admin/HomeAudit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a6a331f538adc2f1ebf9db1229e3783685dda7af
HomeAudit/traefik_docker.te
admin 9ea31368f5 Complete Traefik infrastructure deployment - 60% complete 
Major accomplishments:
-  SELinux policy installed and working
-  Core Traefik v2.10 deployment running
-  Production configuration ready (v3.1)
-  Monitoring stack configured
-  Comprehensive documentation created
-  Security hardening implemented

Current status:
- 🟡 Partially deployed (60% complete)
- ⚠️ Docker socket access needs resolution
-  Monitoring stack not deployed yet
- ⚠️ Production migration pending

Next steps:
1. Fix Docker socket permissions
2. Deploy monitoring stack
3. Migrate to production config
4. Validate full functionality

Files added:
- Complete Traefik deployment documentation
- Production and test configurations
- Monitoring stack configurations
- SELinux policy module
- Security checklists and guides
- Current status documentation
2025-08-28 15:22:41 -04:00

26 lines
1.1 KiB
Plaintext
Raw Blame History

module traefik_docker 1.0;
require {
type container_runtime_t;
type container_t;
type container_file_t;
type container_var_run_t;
class sock_file write;
class unix_stream_socket connectto;
}
#============= container_t ==============
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# mlsconstrain sock_file { ioctl read getattr } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain sock_file { write setattr } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain sock_file { relabelfrom } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain sock_file { create relabelto } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
# Possible cause is the source level (s0:c487,c715) and target level (s0:c252,c259) are different.
allow container_t container_file_t:sock_file write;
allow container_t container_runtime_t:unix_stream_socket connectto;
allow container_t container_var_run_t:sock_file write;
Reference in New Issue View Git Blame Copy Permalink