forked from containers/qm
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathqm.te
194 lines (167 loc) · 7.33 KB
/
qm.te
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
policy_module(qm, 0.1.0)
gen_require(`
attribute container_domain;
attribute filesystem_type;
type cgroup_t;
type fusefs_t;
type hugetlbfs_t;
type mtrr_device_t;
type proc_kcore_t;
type proc_kmsg_t;
type proc_t;
type sysctl_irq_t;
type sysctl_t;
type system_dbusd_t;
type systemd_machined_t;
type systemd_logind_t;
type unconfined_service_t;
')
type qm_t;
domain_type(qm_t)
role system_r types qm_t;
init_initrc_domain(qm_t)
attribute qm_file_type;
type qm_file_t, qm_file_type;
files_type(qm_file_t)
files_mountpoint(qm_file_t)
files_mountpoint(qm_file_t)
type qm_container_var_lib_t, qm_file_type;
files_mountpoint(qm_container_var_lib_t)
type qm_container_ro_file_t, qm_file_type;
files_mountpoint(qm_container_ro_file_t)
allow qm_t qm_container_ro_file_t:file execmod;
manage_files_pattern(qm_t, qm_file_type, qm_file_type)
can_exec(qm_t, qm_file_type)
allow qm_t qm_file_type:file { map entrypoint mounton };
allow qm_t qm_file_type:chr_file mounton;
manage_dirs_pattern(qm_t, qm_file_type, qm_file_type)
manage_fifo_files_pattern(qm_t, qm_file_type, qm_file_type)
manage_lnk_files_pattern(qm_t, qm_file_type, qm_file_type)
manage_chr_files_pattern(qm_t, qm_file_type, qm_file_type)
allow qm_t qm_file_type:chr_file { watch watch_reads };
manage_blk_files_pattern(qm_t, qm_file_type, qm_file_type)
manage_sock_files_pattern(qm_t, qm_file_type, qm_file_type)
fs_tmpfs_filetrans(qm_t, qm_file_t, { dir file lnk_file })
allow qm_t qm_file_type:dir mounton;
allow qm_t qm_file_type:filesystem { getattr remount unmount };
filetrans_pattern(qm_t, qm_file_t, qm_container_var_lib_t, dir, "containers")
filetrans_pattern(qm_t, qm_container_var_lib_t, qm_container_ro_file_t, dir, "overlay")
filetrans_pattern(qm_t, qm_container_var_lib_t, qm_container_ro_file_t, dir, "overlay2")
filetrans_pattern(qm_t, qm_container_var_lib_t, qm_container_ro_file_t, file, "config.env")
filetrans_pattern(qm_t, qm_container_var_lib_t, qm_container_ro_file_t, file, "hostname")
filetrans_pattern(qm_t, qm_container_var_lib_t, qm_container_ro_file_t, file, "hosts")
allow container_domain qm_container_ro_file_t:file execmod;
ps_process_pattern(systemd_machined_t, qm_t)
read_files_pattern(systemd_machined_t, qm_file_type, qm_file_type)
list_dirs_pattern(systemd_machined_t, qm_file_type, qm_file_type)
read_lnk_files_pattern(systemd_machined_t, qm_file_type, qm_file_type)
rw_sock_files_pattern(systemd_machined_t, qm_file_type, qm_file_type)
manage_chr_files_pattern(systemd_machined_t, qm_file_type, qm_file_type)
allow systemd_machined_t qm_t:unix_stream_socket { connectto rw_stream_socket_perms };
allow system_dbusd_t qm_file_type:chr_file { read write };
allow systemd_machined_t unconfined_service_t:dir search;
systemd_dbus_chat_machined(systemd_machined_t)
ps_process_pattern(systemd_logind_t, qm_t)
manage_files_pattern(systemd_logind_t, qm_file_type, qm_file_type)
manage_dirs_pattern(systemd_logind_t, qm_file_type, qm_file_type)
manage_lnk_files_pattern(systemd_logind_t, qm_file_type, qm_file_type)
rw_sock_files_pattern(systemd_logind_t, qm_file_type, qm_file_type)
manage_chr_files_pattern(systemd_logind_t, qm_file_type, qm_file_type)
allow systemd_logind_t qm_t:unix_stream_socket { connectto rw_stream_socket_perms };
container_manage_dirs(systemd_logind_t)
container_manage_files(systemd_logind_t)
allow system_dbusd_t qm_file_type:chr_file { read write };
allow qm_t self:bpf { map_create map_read map_write prog_load prog_run };
allow qm_t self:cap_userns { chown dac_override dac_read_search fowner fsetid kill net_bind_service setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace sys_resource };
allow qm_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill net_bind_service net_admin net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace sys_resource };
allow qm_t self:capability2 { audit_read bpf perfmon};
allow qm_t self:packet_socket create_socket_perms;
allow qm_t self:icmp_socket create_stream_socket_perms;
allow qm_t self:key { setattr write };
allow qm_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow qm_t self:netlink_generic_socket create_socket_perms;
allow qm_t self:netlink_kobject_uevent_socket create_socket_perms;
allow qm_t self:netlink_netfilter_socket create_socket_perms;
allow qm_t self:netlink_route_socket create_netlink_socket_perms;
allow qm_t self:netlink_selinux_socket create_socket_perms;
allow qm_t self:netlink_socket create_socket_perms;
allow qm_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
allow qm_t self:process { getattr getcap getpgid getrlimit getsched setcap setpgid setrlimit setsched signal_perms };
allow qm_t self:rawip_socket create_stream_socket_perms;
allow qm_t self:tcp_socket create_stream_socket_perms;
allow qm_t self:udp_socket create_socket_perms;
allow qm_t self:unix_dgram_socket { sendto create_socket_perms };
allow qm_t self:unix_stream_socket { connectto rw_stream_socket_perms };
init_access_check(qm_t)
miscfiles_watch_localization_files(qm_t)
seutil_search_default_contexts(qm_t)
allow qm_t mtrr_device_t:file { getattr mounton };
allow qm_t proc_kcore_t:file { getattr mounton };
allow qm_t proc_kmsg_t:file { getattr mounton };
allow qm_t proc_t:file mounton;
allow qm_t sysctl_irq_t:dir { getattr mounton };
allow qm_t sysctl_t:file { getattr mounton };
allow qm_t cgroup_t:filesystem { getattr remount };
corenet_icmp_bind_generic_node(qm_t)
corenet_raw_bind_generic_node(qm_t)
corenet_rw_tun_tap_dev(qm_t)
corenet_sctp_bind_all_ports(qm_t)
corenet_sctp_connect_all_ports(qm_t)
corenet_tcp_bind_all_ports(qm_t)
corenet_tcp_bind_generic_node(qm_t)
corenet_tcp_connect_all_ports(qm_t)
corenet_tcp_sendrecv_all_ports(qm_t)
corenet_udp_bind_all_ports(qm_t)
corenet_udp_bind_generic_node(qm_t)
corenet_udp_sendrecv_all_ports(qm_t)
dev_list_sysfs(qm_t)
dev_mounton_sysfs(qm_t)
dev_mounton_sysfs(qm_t)
dev_read_sysfs(qm_t)
dev_remount_sysfs_fs(qm_t)
files_mounton_kernel_symbol_table(qm_t)
fs_all_mount_fs_perms_tmpfs(qm_t)
fs_all_mount_fs_perms_xattr_fs(qm_t)
fs_manage_cgroup_dirs(qm_t)
fs_manage_cgroup_files(qm_t)
fs_read_nsfs_files(qm_t)
fs_search_tracefs_dirs(qm_t)
allow qm_t nsfs_t:filesystem { getattr unmount };
kernel_dontaudit_search_security_state(qm_t)
kernel_list_proc(qm_t)
kernel_mounton_core_if(qm_t)
kernel_mounton_kernel_sysctl(qm_t)
kernel_mounton_kernel_sysctl(qm_t)
kernel_mounton_messages(qm_t)
kernel_mounton_proc(qm_t)
kernel_mounton_proc(qm_t)
kernel_mounton_systemd_ProtectKernelTunables(qm_t)
kernel_mounton_systemd_ProtectKernelTunables(qm_t)
kernel_read_fs_sysctls(qm_t)
kernel_read_net_sysctls(qm_t)
kernel_read_network_state(qm_t)
kernel_read_network_state_symlinks(qm_t)
kernel_read_proc_files(qm_t)
kernel_read_security_state(qm_t)
kernel_read_sysctl(qm_t)
kernel_read_unix_sysctls(qm_t)
kernel_request_load_module(qm_t)
kernel_rw_fs_sysctls(qm_t)
kernel_rw_kernel_sysctl(qm_t)
kernel_rw_net_sysctls(qm_t)
kernel_rw_security_state(qm_t)
kernel_rw_unix_sysctls(qm_t)
kernel_rw_usermodehelper_state(qm_t)
dontaudit qm_t proc_security_t:file write;
allow qm_t filesystem_type:filesystem { mount remount unmount };
kernel_search_debugfs(qm_t)
unconfined_dgram_send(qm_t)
selinux_dontaudit_get_fs_mount(qm_t)
selinux_dontaudit_search_fs(qm_t)
dontaudit qm_t security_t:file write;
sysnet_read_config(qm_t)
sysnet_write_config(qm_t)
term_search_ptys(qm_t)
term_use_generic_ptys(qm_t)
term_setattr_generic_ptys(qm_t)
dev_write_sysfs_dirs(qm_t)