# SELinux policy module for the qm_t domain and for the container domains
# (qm_container_domain) that are started from inside it.
policy_module(qm, 0.1.0)
# Object classes, attributes and types owned by other modules that the direct
# allow/dontaudit rules in this file reference.
# NOTE(review): nsfs_t, proc_security_t, security_t, container_var_run_t,
# container_runtime_tmpfs_t, sysctl_type and usermodehelper_t are also used in
# direct rules further down but are not listed here; presumably they resolve
# through the require blocks emitted by the interface calls that precede them.
# Listing them here would make that dependency explicit - confirm when building.
gen_require(`
class dbus { send_msg acquire_svc };
class passwd rootok;
attribute container_domain;
attribute filesystem_type;
attribute container_init_domain;
attribute container_net_domain;
attribute container_user_domain;
attribute unconfined_domain_type;
type cgroup_t;
type container_runtime_t;
type devpts_t;
type fusefs_t;
type hugetlbfs_t;
type init_t;
type iptables_t;
type mtrr_device_t;
type proc_kcore_t;
type proc_kmsg_t;
type proc_t;
type sysctl_irq_t;
type sysctl_t;
type system_dbusd_t;
type systemd_logind_t;
type systemd_machined_t;
type unconfined_service_t;
type bpf_t;
type container_devpts_t;
type net_conf_t;
')
# The qm_t domain itself: a system_r domain treated as an init script domain
# (init_initrc_domain) that may use container ptys.
type qm_t;
domain_type(qm_t)
role system_r types qm_t;
init_initrc_domain(qm_t)
container_use_ptys(qm_t)
# qm_file_type: attribute shared by every file type this module declares.
attribute qm_file_type;
# Files of a qm_file_type may live on a filesystem labelled with that same
# type; qm_file_t files may additionally live on devpts.
allow qm_file_type self:filesystem associate;
# NOTE(review): qm_file_t is declared on the line after this rule.  The policy
# compiler presumably resolves declarations in a first pass, but declaring
# before use would read more clearly.
allow qm_file_t devpts_t:filesystem associate;
# Concrete file types.  By the filetrans rules further down, qm_file_t is the
# generic label, qm_container_var_lib_t labels the "containers" directory
# created under it and qm_container_ro_file_t labels the overlay directories
# created under that.  All three are mountpoints.
type qm_file_t, qm_file_type;
files_type(qm_file_t)
files_mountpoint(qm_file_t)
type qm_container_var_lib_t, qm_file_type;
files_mountpoint(qm_container_var_lib_t)
type qm_container_ro_file_t, qm_file_type;
files_mountpoint(qm_container_ro_file_t)
# qm_t has full control over everything labelled qm_file_type: relabel in
# both directions, execmod, map, entrypoint, mounton, exec, and create/delete
# of every object class.
allow qm_t qm_file_type:file { execmod relabelfrom relabelto map entrypoint mounton };
allow qm_t qm_file_type:dir_file_class_set { relabelfrom relabelto };
manage_files_pattern(qm_t, qm_file_type, qm_file_type)
can_exec(qm_t, qm_file_type)
allow qm_t qm_file_type:chr_file mounton;
manage_blk_files_pattern(qm_t, qm_file_type, qm_file_type)
manage_chr_files_pattern(qm_t, qm_file_type, qm_file_type)
manage_dirs_pattern(qm_t, qm_file_type, qm_file_type)
manage_fifo_files_pattern(qm_t, qm_file_type, qm_file_type)
manage_lnk_files_pattern(qm_t, qm_file_type, qm_file_type)
manage_sock_files_pattern(qm_t, qm_file_type, qm_file_type)
# Objects qm_t creates on tmpfs get the qm_file_t label.
fs_tmpfs_filetrans(qm_t, qm_file_t, { dir file lnk_file })
allow qm_t qm_file_type:chr_file { watch watch_reads };
allow qm_t qm_file_type:dir { mounton relabelfrom relabelto };
# Every filesystem and service permission on qm_file_type objects.  This is a
# very broad grant (it includes mount, unmount and relabel of the filesystem).
allow qm_t qm_file_type:filesystem all_filesystem_perms;
allow qm_t qm_file_type:service all_service_perms;
# init_t (systemd) may create, delete and modify device nodes, directories,
# pipes, symlinks and sockets labelled qm_file_type.  No manage_files_pattern
# is granted to init_t here, only the special object classes.
manage_blk_files_pattern(init_t, qm_file_type, qm_file_type)
manage_chr_files_pattern(init_t, qm_file_type, qm_file_type)
manage_dirs_pattern(init_t, qm_file_type, qm_file_type)
manage_fifo_files_pattern(init_t, qm_file_type, qm_file_type)
manage_lnk_files_pattern(init_t, qm_file_type, qm_file_type)
manage_sock_files_pattern(init_t, qm_file_type, qm_file_type)
# Name-based type transitions for directories qm_t creates: "containers" under
# a qm_file_t directory becomes qm_container_var_lib_t, and the overlay
# directories under that become qm_container_ro_file_t.
filetrans_pattern(qm_t, qm_file_t, qm_container_var_lib_t, dir, "containers")
filetrans_pattern(qm_t, qm_container_var_lib_t, qm_container_ro_file_t, dir, "overlay")
filetrans_pattern(qm_t, qm_container_var_lib_t, qm_container_ro_file_t, dir, "overlay-images")
filetrans_pattern(qm_t, qm_container_var_lib_t, qm_container_ro_file_t, dir, "overlay-layers")
filetrans_pattern(qm_t, qm_container_var_lib_t, qm_container_ro_file_t, dir, "overlay2")
# NOTE(review): "overlay2-imagess" does not follow the naming of the other
# entries and looks like a typo for "overlay2-images"; a directory of that
# name would not get the qm_container_ro_file_t label.  Confirm before fixing.
filetrans_pattern(qm_t, qm_container_var_lib_t, qm_container_ro_file_t, dir, "overlay2-imagess")
filetrans_pattern(qm_t, qm_container_var_lib_t, qm_container_ro_file_t, dir, "overlay2-layers")
# Every host container domain (container_domain attribute) may execmod files
# in the read-only store, not only the qm container domains.
allow container_domain qm_container_ro_file_t:file execmod;
# systemd-machined: read process state of qm_t; read, list and follow
# qm_file_type files; use its sockets; manage its device nodes; and connect
# to qm_t over unix stream sockets and D-Bus.
ps_process_pattern(systemd_machined_t, qm_t)
read_files_pattern(systemd_machined_t, qm_file_type, qm_file_type)
list_dirs_pattern(systemd_machined_t, qm_file_type, qm_file_type)
read_lnk_files_pattern(systemd_machined_t, qm_file_type, qm_file_type)
rw_sock_files_pattern(systemd_machined_t, qm_file_type, qm_file_type)
manage_chr_files_pattern(systemd_machined_t, qm_file_type, qm_file_type)
allow systemd_machined_t qm_t:unix_stream_socket { connectto rw_stream_socket_perms };
# The system D-Bus daemon may read and write qm_file_type device nodes.
allow system_dbusd_t qm_file_type:chr_file { read write };
allow systemd_machined_t unconfined_service_t:dir search;
systemd_dbus_chat_machined(qm_t)
# kill capability inside user namespaces, granted to machined itself.
allow systemd_machined_t self:cap_userns kill;
# systemd-logind: same shape as the machined rules above, but logind gets
# manage (create/delete) on regular files, directories and symlinks too.
ps_process_pattern(systemd_logind_t, qm_t)
manage_files_pattern(systemd_logind_t, qm_file_type, qm_file_type)
manage_dirs_pattern(systemd_logind_t, qm_file_type, qm_file_type)
manage_lnk_files_pattern(systemd_logind_t, qm_file_type, qm_file_type)
rw_sock_files_pattern(systemd_logind_t, qm_file_type, qm_file_type)
manage_chr_files_pattern(systemd_logind_t, qm_file_type, qm_file_type)
allow systemd_logind_t qm_t:unix_stream_socket { connectto rw_stream_socket_perms };
# Identical to the system_dbusd_t chr_file rule in the machined section
# above; a harmless duplicate.
allow system_dbusd_t qm_file_type:chr_file { read write };
# Self permissions for qm_t.  Taken together these make qm_t a highly
# privileged domain: all system and user_namespace permissions, bpf program
# loading, and a capability set that includes sys_admin, sys_ptrace,
# dac_override, net_admin, setuid and setgid.
allow qm_t self:system all_system_perms;
allow qm_t self:user_namespace all_user_namespace_perms;
allow qm_t self:bpf { map_create map_read map_write prog_load prog_run };
# The cap_userns and capability lists below are identical: the same
# capabilities inside user namespaces and in the initial namespace.
allow qm_t self:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid kill net_bind_service net_admin net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace sys_resource };
allow qm_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill net_bind_service net_admin net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace sys_resource };
allow qm_t self:capability2 { audit_read bpf perfmon};
# Packet, ICMP and (below) raw IP sockets.
allow qm_t self:packet_socket create_socket_perms;
allow qm_t self:icmp_socket create_stream_socket_perms;
allow qm_t self:key { setattr write };
# Audit netlink socket including nlmsg_relay (user-space audit messages),
# plus the generic, uevent, netfilter, route, selinux and tcpdiag families.
allow qm_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow qm_t self:dbus all_dbus_perms;
allow qm_t self:netlink_generic_socket create_socket_perms;
allow qm_t self:netlink_kobject_uevent_socket create_socket_perms;
allow qm_t self:netlink_netfilter_socket create_socket_perms;
allow qm_t self:netlink_route_socket create_netlink_socket_perms;
allow qm_t self:netlink_selinux_socket create_socket_perms;
allow qm_t self:netlink_socket create_socket_perms;
allow qm_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
# setexec and setfscreate let qm_t choose the context of programs it
# executes and of files it creates; setsockcreate does the same for sockets.
allow qm_t self:process { getattr getcap getpgid getrlimit getsched setcap setexec setkeycreate setpgid setfscreate setrlimit setsockcreate setsched signal_perms };
allow qm_t self:rawip_socket create_stream_socket_perms;
allow qm_t self:tcp_socket create_stream_socket_perms;
allow qm_t self:udp_socket create_socket_perms;
allow qm_t self:unix_dgram_socket { sendto create_socket_perms };
allow qm_t self:unix_stream_socket { connectto rw_stream_socket_perms };
# Silently deny (no AVC record) qm_t managing network configuration files.
dontaudit qm_t net_conf_t:file manage_file_perms;
init_access_check(qm_t)
miscfiles_watch_localization_files(qm_t)
seutil_search_default_contexts(qm_t)
# getattr and mounton for sensitive proc and sysctl entries.  Only mounton is
# granted here, not read: qm_t may mount over these paths, but this block
# does not let it read them.
allow qm_t mtrr_device_t:file { getattr mounton };
allow qm_t proc_kcore_t:file { getattr mounton };
allow qm_t proc_kmsg_t:file { getattr mounton };
allow qm_t proc_t:file mounton;
allow qm_t sysctl_irq_t:dir { getattr mounton };
allow qm_t sysctl_t:file { getattr mounton };
# cgroup filesystem getattr/remount, watching container ptys, and relabeling
# away from the devpts filesystem label.
allow qm_t cgroup_t:filesystem { getattr remount };
allow qm_t container_devpts_t:chr_file { watch watch_reads };
allow qm_t devpts_t:filesystem relabelfrom;
# Network access for qm_t: bind and connect to every TCP, UDP and SCTP port,
# bind ICMP/raw/TCP/UDP sockets on generic nodes, and read/write tun/tap
# devices.  There is no port restriction in any of these grants.
corenet_icmp_bind_generic_node(qm_t)
corenet_raw_bind_generic_node(qm_t)
corenet_rw_tun_tap_dev(qm_t)
corenet_sctp_bind_all_ports(qm_t)
corenet_sctp_connect_all_ports(qm_t)
corenet_tcp_bind_all_ports(qm_t)
corenet_tcp_bind_generic_node(qm_t)
corenet_tcp_connect_all_ports(qm_t)
corenet_tcp_sendrecv_all_ports(qm_t)
corenet_udp_bind_all_ports(qm_t)
corenet_udp_bind_generic_node(qm_t)
corenet_udp_sendrecv_all_ports(qm_t)
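# sysfs: list, read, mount on and remount the sysfs filesystem.
dev_list_sysfs(qm_t)
dev_mounton_sysfs(qm_t)
dev_read_sysfs(qm_t)
dev_remount_sysfs_fs(qm_t)
# Mount on the bpf filesystem and write to container runtime pipes.
allow qm_t bpf_t:dir mounton;
allow qm_t container_runtime_t:fifo_file write;
# getattr and list on every file type on the system.  These interfaces grant
# metadata access only, not read or write of file contents.
files_getattr_all_blk_files(qm_t)
files_getattr_all_chr_files(qm_t)
files_getattr_all_dirs(qm_t)
files_getattr_all_file_type_fs(qm_t)
files_getattr_all_files(qm_t)
files_getattr_all_pipes(qm_t)
files_getattr_all_sockets(qm_t)
files_list_all(qm_t)
files_mounton_kernel_symbol_table(qm_t)
# Filesystem-level access: all mount permissions on tmpfs and xattr
# filesystems, relabeling away from them, cgroup management, nsfs reads
# and tracefs search.
fs_all_mount_fs_perms_tmpfs(qm_t)
fs_all_mount_fs_perms_xattr_fs(qm_t)
# Applies to the qm_file_t file type, not to the qm_t domain: qm_file_t
# files may live on the cgroup filesystem.
fs_associate_cgroupfs(qm_file_t)
fs_getattr_all_fs(qm_t)
fs_list_all(qm_t)
fs_manage_cgroup_dirs(qm_t)
fs_manage_cgroup_files(qm_t)
fs_read_nsfs_files(qm_t)
fs_relabelfrom_tmpfs(qm_t)
fs_relabelfrom_xattr_fs(qm_t)
fs_search_tracefs_dirs(qm_t)
# nsfs_t is not listed in gen_require at the top of the file; this rule
# presumably resolves through the require block that fs_read_nsfs_files()
# expands to.  NOTE(review): confirm the module still links if that call moves.
allow qm_t nsfs_t:filesystem { getattr unmount };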
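# /proc and sysctl access for qm_t: list and read proc and all sysctls, mount
# over the core interfaces, kernel sysctls, kmsg, proc and the paths that
# systemd ProtectKernelTunables covers, and read/write the fs, kernel, net
# and unix sysctls, the security state and the usermodehelper settings.
kernel_dontaudit_search_security_state(qm_t)
kernel_list_all_proc(qm_t)
kernel_mounton_core_if(qm_t)
kernel_mounton_kernel_sysctl(qm_t)
kernel_mounton_messages(qm_t)
kernel_mounton_proc(qm_t)
kernel_mounton_systemd_ProtectKernelTunables(qm_t)
kernel_read_all_sysctls(qm_t)
kernel_read_fs_sysctls(qm_t)
kernel_read_net_sysctls(qm_t)
kernel_read_network_state(qm_t)
kernel_read_network_state_symlinks(qm_t)
kernel_read_proc_files(qm_t)
kernel_read_security_state(qm_t)
kernel_read_unix_sysctls(qm_t)
# qm_t may ask the kernel to load modules.
kernel_request_load_module(qm_t)
kernel_rw_fs_sysctls(qm_t)
kernel_rw_kernel_sysctl(qm_t)
kernel_rw_net_sysctls(qm_t)
kernel_rw_security_state(qm_t)
kernel_rw_unix_sysctls(qm_t)
# NOTE(review): read/write of the usermodehelper state covers the kernel
# helper program paths; together with kernel sysctl write this is a strong
# grant - confirm it is required.
kernel_rw_usermodehelper_state(qm_t)
# proc_security_t is not in gen_require; it presumably resolves through the
# require block of the kernel_*_security_state() interfaces above.
dontaudit qm_t proc_security_t:file write;
# mount, remount and unmount of every type carrying the filesystem_type
# attribute.  Combined with the sys_admin capability granted above this is
# effectively unrestricted mount control.
allow qm_t filesystem_type:filesystem { mount remount unmount };
kernel_search_debugfs(qm_t)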
# Datagram sends to unconfined domains, selinuxfs access, network config
# read/write, and generic pty use.
unconfined_dgram_send(qm_t)
selinux_dontaudit_get_fs_mount(qm_t)
selinux_dontaudit_search_fs(qm_t)
# qm_t may change the checkreqprot setting of the security server.
selinux_setcheckreqprot(qm_t)
# security_t (selinuxfs) is not in gen_require; it presumably resolves through
# the require blocks of the selinux_* interfaces.  File writes are silently
# denied; directory read is allowed further down.
dontaudit qm_t security_t:file write;
sysnet_read_config(qm_t)
sysnet_write_config(qm_t)
term_search_ptys(qm_t)
term_use_generic_ptys(qm_t)
term_setattr_generic_ptys(qm_t)
dev_write_sysfs_dirs(qm_t)
allow qm_t security_t:dir read;
allow qm_t hugetlbfs_t:dir relabelfrom;
# Security server queries: validate contexts, compute access vectors and
# create contexts, and read the enforcing mode.
selinux_validate_context(qm_t)
selinux_compute_access_vector(qm_t)
selinux_compute_create_context(qm_t)
selinux_get_enforce_mode(qm_t)
# Entry into qm_t: the host container runtime may transition into qm_t
# (static and dynamic transitions, also under no_new_privs and nosuid), and
# qm_t may send sigchld back.  Inheritance of rlimits, pending signals and
# AT_SECURE across the transition is not audited.
allow container_runtime_t qm_t:process { dyntransition transition };
allow qm_t container_runtime_t:process sigchld;
allow container_runtime_t qm_t:process2 { nnp_transition nosuid_transition };
dontaudit container_runtime_t qm_t:process { noatsecure rlimitinh siginh };
# The runtime manages qm_file_type directories, files and symlinks;
# iptables only reads them.
manage_dirs_pattern(container_runtime_t, qm_file_type, qm_file_type)
manage_files_pattern(container_runtime_t, qm_file_type, qm_file_type)
manage_lnk_files_pattern(container_runtime_t, qm_file_type, qm_file_type)
read_files_pattern(iptables_t, qm_file_type, qm_file_type)
# ===================================================================
# QM Containers
#
# qm_container_domain: attribute carried by every container domain started
# from inside qm_t (qm_container_t, qm_container_kvm_t, qm_container_init_t
# are declared with it below).
attribute qm_container_domain;
allow qm_container_domain qm_t:fifo_file rw_inherited_fifo_file_perms;
allow qm_t qm_container_domain:process transition;
allow qm_t qm_container_domain:key manage_key_perms;
# Default container domain.
type qm_container_t, qm_container_domain;
domain_type(qm_container_t)
domain_user_exemption_target(qm_container_t)
container_manage_files_template(qm_container, qm_container)
type qm_container_file_t, qm_file_type;
# NOTE(review): the two calls below repeat the files_type/files_mountpoint
# already given to qm_file_t near the top of the file.  They may have been
# intended for qm_container_file_t, which here otherwise gets only
# fs_associate - confirm the intended labelling before changing them.
files_type(qm_file_t)
files_mountpoint(qm_file_t)
fs_associate(qm_container_file_t)
# Every qm container domain gets the same broad file permissions on
# qm_file_type that qm_t has: execmod, relabel, map, entrypoint, mounton.
allow qm_container_domain qm_file_type:file { execmod relabelfrom relabelto map entrypoint mounton };
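# QM Container kvm - Policy for running kata containers
type qm_container_kvm_t, qm_container_domain;
domain_type(qm_container_kvm_t)
domain_user_exemption_target(qm_container_kvm_t)
# Also carries the host container_net_domain and container_user_domain
# attributes.
typeattribute qm_container_kvm_t container_net_domain, container_user_domain;
container_manage_files_template(qm_container_kvm, qm_container)
# Runtime state under the container var_run directory: qm_t creates the
# "kata-containers" directory with this label, the kvm domain creates objects
# of this label there directly and manages them fully.
type qm_container_kvm_var_run_t;
files_pid_file(qm_container_kvm_var_run_t)
filetrans_pattern(qm_container_kvm_t, container_var_run_t, qm_container_kvm_var_run_t, {file sock_file dir})
filetrans_pattern(qm_t, container_var_run_t, qm_container_kvm_var_run_t, dir, "kata-containers")
manage_dirs_pattern(qm_container_kvm_t, qm_container_kvm_var_run_t, qm_container_kvm_var_run_t)
manage_files_pattern(qm_container_kvm_t, qm_container_kvm_var_run_t, qm_container_kvm_var_run_t)
manage_fifo_files_pattern(qm_container_kvm_t, qm_container_kvm_var_run_t, qm_container_kvm_var_run_t)
manage_sock_files_pattern(qm_container_kvm_t, qm_container_kvm_var_run_t, qm_container_kvm_var_run_t)
manage_lnk_files_pattern(qm_container_kvm_t, qm_container_kvm_var_run_t, qm_container_kvm_var_run_t)
files_pid_filetrans(qm_container_kvm_t, qm_container_kvm_var_run_t, { dir file lnk_file sock_file })
allow qm_container_kvm_t qm_container_kvm_var_run_t:{file dir} mounton;
# Sockets shared with qm_t and the host container runtime, plus attaching
# queues to qm_t tun sockets.
allow qm_container_kvm_t qm_t:unix_stream_socket rw_stream_socket_perms;
container_stream_connect(qm_container_kvm_t)
allow qm_container_kvm_t qm_t:tun_socket attach_queue;
# Virtualisation devices: inherited vhost descriptors, vfio, tun/tap, and
# /dev/kvm (dev_rw_kvm near the end of this section).
dev_rw_inherited_vhost(qm_container_kvm_t)
dev_rw_vfio_dev(qm_container_kvm_t)
corenet_rw_inherited_tun_tap_dev(qm_container_kvm_t)
# May run shells and system binaries, and bin types are valid entry points.
corecmd_exec_shell(qm_container_kvm_t)
corecmd_exec_bin(qm_container_kvm_t)
corecmd_bin_entry_type(qm_container_kvm_t)
# virtiofs causes these AVC messages.
kernel_mount_proc(qm_container_kvm_t)
kernel_mounton_proc(qm_container_kvm_t)
kernel_unmount_proc(qm_container_kvm_t)
kernel_dgram_send(qm_container_kvm_t)
files_mounton_rootfs(qm_container_kvm_t)
auth_read_passwd(qm_container_kvm_t)
logging_send_syslog_msg(qm_container_kvm_t)
# Only when the qemu module is present: qemu is an entry point and may be
# executed by this domain.
optional_policy(`
qemu_entry_type(qm_container_kvm_t)
qemu_exec(qm_container_kvm_t)
')
manage_sock_files_pattern(qm_container_kvm_t, qm_container_file_t, qm_container_file_t)
dev_rw_kvm(qm_container_kvm_t)
sssd_read_public_files(qm_container_kvm_t)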
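# Container init - Policy for running systemd based containers
type qm_container_init_t, qm_container_domain;
domain_type(qm_container_init_t)
domain_user_exemption_target(qm_container_init_t)
typeattribute qm_container_init_t container_init_domain, container_net_domain, container_user_domain;
# Unrestricted network access for the init domain.
corenet_unconfined(qm_container_init_t)
logging_send_syslog_msg(qm_container_init_t)
allow qm_container_init_t proc_t:filesystem remount;
optional_policy(`
virt_default_capabilities(qm_container_init_t)
')
# sys_admin conditional on the virt_sandbox_use_sys_admin boolean.
# NOTE(review): qm_container_domain (which this type carries) is granted
# capability ~{ sys_module } and cap_userns sys_admin unconditionally in the
# shared rules further down, so this tunable does not actually restrict
# sys_admin for qm_container_init_t.  Confirm which behaviour is intended.
tunable_policy(`virt_sandbox_use_sys_admin',`
allow qm_container_init_t self:capability sys_admin;
allow qm_container_init_t self:cap_userns sys_admin;
')
allow qm_container_init_t self:netlink_audit_socket nlmsg_relay;
container_manage_files_template(qm_container_init, qm_container)
# Read-only view of the overlay store for the plain qm_container_t domain.
# These three rules target qm_container_t, not qm_container_init_t.
read_files_pattern(qm_container_t, qm_container_ro_file_t, qm_container_ro_file_t)
read_lnk_files_pattern(qm_container_t, qm_container_ro_file_t, qm_container_ro_file_t)
list_dirs_pattern(qm_container_t, qm_container_ro_file_t, qm_container_ro_file_t)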
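#
# Rules for container domains in the qm
#
# Self permissions shared by every qm_container_domain.  Note the breadth of
# the capability grants: every capability except sys_module, and every
# capability2 except mac_override and mac_admin, in both the initial
# namespace and inside user namespaces.
allow qm_container_domain self:association sendto;
allow qm_container_domain self:cap2_userns ~{ mac_override mac_admin };
allow qm_container_domain self:cap_userns { sys_admin chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
# The ~{ sys_module } rule below already covers mknod; this one is redundant
# but harmless.
allow qm_container_domain self:capability mknod;
allow qm_container_domain self:capability ~{ sys_module };
allow qm_container_domain self:capability2 ~{ mac_override mac_admin };
allow qm_container_domain self:dir list_dir_perms;
allow qm_container_domain self:fifo_file create_fifo_file_perms;
allow qm_container_domain self:fifo_file manage_file_perms;
allow qm_container_domain self:file rw_file_perms;
allow qm_container_domain self:filesystem associate;
allow qm_container_domain self:key manage_key_perms;
allow qm_container_domain self:lnk_file read_file_perms;
allow qm_container_domain self:lnk_file setattr;
# SysV IPC.
allow qm_container_domain self:msg all_msg_perms;
allow qm_container_domain self:msgq create_msgq_perms;
# netlink families: uevent, route (read-only perms), generic, tcpdiag, xfrm.
allow qm_container_domain self:netlink_kobject_uevent_socket create_socket_perms;
allow qm_container_domain self:netlink_route_socket r_netlink_socket_perms;
allow qm_container_domain self:netlink_socket create_socket_perms;
allow qm_container_domain self:netlink_tcpdiag_socket create_netlink_socket_perms;
allow qm_container_domain self:netlink_xfrm_socket create_socket_perms;
allow qm_container_domain self:packet_socket create_socket_perms;
# rootok on the userspace passwd class (declared in gen_require).
allow qm_container_domain self:passwd rootok;
allow qm_container_domain self:peer recv;
# execmem and execstack are allowed, so writable+executable memory mappings
# are permitted inside the containers.  The permission set is written once;
# signal_perms already covers sigchld/sigkill/signal/signull/sigstop.
allow qm_container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop setexec setfscreate getrlimit signal_perms };
allow qm_container_domain self:sem create_sem_perms;
allow qm_container_domain self:shm create_shm_perms;
allow qm_container_domain self:socket_class_set { create_socket_perms map accept };
allow qm_container_domain self:tcp_socket create_socket_perms;
allow qm_container_domain self:tun_socket { create_socket_perms relabelfrom relabelto attach_queue };
allow qm_container_domain self:udp_socket create_socket_perms;
allow qm_container_domain self:unix_dgram_socket { sendto create_socket_perms };
allow qm_container_domain self:unix_stream_socket { create_stream_socket_perms sendto connectto };
# Containers may create their own user namespaces.
allow qm_container_domain self:user_namespace create;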
# qm_t side of the relationship with its containers: use their fds and
# pipes, relabel their files and tun sockets, manage their keyrings, and
# transition into them (static, dynamic, nnp and nosuid).
allow qm_t qm_container_domain:fd use;
allow qm_t qm_container_domain:fifo_file rw_fifo_file_perms;
allow qm_t qm_container_domain:file relabelfrom;
allow qm_t qm_container_domain:key manage_key_perms;
allow qm_t qm_container_domain:process { dyntransition transition };
allow qm_t qm_container_domain:process2 { nnp_transition nosuid_transition };
allow qm_t qm_container_domain:tun_socket relabelfrom;
# Container side: datagrams to the host runtime, mounton of runtime tmpfs
# dirs, execmod/mounton/remount on fusefs, execmod of the read-only store,
# and use of inherited sockets and pipes from qm_t and init_t.  setopt is
# allowed on qm_t sockets but not on init_t sockets.
allow qm_container_domain container_runtime_t:unix_dgram_socket sendto;
allow qm_container_domain container_runtime_tmpfs_t:dir mounton;
allow qm_container_domain fusefs_t:file { mounton execmod };
allow qm_container_domain fusefs_t:filesystem remount;
allow qm_container_domain init_t:socket_class_set { accept ioctl read getattr lock write append getopt };
allow qm_container_domain qm_container_ro_file_t:file execmod;
allow qm_container_domain qm_t:fd use;
allow qm_container_domain qm_t:fifo_file { rw_fifo_file_perms map };
allow qm_container_domain qm_t:socket_class_set { accept ioctl read getattr lock write append getopt setopt };
allow qm_container_domain qm_t:tun_socket relabelfrom;
# Any unconfined domain may transition directly into a qm container domain;
# unconfined_service_t additionally gets dyntransition on its own.
allow unconfined_domain_type qm_container_domain:process {transition dyntransition };
allow unconfined_domain_type qm_container_domain:process2 { nnp_transition nosuid_transition };
allow unconfined_service_t qm_container_domain:process dyntransition;
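# Noise suppression for every qm container domain: sysfs mounton, keyrings
# and state of other domains, runtime tmpfs reads, fsetid and block_suspend,
# self dir writes, sysctl and usermodehelper writes, and rlimit/signal/
# AT_SECURE inheritance from qm_t are all denied without an AVC record.
dev_dontaudit_mounton_sysfs(qm_container_domain)
domain_dontaudit_link_all_domains_keyrings(qm_container_domain)
domain_dontaudit_search_all_domains_keyrings(qm_container_domain)
domain_dontaudit_search_all_domains_state(qm_container_domain)
dontaudit qm_container_domain container_runtime_tmpfs_t:dir read;
dontaudit qm_container_domain qm_container_domain:key search;
dontaudit qm_container_domain self:capability fsetid;
dontaudit qm_container_domain self:capability2 block_suspend ;
dontaudit qm_container_domain self:dir { write add_name };
dontaudit qm_container_domain sysctl_type:file write;
dontaudit qm_container_domain usermodehelper_t:file write;
dontaudit qm_t qm_container_domain:process { noatsecure rlimitinh siginh };
files_read_kernel_modules(qm_container_domain)
# Filesystem access: fusefs (manage, exec, entrypoint, mount, mounton,
# unmount), hugetlbfs (exec, list, manage files), tmpfs (mount, inherited
# rw, symlinks, search), cgroup (list, read), nsfs reads, onload sockets,
# and xattr filesystems (mount, remount, unmount).
fs_dontaudit_getattr_all_dirs(qm_container_domain)
fs_dontaudit_getattr_all_files(qm_container_domain)
fs_dontaudit_remount_tmpfs(qm_container_domain)
fs_exec_fusefs_files(qm_container_domain)
fs_exec_hugetlbfs_files(qm_container_domain)
fs_fusefs_entrypoint(qm_container_domain)
fs_getattr_all_fs(qm_container_domain)
fs_list_cgroup_dirs(qm_container_domain)
fs_list_hugetlbfs(qm_container_domain)
fs_manage_fusefs_dirs(qm_container_domain)
fs_manage_fusefs_files(qm_container_domain)
fs_manage_fusefs_named_pipes(qm_container_domain)
fs_manage_fusefs_named_sockets(qm_container_domain)
fs_manage_fusefs_symlinks(qm_container_domain)
fs_manage_hugetlbfs_files(qm_container_domain)
fs_mount_fusefs(qm_container_domain)
fs_mount_tmpfs(qm_container_domain)
fs_mount_xattr_fs(qm_container_domain)
fs_mounton_fusefs(qm_container_domain)
fs_read_cgroup_files(qm_container_domain)
fs_read_nsfs_files(qm_container_domain)
fs_read_tmpfs_symlinks(qm_container_domain)
fs_remount_xattr_fs(qm_container_domain)
fs_rw_inherited_tmpfs_files(qm_container_domain)
fs_rw_onload_sockets(qm_container_domain)
fs_search_tmpfs(qm_container_domain)
fs_unmount_fusefs(qm_container_domain)
fs_unmount_xattr_fs(qm_container_domain)
# /proc and sysctl: read of all sysctls, irq sysctls and network state; rw
# of the net, rpc and unix sysctls; SysV IPC info; writes to kernel sysctls,
# proc files and usermodehelper state are silently denied.
kernel_dontaudit_access_check_proc(qm_container_domain)
kernel_dontaudit_search_kernel_sysctl(qm_container_domain)
kernel_dontaudit_setattr_proc_dirs(qm_container_domain)
kernel_dontaudit_setattr_proc_files(qm_container_domain)
kernel_dontaudit_write_kernel_sysctl(qm_container_domain)
kernel_dontaudit_write_proc_files(qm_container_domain)
kernel_dontaudit_write_usermodehelper_state(qm_container_domain)
kernel_get_sysvipc_info(qm_container_domain)
kernel_getattr_proc(qm_container_domain)
kernel_list_all_proc(qm_container_domain)
kernel_read_all_sysctls(qm_container_domain)
kernel_read_irq_sysctls(qm_container_domain)
kernel_read_network_state(qm_container_domain)
kernel_rw_net_sysctls(qm_container_domain)
kernel_rw_rpc_sysctls(qm_container_domain)
kernel_rw_unix_sysctls(qm_container_domain)
kernel_search_network_sysctl(qm_container_domain)
# Audit message sends are silently denied; FUSE device, network config,
# inherited terminals, user pipes and user ptys are allowed.
logging_dontaudit_send_audit_msgs(qm_container_domain)
storage_rw_fuse(qm_container_domain)
sysnet_read_config(qm_container_domain)
term_use_all_inherited_terms(qm_container_domain)
userdom_rw_inherited_user_pipes(qm_container_domain)
userdom_use_user_ptys(qm_container_domain)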