embedded_container.cil

(block embedded_container
    (blockinherit container)
    (blockinherit net_container)
    (allow process process ( capability ( chown dac_override fsetid fowner mknod net_raw setgid setuid setfcap setpcap net_bind_service sys_chroot kill audit_write ))) 

    (allow process usb_device_t ( dir ( open read getattr lock search ioctl add_name remove_name write ))) 
    (allow process usb_device_t ( file ( getattr read write append ioctl lock map open create  ))) 
    (allow process usb_device_t ( sock_file ( getattr read write append open  ))) 
    (allow process usb_device_t (chr_file (ioctl read write getattr lock append open)))
    (allow process device_t ( dir ( open read getattr lock search ioctl add_name remove_name write ))) 
    (allow process device_t ( file ( getattr read write append ioctl lock map open create  ))) 
    (allow process device_t ( sock_file ( getattr read write append open  ))) 

    (allow process tty_device_t (dir (getattr search open)))
    (allow process tty_device_t (dir (ioctl read getattr lock search open)))
    (allow process tty_device_t (lnk_file (read getattr)))
    (allow process tty_device_t (chr_file (ioctl read write getattr lock append open)))

    (allow process usbtty_device_t (dir (getattr search open)))
    (allow process usbtty_device_t (dir (ioctl read getattr lock search open)))
    (allow process usbtty_device_t (lnk_file (read getattr)))
    (allow process usbtty_device_t (chr_file (ioctl read write getattr lock append open)))
)