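# SELinux policy module "traefik_docker", version 1.0.
#
# Purpose: adds three allow rules whose source domain is container_t:
#   - write on sock_file objects labelled container_file_t
#   - write on sock_file objects labelled container_var_run_t
#   - connectto on unix_stream_socket objects owned by container_runtime_t
# The module name and the audit2allow-style banner below suggest it was
# generated from denials logged while a Traefik container tried to reach the
# container runtime's UNIX socket - TODO confirm against the original AVC records.
#
# NOTE(review): the rules are keyed on container_t, not on a Traefik-specific
# type, so once the module is loaded every process running in container_t
# gets the same access, not only the container this was written for.
# A container that can talk to the runtime's control socket can usually ask
# the runtime to start further containers with host mounts or extra
# privileges, so treat this module as removing SELinux's protection of that
# socket for all container_t workloads. Narrower options to evaluate first:
# run the one container that needs the socket in a dedicated domain and grant
# the access to that domain only, or put a proxy in front of the socket that
# exposes only the read-only API calls the consumer needs.
module traefik_docker 1.0;

require {
	type container_runtime_t;
	type container_t;
	type container_file_t;
	type container_var_run_t;
	class sock_file write;
	class unix_stream_socket connectto;
}

#============= container_t ==============

#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# The four constraint lines below are diagnostic output, not policy
# statements; each one is kept as a comment so the module source still
# compiles.
#	mlsconstrain sock_file { ioctl read getattr } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
#	mlsconstrain sock_file { write setattr } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
#	mlsconstrain sock_file { relabelfrom } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
#	mlsconstrain sock_file { create relabelto } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
#	Possible cause is the source level (s0:c487,c715) and target level (s0:c252,c259) are different.
#
# NOTE(review): per the banner above, this denial came from the MCS
# constraint (the two category sets differ), not from a missing type
# enforcement rule. The allow rule that follows therefore does not by itself
# lift that denial; the banner says the source or target attributes would
# have to change. Confirm whether the rule is needed at all before loading it.
allow container_t container_file_t:sock_file write;

# Lets container_t processes connect to a UNIX stream socket whose peer runs
# as container_runtime_t (presumably the container engine daemon - verify on
# the target host).
allow container_t container_runtime_t:unix_stream_socket connectto;

# Lets container_t processes write to socket files labelled
# container_var_run_t (presumably the runtime's socket under its run
# directory - verify the label on the actual socket path).
allow container_t container_var_run_t:sock_file write;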