You will need two rules, a change_profile rule and a follow-on exec rule. Unfortunately the full information needed is not available at this point. So you can do
change_profile /** -> docker_default,
which will allow change_onexec from an executable (that is the /** part) to the docker-default profile.
The change_profile will not happen immediately but will be delayed until the exec and rechecked at that time, to make sure it is still allowed and that the change_profile is being applied to the correct binary; in this case any exec will work.
You can tighten up the rule by changing the /** to the executable used in the following exec.
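To make the two-rule pattern described in the reply concrete, here is an added profile fragment (not part of the original post or of Docker's shipped policy). The path /usr/local/bin/launcher and the profile name my_launcher are hypothetical placeholders; the target profile is written as docker-default, the name the reply says the rule points at. The first form is the broad rule from the reply; the second is the tightened form where the /** glob is replaced by the executable that performs the exec, paired with the exec rule that permits that exec.

```apparmor
# Added example, not from the original thread. Paths and profile names are assumed.
#include <tunables/global>

profile my_launcher /usr/local/bin/launcher {
  #include <abstractions/base>

  # Broad form from the reply: permit aa_change_onexec() from any executable
  # into docker-default. The transition is deferred to the next exec and
  # re-evaluated then, so with /** any exec the task performs will satisfy it.
  # change_profile /** -> docker-default,

  # Tightened form: only an exec of the named binary may carry the
  # change_onexec request into docker-default.
  change_profile /usr/local/bin/launcher -> docker-default,

  # Follow-on exec rule: the exec itself must still be permitted by policy.
  # The exec mode here (ix) is an assumption for the example; pick the mode
  # your policy requires, the change_profile rule decides the target profile
  # for a change_onexec'd exec.
  /usr/local/bin/launcher ix,
}
```

Load it with `sudo apparmor_parser -r <path-to-file>` and confirm the profile is present with `sudo aa-status`; if the target docker-default profile is not loaded on the host, the change_onexec will be refused at exec time regardless of these rules.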