ansible/hacking/tests/selinux/ansible-podman.te

module ansible-podman 1.0;

require {
        type container_t;
        type cgroup_t;
        type fusefs_t;
        class dir { add_name create remove_name rmdir write };
        class file { create relabelto write };
        class bpf map_create;
}


allow container_t cgroup_t:dir { add_name create remove_name rmdir write };

allow container_t cgroup_t:file { create write };
allow container_t fusefs_t:file relabelto;
allow container_t self:bpf map_create;
Add a custom policy for hackers using ansible-test (#68535) Signed-off-by: Rick Elrod <rick@elrod.me> 2020-03-28 23:07:29 +01:00			`module ansible-podman 1.0;`

			`require {`
			`type container_t;`
			`type cgroup_t;`
			`type fusefs_t;`
			`class dir { add_name create remove_name rmdir write };`
			`class file { create relabelto write };`
			`class bpf map_create;`
			`}`


			`allow container_t cgroup_t:dir { add_name create remove_name rmdir write };`

			`allow container_t cgroup_t:file { create write };`
			`allow container_t fusefs_t:file relabelto;`
			`allow container_t self:bpf map_create;`