5105a4c344
Rootless docker runs as root in a user namespace. Because of this, rootless docker containers will run as spc_user_t as docker cannot be SELinux-aware in its own container. Signed-off-by: Kenton Groombridge <me@concord.sh>
80 lines
6.0 KiB
Plaintext
80 lines
6.0 KiB
Plaintext
HOME_DIR/\.cache/containers(/.*)? gen_context(system_u:object_r:container_cache_home_t,s0)
|
|
HOME_DIR/\.config/containers(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0)
|
|
HOME_DIR/\.config/cni(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0)
|
|
HOME_DIR/\.local/share/containers(/.*)? gen_context(system_u:object_r:container_data_home_t,s0)
|
|
HOME_DIR/\.local/share/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
HOME_DIR/\.local/share/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
HOME_DIR/\.local/share/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
HOME_DIR/\.local/share/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
HOME_DIR/\.local/share/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
HOME_DIR/\.local/share/containers/storage/volumes/[^/]+/.* gen_context(system_u:object_r:container_file_t,s0)
|
|
HOME_DIR/\.local/share/docker(/.*)? gen_context(system_u:object_r:container_data_home_t,s0)
|
|
HOME_DIR/\.local/share/docker/.*/config\.env -- gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
HOME_DIR/\.local/share/docker/containers/.*/.*\.log -- gen_context(system_u:object_r:container_log_t,s0)
|
|
HOME_DIR/\.local/share/docker/containers/.*/hostname -- gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
HOME_DIR/\.local/share/docker/containers/.*/hosts -- gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
HOME_DIR/\.local/share/docker/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
HOME_DIR/\.local/share/docker/fuse-overlayfs(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
HOME_DIR/\.local/share/docker/volumes(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
|
|
|
/usr/bin/crun -- gen_context(system_u:object_r:container_engine_exec_t,s0)
|
|
/usr/bin/runc -- gen_context(system_u:object_r:container_engine_exec_t,s0)
|
|
|
|
/usr/lib/systemd/system/docker.* -- gen_context(system_u:object_r:container_unit_t,s0)
|
|
/usr/lib/systemd/system/containerd.* -- gen_context(system_u:object_r:container_unit_t,s0)
|
|
|
|
/etc/containers(/.*)? gen_context(system_u:object_r:container_config_t,s0)
|
|
/etc/cni(/.*)? gen_context(system_u:object_r:container_config_t,s0)
|
|
/etc/docker(/.*)? gen_context(system_u:object_r:container_config_t,s0)
|
|
/etc/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0)
|
|
|
|
/run/containers(/.*)? gen_context(system_u:object_r:container_runtime_t,s0)
|
|
/run/libpod(/.*)? gen_context(system_u:object_r:container_runtime_t,s0)
|
|
/run/runc(/.*)? gen_context(system_u:object_r:container_runtime_t,s0)
|
|
|
|
/run/docker(/.*)? gen_context(system_u:object_r:container_runtime_t,s0)
|
|
/run/docker\.pid -- gen_context(system_u:object_r:container_runtime_t,s0)
|
|
/run/docker\.sock -s gen_context(system_u:object_r:container_runtime_t,s0)
|
|
/run/containerd(/.*)? gen_context(system_u:object_r:container_runtime_t,s0)
|
|
/run/containerd/[^/]+/sandboxes/[^/]+/shm(/.*)? gen_context(system_u:object_r:container_engine_tmpfs_t,s0)
|
|
|
|
/run/user/%{USERID}/netns(/.*)? gen_context(system_u:object_r:container_runtime_t,s0)
|
|
|
|
/var/cache/containers(/.*)? gen_context(system_u:object_r:container_engine_cache_t,s0)
|
|
|
|
/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
|
/var/lib/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
|
/var/lib/containers/atomic(/.*)? <<none>>
|
|
/var/lib/containers/volumes/[^/]+/.* gen_context(system_u:object_r:container_file_t,s0)
|
|
/var/lib/containers/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containers/storage/volumes/[^/]+/.* gen_context(system_u:object_r:container_file_t,s0)
|
|
|
|
/var/lib/docker(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
|
/var/lib/docker/.*/config\.env -- gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/docker/containers/.*/.*\.log -- gen_context(system_u:object_r:container_log_t,s0)
|
|
/var/lib/docker/containers/.*/hostname -- gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/docker/containers/.*/hosts -- gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/docker/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/docker/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/docker/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/docker/volumes/[^/]+/.* gen_context(system_u:object_r:container_file_t,s0)
|
|
|
|
/var/lib/containerd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
|
|
/var/lib/containerd/[^/]+/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
/var/lib/containerd/[^/]+/snapshots(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
|
|
|
/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|
|
/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
|