Comment 1 for bug 1997374

John Johansen (jjohansen) wrote :

You will need two rules: a change_profile rule and a follow-on exec rule. Unfortunately, the full information needed is not available at this point, so you can do

  change_profile /** -> docker_default,

which will allow change_onexec from an executable (that is the /** part) to the docker-default profile.

The change_profile will not happen immediately but will be delayed until the exec and rechecked at that time, to make sure it is still allowed and that the change_profile is being applied to the correct binary; in this case any exec will work.

You can tighten up the rule by changing the /** to the executable used in the following exec.
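As an added illustration of the two rules described in the comment above (this is not policy from the bug thread or from Docker), here is a hypothetical launcher profile showing the broad form beside the tightened form. The launcher path /usr/local/bin/launcher, the executed binary /usr/bin/runc and the target profile name docker-default are assumptions for the example.

```apparmor
# Added example, not from the bug thread. Placeholder paths throughout.
# Assumes a profile named docker-default is already loaded in the kernel.
profile launcher /usr/local/bin/launcher {
  #include <abstractions/base>

  # Broad form from the comment: allow change_onexec into docker-default
  # from any executable (the /** part). Kept here only for comparison.
  # change_profile /** -> docker-default,

  # Tightened form: permit change_onexec into docker-default only when the
  # following exec is of /usr/bin/runc. The transition is deferred until the
  # exec and rechecked then against this executable.
  change_profile /usr/bin/runc -> docker-default,

  # Follow-on exec rule: the exec itself must still be allowed by an x rule;
  # the change_profile rule alone does not grant execute permission.
  /usr/bin/runc ix,
}
```

Loading this with apparmor_parser and running the launcher under it lets you confirm in the audit log that the exec is allowed and the child lands in docker-default, and that execs of any other binary are denied.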