; Deny any action that is not defined by the policy.
(handleunknown deny)

; Define the set of all subject and object types, to allow certain actions to
; be allowed or denied for everything.
(typeattribute global)
(typeattributeset global ((all_s) (all_o)))

; Define a subset of these types which are considered public.
(typeattribute public)
(typeattributeset public (xor (global) (restricted_o)))

; All subjects are allowed to describe all processes.
(allow all_s all_s (processes (describe)))

; All subjects are allowed to use the label they already have.
(allow all_s self (processes (transform)))

; All subjects are allowed to interact with their own processes in most ways
; without policy restrictions.
(allow all_s self (processes (interact)))

; Only privileged components can interact with all processes.
(allow privileged_s all_s (processes (interact)))

; Unprivileged components cannot interact with privileged processes.
(neverallow unprivileged_s privileged_s (processes (interact)))

; PID 1 starts as "kernel_t" and becomes "init_t".
(typetransition kernel_t init_exec_t process init_t)
(allow kernel_t init_t (processes (transform)))
(allow init_t init_exec_t (file (entrypoint)))

; PID 1 starts most daemons as "system_t".
(typetransition init_t os_t process system_t)
(allow init_t system_t (processes (transform)))
(allow system_t os_t (file (entrypoint)))

; PID 1 starts mount processes as "mount_t".
(typetransition init_t mount_exec_t process mount_t)
(allow init_t mount_t (processes (transform)))
(allow mount_t mount_exec_t (file (entrypoint)))

; PID 1 starts API components as "api_t".
(typetransition init_t api_exec_t process api_t)
(allow init_t api_t (processes (transform)))
(allow api_t api_exec_t (file (entrypoint)))

; PID1 starts NTP daemons as "clock_t".
(typetransition init_t clock_exec_t process clock_t)
(allow init_t clock_t (processes (transform)))
(allow clock_t clock_exec_t (file (entrypoint)))

; PID1 starts network daemons as "network_t".
(typetransition init_t network_exec_t process network_t)
(allow init_t network_t (processes (transform)))
(allow network_t network_exec_t (file (entrypoint)))

; PID1 starts DBUS daemons as "bus_t".
(typetransition init_t bus_exec_t process bus_t)
(allow init_t bus_t (processes (transform)))
(allow bus_t bus_exec_t (file (entrypoint)))

; PID 1 starts container runtimes as "runtime_t".
(typetransition init_t runtime_exec_t process runtime_t)
(allow init_t runtime_t (processes (transform)))
(allow runtime_t runtime_exec_t (file (entrypoint)))

; `runc` starts container processes as "control_t" by default, but it
; can use other "container" subject labels like "container_t". This
; depends on correct labeling for objects on local storage.
;
; Runtimes that use the Go SELinux library will override this label
; with the "process" label from the `lxc_contexts` when launching
; unprivileged containers, unless automatic labeling is disabled.
(typetransition runtime_t data_t process control_t)
(typetransition runtime_t cache_t process control_t)
(typetransition runtime_t secret_t process control_t)
(allow runtime_t container_s (processes (transform)))
(allow container_s data_t (file (entrypoint)))
(allow container_s cache_t (file (entrypoint)))
(allow container_s secret_t (file (entrypoint)))

; Adjust the level range to span all categories, since privileged
; containers won't get an MCS pair assigned.
(rangetransition runtime_t data_t process s0-s0)
(rangetransition runtime_t cache_t process s0-s0)
(rangetransition runtime_t secret_t process s0-s0)

; Run CNI plugins as unprivileged containers.
(typetransition runtime_t cni_exec_t process container_t)
(rangetransition runtime_t cni_exec_t process s0)
(allow container_t cni_exec_t (file (entrypoint)))

; Allow transitions to container labels for programs invoked by OCI
; hooks. There's no matching type or range transition since `runc`
; also needs to run other OS programs.
(allow container_s os_t (file (entrypoint)))

; Also allow entry to container domains through `docker-init`, which
; is mounted from the root filesystem and used as the init process.
(allow container_s runtime_exec_t (file (entrypoint)))

; Allow containers to communicate with runtimes via pipes.
(allow container_s runtime_t (files (mutate)))

; If a runtime process creates a directory for cached container archives
; or snapshot layers on local storage, it receives the "cache_t" label.
; ... containerd's pristine archives
(typetransition runtime_t local_t dir "io.containerd.content.v1.content" cache_t)
; ... containerd's metadata database
(typetransition runtime_t local_t dir "io.containerd.metadata.v1.bolt" cache_t)
; ... containerd's snapshot layers
(typetransition runtime_t local_t dir "io.containerd.snapshotter.v1.overlayfs" cache_t)
; ... docker's image layers
(typetransition runtime_t local_t dir "overlay2" cache_t)

; If a system process creates a directory for host or bootstrap container
; state, it receives the "secret_t" label.
(typetransition system_t local_t dir "host-containers" secret_t)
(typetransition system_t local_t dir "bootstrap-containers" secret_t)

; The socket for the API server gets the "api_socket_t" label.
(typetransition api_t any_t sock_file "api.sock" api_socket_t)

; All subjects can describe anything.
(allow all_s global (files (describe)))

; All subjects can read from anything that's public.
(allow all_s public (files (load)))

; Privileged subjects can read from anything at all.
(allow privileged_s global (files (load)))

; Unprivileged subjects cannot read or execute restricted objects.
(neverallow unprivileged_s restricted_o (files (load execute)))

; Container subjects can execute anything that's public.
(allow container_s public (files (execute)))

; Runtime subjects can execute anything at all.
(allow runtime_s global (files (execute)))

; Privileged containers can also execute anything.
(allow control_t global (files (execute)))

; `mount` can also execute anything. For overlayfs, the mounting process
; credentials are saved and used for subsequent access checks from other
; processes, so those credentials need to grant a superset of permissions.
; This lets us further restrict what other host processes can execute.
(allow mount_t global (files (execute)))

; Programs like `migrator` that are part of the API can run migrations,
; which are executed from sealed, anonymous memory-backed files. They can
; also run other system binaries.
(allow api_t any_t (files (execute)))
(allow api_t immutable_o (files (execute)))

; Subjects that must run verified code can execute immutable objects, since
; those are all protected by dm-verity.
(allow verified_s immutable_o (files (execute)))

; Subjects that must run verified code cannot execute mutable objects.
(neverallow verified_s mutable_o (files (execute)))

; All subjects are allowed to write to objects with their own label.
; This includes files like the ones under /proc/self.
(allow all_s self (files (mutate)))

; All subjects are allowed to write to and manage mounts for
; "ephemeral" objects, such as files in /mnt and /tmp.
(allow all_s ephemeral_o (files (mutate mount)))

; Trusted subjects are allowed to write to and manage mounts
; for "dynamic" files in /etc.
(allow trusted_s dynamic_o (files (mutate mount)))

; wicked calls netdog which writes /etc/resolv.conf.
(allow network_t etc_t (files (mutate)))

; Other subjects cannot modify these "dynamic" files.
(neverallow other_s dynamic_o (files (mutate mount)))

; Most subjects are allowed to write to and manage mounts for
; most of the files and directories on /local.
(allow unconfined_s shared_o (files (mutate mount)))

; Subjects that control the OS, including helpers spawned by apiserver, can
; write to and manage mounts for "secret" files and directories on /local.
; Our runtimes also need to be able to perform these operations so that
; they can launch host containers.
(allow api_s secret_t (files (mutate mount)))
(allow control_s secret_t (files (mutate mount)))
(allow runtime_s secret_t (files (mutate mount)))

; Subjects that control the OS can write to and manage mounts for "state"
; files and directories on /local.
(allow control_s state_t (files (mutate mount)))

; `mount` can also write to these directories, to set up overlayfs mounts
; that use them for work directories.
(allow mount_t state_t (files (mutate)))

; Unprivileged subjects cannot modify "state" or "secret" files.
(neverallow unprivileged_s state_t (files (mutate mount)))
(neverallow unprivileged_s secret_t (files (mutate mount)))

; Confined subjects cannot modify "state", "secret", or "shared" files.
(neverallow confined_s shared_o (files (mutate mount)))
(neverallow confined_s state_t (files (mutate mount)))
(neverallow confined_s secret_t (files (mutate mount)))

; Trusted components are allowed to manage mounts everywhere.
(allow trusted_s global (files (mount)))

; Only specific components can write to these objects, as they
; provide a means to persist changes across container restarts
; and reboots.
(allow api_s private_t (files (mutate)))
(allow clock_s measure_t (files (mutate)))
(allow network_s lease_t (files (mutate)))
(allow runtime_s cache_t (files (mutate)))

; Other components should not be permitted to modify these files,
; or to manage mounts for these directories.
(neverallow other_s protected_o (files (mutate mount)))

; Only the API server and specific components can use the API
; socket, as this provides a means to escalate privileges and
; persist changes.
(allow api_s api_socket_t (files (mutate)))
(allow control_s api_socket_t (files (mutate)))

; Unprivileged components are not allowed to use the API socket.
(neverallow unprivileged_s api_socket_t (files (mutate)))

; Only trusted components are allowed to relabel all files, and to
; override filesystem labels through "*context=" mount options.
(allow trusted_s global (files (relabel)))
(allow trusted_s global (filesystems (relabel)))

; Containers are allowed to "relabel" constrained files, but are
; governed by additional MCS constraints that require the old and
; new labels to match exactly.
(allow container_s constrained_o (files (relabel)))

; Containers are also allowed to "relabel" filesystems at mount time
; using "*context=" options, but only to and from "local_t".
(allow container_s local_t (filesystems (relabel)))

; Untrusted components are not allowed to relabel most files, and
; cannot use "*context=" options to impose arbitrary labels.
(neverallow untrusted_s all_s (files (relabel)))
(neverallow untrusted_s unconstrained_o (files (relabel)))
(neverallow untrusted_s unshared_o (filesystems (relabel)))

; Containers may copy or move files from constrained directories
; into unconstrained ones, such as tmpfs mounts. If they attempt to
; also copy the "security.selinux" xattr then this is treated as a
; relabel operation and blocked. Since the operation is otherwise
; successful, suppress this particular audit message.
(dontaudit container_t any_t (file (relabelfrom)))

; No components are allowed to block access to files by using
; fanotify permission events. Fanotify only sends events for
; accesses from within the mount namespace, so it's unlikely to
; be useful for containers, and we don't use it in the host.
(neverallow all_s global (files (block)))

; All subject labels can be used for files on /proc.
(allow all_s proc_t (filesystem (associate)))

; All object labels can be used for files on filesystems that have
; the same label, and for files on ephemeral storage.
(allow all_o self (filesystem (associate)))
(allow all_o ephemeral_o (filesystem (associate)))

; Protected object labels can be used on local storage.
(allow protected_o local_t (filesystem (associate)))

; Shared object labels can also be used, so that volume types like
; emptyDir can be relabeled on behalf of containers.
(allow shared_o local_t (filesystem (associate)))

; Containers are allowed to relax security constraints, since we
; don't control what code they run or how it's built.
(allow container_s self (processes (relax)))
(allow container_s global (files (relax)))

; Host processes should not need to relax security constraints.
(neverallow host_s global (processes (relax)))
(neverallow host_s global (files (relax)))

; Files and directories that reside on the dm-verity backed root
; filesystem are not mutable, and the policy should not permit it.
(neverallow all_s immutable_o (files (mutate)))

; Files that exist elsewhere should not be an entrypoint.
(neverallow all_s ephemeral_o (files (enter)))
(neverallow all_s dynamic_o (files (enter)))

; All subjects are allowed to use most actions related to sockets,
; networks, and IPC mechanisms.
(allow all_s global (sockets (use)))
(allow all_s global (networks (use)))
(allow all_s global (ipcs (use)))

; Only trusted components are allowed to relabel sockets and packets.
(allow trusted_s global (sockets (relabel)))
(allow trusted_s global (networks (relabel)))

; Untrusted components cannot relabel sockets or packets.
(neverallow untrusted_s global (sockets (relabel)))
(neverallow untrusted_s global (networks (relabel)))

; All subjects are allowed to use most systems-level functionality,
; such as bpf and capabilities.
(allow all_s global (systems (use)))

; Only trusted components can use systems-level management functions.
; This includes interactions with SELinux-aware userspace programs
; such as systemd.
(allow trusted_s global (systems (manage)))

; dbus-broker implements DBUS and uses SELinux for access control.
; It also queries systemd for job status.
(allow bus_t global (dbus (all)))
(allow bus_t global (security (compute_av)))
(allow bus_t init_t (system (status)))

; wicked needs DBUS for IPC.
(allow network_t bus_t (dbus (all)))
(allow network_t network_t (dbus (all)))

; Other components cannot use systems-level management functions.
(neverallow other_s global (systems (manage)))