policy_module(traefik_docker, 1.0.0)

########################################
#
# Declarations
#
# Everything used below is declared by the container-selinux base
# policy; this module only references it, it defines no new types.
#

require {
	type container_t;
	type container_var_run_t;
	type container_file_t;
	type container_runtime_t;
	class sock_file { write read };
	class unix_stream_socket { connectto };
}

########################################
#
# Local policy
#
# Scope note for reviewers: the subject of every rule is the generic
# container_t domain, so the grant applies to every container that
# runs under the default label on this host, not only to Traefik.
# Access to the Docker socket lets a client drive the daemon, which
# on most hosts is equivalent to host-level control; keep this module
# loaded only on hosts where every container_t workload is trusted,
# and prefer a dedicated domain for the one container that needs it.
#

# Allow containers to write to Docker socket.
# Two object labels are covered: the socket as labeled at its runtime
# location (container_var_run_t) and the label it typically carries once
# bind-mounted into a container with relabeling (container_file_t).
allow container_t { container_var_run_t container_file_t }:sock_file { write read };

# Allow containers to connect to Docker daemon.
# Opening the socket is not enough; the peer is the daemon's own domain,
# so the connect to container_runtime_t has to be permitted separately.
allow container_t container_runtime_t:unix_stream_socket connectto;