user_domain

User domain for the role.

user_exec_domain

User exec domain for execute and transition access.

role

Role allowed access.

container_user_role( role_prefix , user_domain , user_exec_domain , role )
Summary

Role access for user containers.

Parameters
Parameter:Description:
role_prefix

The prefix of the user role (e.g., user is the prefix for user_r).

user_domain

User domain for the role.

user_exec_domain

User exec domain for execute and transition access.

role

Role allowed access.
