Layer: services

Module: container

Description:

Policy for containers


Tunables:

container_manage_cgroup
Default value

false

Description

Allow containers to manage cgroups. This is required for systemd to run inside containers.

container_manage_public_content
Default value

false

Description

Allow containers to manage all read-writable public content.

container_mounton_non_security
Default value

false

Description

Allow container engines to mount on all non-security files.

container_read_public_content
Default value

false

Description

Allow containers to read all public content.

container_use_ecryptfs
Default value

false

Description

Allow containers to use eCryptfs filesystems.

container_use_nfs
Default value

false

Description

Allow containers to use NFS filesystems.

container_use_samba
Default value

false

Description

Allow containers to use CIFS filesystems.

Interfaces:

container_admin( domain , role )
Summary

All of the rules required to administrate a container environment.

Parameters
Parameter:Description:
domain

Domain allowed access.

role

Role allowed access.

container_admin_all_files( domain )
Summary

Administrate all container files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_admin_all_ro_files( domain )
Summary

Administrate all container read-only files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_admin_all_user_runtime_content( domain )
Summary

All of the rules necessary for a user to manage user container runtime data in their user runtime directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_config_home_filetrans( domain , object , name )
Summary

Allow the specified domain to create objects in an xdg_config directory with an automatic type transition to the container config home type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object

The object class of the object being created.

name

The name of the object being created.

container_create_config_files( domain )
Summary

Allow the specified domain to create container config files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_domtrans( domain )
Summary

Allow the specified domain to perform a type transition to container domains.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

container_domtrans_generic_engine( domain )
Summary

Execute generic container engines in the container engine domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

container_dontaudit_rw_chr_files( domain )
Summary

Do not audit attempts to read and write container chr files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_engine_dbus_chat( domain )
Summary

Send and receive messages from container engines over dbus.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_engine_executable_entrypoint( domain )
Summary

Allow the generic container engine executables to be an entrypoint for the specified domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_engine_executable_file( type )
Summary

Make the specified type usable for files that are executables for container engines.

Parameters
Parameter:Description:
type

Type to be used for files.

container_engine_tmp_filetrans( domain , object , name )
Summary

Allow the specified domain to create objects in generic temporary directories with an automatic type transition to the container engine temporary file type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object

The object class of the object being created.

name

The name of the object being created.

container_file_root_filetrans( domain )
Summary

Allow the specified domain to create container files in the root directory with a type transition.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_generic_engine_domtrans( domain , target_domain )
Summary

Execute a generic container engine executable with an automatic transition to a private type.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

target_domain

The type of the new process.

container_getattr_fs( domain )
Summary

Allow the specified domain to get the attributes of container filesystems.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_all_containers( domain )
Summary

All of the permissions necessary for a container engine to manage container processes.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_all_home_content( domain )
Summary

All of the rules necessary for a user to manage container data in their home directory.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_chr_files( domain )
Summary

Allow the specified domain to manage container chr files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_config_files( domain )
Summary

Allow the specified domain to manage container config files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_dirs( domain )
Summary

Allow the specified domain to manage container file directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_engine_tmp_files( domain )
Summary

Allow the specified domain to manage container engine temporary files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_engine_tmp_sock_files( domain )
Summary

Allow the specified domain to manage container engine temporary named sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_fifo_files( domain )
Summary

Allow the specified domain to manage container fifo files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_files( domain )
Summary

Allow the specified domain to manage container files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_home_config( domain )
Summary

Allow the specified domain to manage container config home content.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_home_data_fifo_files( domain )
Summary

Allow the specified domain to manage container data home named pipes.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_home_data_files( domain )
Summary

Allow the specified domain to manage container data home files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_home_data_sock_files( domain )
Summary

Allow the specified domain to manage container data home named sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_lnk_files( domain )
Summary

Allow the specified domain to manage container lnk files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_runtime_fifo_files( domain )
Summary

Allow the specified domain to manage runtime container named pipes.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_runtime_files( domain )
Summary

Allow the specified domain to manage runtime container files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_runtime_sock_files( domain )
Summary

Allow the specified domain to manage runtime container named sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_sock_files( domain )
Summary

Allow the specified domain to manage container sock files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_user_runtime_files( domain )
Summary

Allow the specified domain to manage user runtime container files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_var_lib_fifo_files( domain )
Summary

Allow the specified domain to manage container named pipes in /var/lib.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_var_lib_files( domain )
Summary

Allow the specified domain to manage container files in /var/lib.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_manage_var_lib_sock_files( domain )
Summary

Allow the specified domain to manage container named sockets in /var/lib.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_mountpoint( file_type )
Summary

Make the specified type usable as a mountpoint for containers.

Parameters
Parameter:Description:
file_type

Type to be used as a mountpoint.

container_read_system_container_state( domain )
Summary

Read the process state (/proc/pid) of all system containers.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_read_user_container_state( domain )
Summary

Read the process state (/proc/pid) of all user containers.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_relabel_all_content( domain )
Summary

Allow the specified domain to relabel container files and directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_relabel_fs( domain )
Summary

Allow the specified domain to relabel container filesystems.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_remount_fs( domain )
Summary

Allow the specified domain to remount container filesystems.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_run_generic_engine( domain , role )
Summary

Execute generic container engines in the container engine domain, and allow the specified role the container domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

role

The role to be allowed the container domain.

container_runtime_named_socket_activation( domain )
Summary

Allow the specified domain to be started by systemd socket activation using a named socket labeled the container runtime type.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_rw_chr_files( domain )
Summary

Allow the specified domain to read and write container chr files.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_rw_user_runtime_sock_files( domain )
Summary

Allow the specified domain to read and write user runtime container named sockets.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_search_runtime( domain )
Summary

Allow the specified domain to search runtime container directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_search_var_lib( domain )
Summary

Allow the specified domain to search container directories in /var/lib.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_setattr_container_ptys( domain )
Summary

Set the attributes of container ptys.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_signal_all_containers( domain )
Summary

Allow the specified domain to send all signals to a container domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

container_start_units( domain )
Summary

Allow the specified domain to start systemd units for containers.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_stream_connect_all_containers( domain )
Summary

Connect to a container domain over a unix stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_stream_connect_system_containers( domain )
Summary

Connect to a system container domain over a unix stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_stream_connect_user_containers( domain )
Summary

Connect to a user container domain over a unix stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_system_engine( domain )
Summary

Allow the specified container engine domain all the rules required to function as a system container engine.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_unlabeled_var_lib_filetrans( domain , object , name )
Summary

Allow the specified domain to create objects in unlabeled directories with an automatic type transition to the container var lib type.

Parameters
Parameter:Description:
domain

Domain allowed access.

object

The object class of the object being created.

name

The name of the object being created.

container_use_container_ptys( domain )
Summary

Read and write container ptys.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_user_engine( domain )
Summary

Allow the specified container engine domain all the rules required to function as a user container engine.

Parameters
Parameter:Description:
domain

Domain allowed access.

container_write_config_files( domain )
Summary

Allow the specified domain to write container config files.

Parameters
Parameter:Description:
domain

Domain allowed access.

Templates:

container_base_role( role_prefix , user_domain , user_exec_domain , role )
Summary

Base role access for containers. This grants all the rules necessary for common container usage.

Parameters
Parameter:Description:
role_prefix

The prefix of the user role (e.g., user is the prefix for user_r).

user_domain

User domain for the role.

user_exec_domain

User exec domain for execute and transition access.

role

Role allowed access.

container_domain_template( domain_prefix )
Summary

The template to define a container domain.

Parameters
Parameter:Description:
domain_prefix

Domain prefix to be used.

container_engine_domain_template( domain_prefix )
Summary

The template to define a container engine domain.

Parameters
Parameter:Description:
domain_prefix

Domain prefix to be used.

container_system_role( role_prefix , user_domain , user_exec_domain , role )
Summary

Role access for system containers.

Parameters
Parameter:Description:
role_prefix

The prefix of the user role (e.g., user is the prefix for user_r).

user_domain

User domain for the role.

user_exec_domain

User exec domain for execute and transition access.

role

Role allowed access.

container_unconfined_role( role_prefix , user_domain , user_exec_domain , role )
Summary

Unconfined role access for containers.

Parameters
Parameter:Description:
role_prefix

The prefix of the user role (e.g., user is the prefix for user_r).

user_domain

User domain for the role.

user_exec_domain

User exec domain for execute and transition access.

role

Role allowed access.

container_user_role( role_prefix , user_domain , user_exec_domain , role )
Summary

Role access for user containers.

Parameters
Parameter:Description:
role_prefix

The prefix of the user role (e.g., user is the prefix for user_r).

user_domain

User domain for the role.

user_exec_domain

User exec domain for execute and transition access.

role

Role allowed access.
