# SELinux file-context specification for container runtimes.
#
# Each entry is:  <pathname regex>  [file-type flag]  <security context>
#   - The regex is matched against the whole path (implicitly anchored).
#   - "--" limits the entry to regular files; with no flag it applies to any file type.
#   - gen_context(context, level) is the policy macro that appends the MLS/MCS
#     level (s0 here) when the policy is built with MLS/MCS support.
#
# Entry order is kept exactly as in the original listing.

# Docker client state for root. There is no "(/.*)?" suffix, so this matches only
# the path itself and not anything stored beneath it.
/root/\.docker	gen_context(system_u:object_r:container_home_t,s0)

# Container runtime executables.
# NOTE(review): *_exec_t is presumably the entrypoint type that lets these
# binaries start in the runtime's domain; the transition rules live in the
# policy module (.te), not in this file -- confirm there.
# The wildcard patterns label every regular file whose name starts with the
# prefix, so these directories should stay writable by root only.
/usr/libexec/docker/.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/libexec/docker/.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/libexec/docker/docker.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/libexec/docker/docker.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/docker.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)

# Kubernetes node agent (kubelet / hyperkube) gets its own executable type.
/usr/s?bin/kubelet.*	--	gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/local/s?bin/kubelet.*	--	gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/s?bin/hyperkube.*	--	gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/local/s?bin/hyperkube.*	--	gen_context(system_u:object_r:kubelet_exec_t,s0)

# docker (local install), containerd and BuildKit daemons.
/usr/local/s?bin/docker.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/containerd.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/containerd.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/buildkitd.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/buildkitd.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)

# LXC / LXD tools and helpers.
/usr/s?bin/lxc-.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/lxd-.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/lxc	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/lxd	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/fuidshift	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/libexec/lxc/.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/libexec/lxd/.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)

# Podman.
/usr/bin/podman	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/bin/podman	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
# Executable labels for the container monitor, OCI runtimes, plugins and CRI-O,
# followed by the Docker systemd unit files.
# Entry format: <pathname regex>  [file-type flag]  <security context>;
# "--" restricts an entry to regular files. Entry order is unchanged.

# conmon has a dedicated executable type, separate from the runtime's.
/usr/bin/conmon	--	gen_context(system_u:object_r:conmon_exec_t,s0)
/usr/local/bin/conmon	--	gen_context(system_u:object_r:conmon_exec_t,s0)

# Low-level OCI runtimes and the Kata agent.
/usr/local/s?bin/runc	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/runc	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/buildkit-runc	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/buildkit-runc	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/crun	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/crun	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/kata-agent	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/kata-agent	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)

# Runtime plugins and versioned docker binaries.
/usr/bin/container[^/]*plugin	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/bin/rhel-push-plugin	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/sbin/rhel-push-plugin	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/docker-latest	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/docker-current	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)

# The novolume plugin is labelled container_auth_exec_t rather than the runtime
# type. This path is also matched by the broader "/usr/s?bin/docker.*" pattern
# found elsewhere in this file.
# NOTE(review): which label is applied depends on file_contexts match
# precedence -- verify the result on an installed policy (e.g. matchpathcon).
/usr/s?bin/docker-novolume-plugin	--	gen_context(system_u:object_r:container_auth_exec_t,s0)

# CRI-O (and its former name, ocid).
/usr/s?bin/crio.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/crio.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/ocid.*	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)

# Plugins under the docker lib directories. The first entry overlaps with the
# "[^/]*plugin" pattern on the line after it, with the same precedence caveat
# as the novolume entry above.
/usr/lib/docker/docker-novolume-plugin	--	gen_context(system_u:object_r:container_auth_exec_t,s0)
/usr/lib/docker/[^/]*plugin	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/lib/docker/[^/]*plugin	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)

# systemd unit files for Docker.
/usr/lib/systemd/system/docker.*	--	gen_context(system_u:object_r:container_unit_file_t,s0)
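# Labels for unit files, configuration, persistent state, logs and runtime
# directories of the container engines.
# Entry format: <pathname regex>  [file-type flag]  <security context>
#   "--" = regular files only, "-s" = sockets only, no flag = any file type.
# Each entry and each comment is on its own line: a "#" comment runs to the end
# of the line, so an entry sharing a line with a comment would be ignored.
# Entry order is unchanged.
#
# NOTE(review): the type names suggest container_file_t is content containers
# may write and container_ro_file_t is content they may only read; the allow
# rules that enforce this are in the policy module (.te), not in this file.

# systemd unit files.
/usr/lib/systemd/system/lxd.*	--	gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/containerd.*	--	gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/buildkit.*	--	gen_context(system_u:object_r:container_unit_file_t,s0)

# Engine configuration.
/etc/docker(/.*)?	gen_context(system_u:object_r:container_config_t,s0)
/etc/docker-latest(/.*)?	gen_context(system_u:object_r:container_config_t,s0)
/etc/containerd(/.*)?	gen_context(system_u:object_r:container_config_t,s0)
/etc/buildkit(/.*)?	gen_context(system_u:object_r:container_config_t,s0)
/etc/crio(/.*)?	gen_context(system_u:object_r:container_config_t,s0)

# Persistent state. The broad "(/.*)?" entry for a directory sets the default;
# the narrower entries after it override specific subtrees or files.
/exports(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/shared(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/registry(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/lxc(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/lxd(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)

# Docker.
/var/lib/docker(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/docker/.*/config\.env	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker/containers/.*/.*\.log	gen_context(system_u:object_r:container_log_t,s0)
/var/lib/docker/containers/.*/hostname	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker/containers/.*/hosts	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker/init(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker/overlay(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)

# containerd and nerdctl.
/var/lib/containerd(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
# The "snapshots" directory of containerd and BuildKit must be writable, as it is used as an upperdir as well as a lowerdir.
/var/lib/containerd/[^/]*/snapshots(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
/var/lib/containerd/[^/]*/sandboxes(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/nerdctl(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/nerdctl/[^/]*/volumes(/.*)?	gen_context(system_u:object_r:container_file_t,s0)

# BuildKit.
/var/lib/buildkit(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/buildkit/[^/]*/snapshots(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
# "/var/lib/buildkit/runc-<WORKER_ID>/executor" contains "resolv.conf" and "hosts.<RANDOM>", for OCI (runc) worker mode.
# NOTE(review): "(/.*?)" looks like a typo for "(/.*)?". As written the slash is
# mandatory, so the "executor" directory itself is not matched by this entry and
# takes its label from a broader /var/lib/buildkit entry. Confirm the intent
# before changing the pattern.
/var/lib/buildkit/runc-.*/executor(/.*?)	gen_context(system_u:object_r:container_ro_file_t,s0)
# "/var/lib/buildkit/containerd-<WORKER_ID>" contains resolv.conf and hosts.<RANDOM>, for containerd worker mode.
# Unlike the runc-<WORKER_ID> directory, this directory does not contain the "executor" directory inside it.
# NOTE(review): same "(/.*?)" form as above. In addition, ".*" can span "/", so
# this entry also matches paths below containerd-<WORKER_ID>/snapshots, which the
# snapshots entry above labels container_file_t. Which entry wins depends on
# file_contexts match precedence -- check the effective label on an installed
# policy (e.g. with matchpathcon).
/var/lib/buildkit/containerd-.*(/.*?)	gen_context(system_u:object_r:container_ro_file_t,s0)

# Rootless storage. HOME_DIR is the placeholder that is expanded once per user
# home directory when the file contexts are generated.
HOME_DIR/\.local/share/containers/storage/overlay(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/overlay2-layers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/overlay-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/overlay2-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.*	gen_context(system_u:object_r:container_file_t,s0)

# System-wide containers/storage.
/var/lib/containers(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/containers/overlay(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/overlay-layers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/overlay2-layers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/overlay-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/overlay2-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
# <<none>> tells the labelling tools to leave existing labels under this tree
# alone. The listing showed "<>" here, which is not a valid context field; the
# angle-bracket pair was evidently stripped during extraction.
/var/lib/containers/atomic(/.*)?	<<none>>
/var/lib/containers/storage/volumes/[^/]*/.*	gen_context(system_u:object_r:container_file_t,s0)
/var/lib/containers/storage/overlay(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/storage/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/storage/overlay-layers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/storage/overlay-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/storage/overlay2-layers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/containers/storage/overlay2-images(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)

# ocid (former name of CRI-O), caches and Kata Containers.
/var/lib/ocid(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/ocid/sandboxes(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/cache/containers(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
/var/cache/kata-containers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/kata-containers(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/run/kata-containers(/.*)?	gen_context(system_u:object_r:container_kvm_var_run_t,s0)

# Kubernetes / OpenShift volume and pod directories. These trees are labelled
# container_file_t, so host data placed here shares a label with pod content.
/var/local-path-provisioner(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
/opt/local-path-provisioner(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
/var/lib/origin(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
/var/lib/kubernetes/pods(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
/var/lib/kubelet(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)

# docker-latest mirrors the /var/lib/docker layout above.
/var/lib/docker-latest(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/docker-latest/.*/config\.env	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/containers/.*/.*\.log	gen_context(system_u:object_r:container_log_t,s0)
/var/lib/docker-latest/containers/.*/hostname	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/containers/.*/hosts	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/init(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/overlay(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)
/var/lib/docker-latest/overlay2(/.*)?	gen_context(system_u:object_r:container_ro_file_t,s0)

# Networking state, pod directories and logs.
/var/lib/cni(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
/var/run/flannel(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
# Narrower than the /var/lib/kubelet entry above: pod directories get
# container_file_t while the rest of the kubelet tree stays container_var_lib_t.
/var/lib/kubelet/pods(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
/var/log/containers(/.*)?	gen_context(system_u:object_r:container_log_t,s0)
/var/log/pods(/.*)?	gen_context(system_u:object_r:container_log_t,s0)

# Runtime directories, PID file and API socket.
/var/run/containers(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
/var/run/crio(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
/var/run/docker(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
/var/run/containerd(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
/var/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?	gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
/var/run/buildkit(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
/var/run/docker\.pid	--	gen_context(system_u:object_r:container_var_run_t,s0)
# "-s" matches the Docker API socket only. Which domains may connect to it is
# decided by policy rules on container_var_run_t (not shown in this file) in
# addition to the socket's ordinary UNIX permissions.
/var/run/docker\.sock	-s	gen_context(system_u:object_r:container_var_run_t,s0)
/var/run/docker-client(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
# Plugin sockets get their own type, narrower than the /var/run/docker entry.
/var/run/docker/plugins(/.*)?	gen_context(system_u:object_r:container_plugin_var_run_t,s0)

# Container content served from /srv.
/srv/containers(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
/var/srv/containers(/.*)?	gen_context(system_u:object_r:container_file_t,s0)

# LXC / LXD locks and logs.
/var/lock/lxc(/.*)?	gen_context(system_u:object_r:container_lock_t,s0)
/var/log/lxc(/.*)?	gen_context(system_u:object_r:container_log_t,s0)
/var/log/lxd(/.*)?	gen_context(system_u:object_r:container_log_t,s0)

# Kubernetes configuration.
/etc/kubernetes(/.*)?	gen_context(system_u:object_r:kubernetes_file_t,s0)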