Merge pull request #31501 from thtanaka/update-oracle-selinux

Update oracle linux selinux to match docker upstream

contrib/selinux-oraclelinux-7/docker-engine-selinux/LICENSE

@@ -1,8 +1,8 @@
 		    GNU GENERAL PUBLIC LICENSE
 		       Version 2, June 1991
 
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
@@ -15,7 +15,7 @@ software--to make sure the software is free for all its users.  This
 General Public License applies to most of the Free Software
 Foundation's software and to any other program whose authors commit to
 using it.  (Some other Free Software Foundation software is covered by
-the GNU Lesser General Public License instead.)  You can apply it to
+the GNU Library General Public License instead.)  You can apply it to
 your programs, too.
 
   When we speak of free software, we are referring to freedom, not
@@ -55,7 +55,7 @@ patent must be licensed for everyone's free use or not licensed at all.
 
   The precise terms and conditions for copying, distribution and
 modification follow.
-
+
 		    GNU GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
@@ -110,7 +110,7 @@ above, provided that you also meet all of these conditions:
     License.  (Exception: if the Program itself is interactive but
     does not normally print such an announcement, your work based on
     the Program is not required to print an announcement.)
-
+
 These requirements apply to the modified work as a whole.  If
 identifiable sections of that work are not derived from the Program,
 and can be reasonably considered independent and separate works in
@@ -168,7 +168,7 @@ access to copy from a designated place, then offering equivalent
 access to copy the source code from the same place counts as
 distribution of the source code, even though third parties are not
 compelled to copy the source along with the object code.
-
+
   4. You may not copy, modify, sublicense, or distribute the Program
 except as expressly provided under this License.  Any attempt
 otherwise to copy, modify, sublicense or distribute the Program is
@@ -225,7 +225,7 @@ impose that choice.
 
 This section is intended to make thoroughly clear what is believed to
 be a consequence of the rest of this License.
-
+
   8. If the distribution and/or use of the Program is restricted in
 certain countries either by patents or by copyrighted interfaces, the
 original copyright holder who places the Program under this License
@@ -278,7 +278,7 @@ PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.
 
 		     END OF TERMS AND CONDITIONS
-
+
 	    How to Apply These Terms to Your New Programs
 
   If you develop a new program, and you want it to be of the greatest
@@ -303,9 +303,10 @@ the "copyright" line and a pointer to where the full notice is found.
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     GNU General Public License for more details.
 
-    You should have received a copy of the GNU General Public License along
-    with this program; if not, write to the Free Software Foundation, Inc.,
-    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
 
 Also add information on how to contact you by electronic and paper mail.
 
@@ -335,5 +336,5 @@ necessary.  Here is a sample; alter the names:
 This General Public License does not permit incorporating your program into
 proprietary programs.  If your program is a subroutine library, you may
 consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Lesser General
+library.  If this is what you want to do, use the GNU Library General
 Public License instead of this License.

contrib/selinux-oraclelinux-7/docker-engine-selinux/Makefile

@@ -14,10 +14,3 @@ all: ${TARGETS:=.pp.bz2}
 clean:
 	rm -f *~  *.tc *.pp *.pp.bz2
 	rm -rf tmp *.tar.gz
-
-man: install
-	sepolicy manpage --domain ${TARGETS}_t
-
-install:
-	semodule -i ${TARGETS}
-

contrib/selinux-oraclelinux-7/docker-engine-selinux/docker.fc

@@ -1,33 +1,18 @@
 /root/\.docker	gen_context(system_u:object_r:docker_home_t,s0)
 
-/usr/bin/docker			--	gen_context(system_u:object_r:docker_exec_t,s0)
-/usr/bin/docker-novolume-plugin		--	gen_context(system_u:object_r:docker_auth_exec_t,s0)
-/usr/lib/docker/docker-novolume-plugin	--	gen_context(system_u:object_r:docker_auth_exec_t,s0)
+/usr/bin/dockerd			--	gen_context(system_u:object_r:docker_exec_t,s0)
 
 /usr/lib/systemd/system/docker.service		--	gen_context(system_u:object_r:docker_unit_file_t,s0)
-/usr/lib/systemd/system/docker-novolume-plugin.service	--	gen_context(system_u:object_r:docker_unit_file_t,s0)
 
 /etc/docker(/.*)?		gen_context(system_u:object_r:docker_config_t,s0)
 
 /var/lib/docker(/.*)?		gen_context(system_u:object_r:docker_var_lib_t,s0)
-/var/lib/kublet(/.*)?		gen_context(system_u:object_r:docker_var_lib_t,s0)
-/var/lib/docker/vfs(/.*)?	gen_context(system_u:object_r:svirt_sandbox_file_t,s0)
 
-/var/run/docker(/.*)?		gen_context(system_u:object_r:docker_var_run_t,s0)
 /var/run/docker\.pid		--	gen_context(system_u:object_r:docker_var_run_t,s0)
 /var/run/docker\.sock		-s	gen_context(system_u:object_r:docker_var_run_t,s0)
 /var/run/docker-client(/.*)?		gen_context(system_u:object_r:docker_var_run_t,s0)
-/var/run/docker/plugins(/.*)?		gen_context(system_u:object_r:docker_plugin_var_run_t,s0)
-
-/var/lock/lxc(/.*)?		gen_context(system_u:object_r:docker_lock_t,s0)
-
-/var/log/lxc(/.*)?		gen_context(system_u:object_r:docker_log_t,s0)
 
 /var/lib/docker/init(/.*)?		gen_context(system_u:object_r:docker_share_t,s0)
 /var/lib/docker/containers/.*/hosts		gen_context(system_u:object_r:docker_share_t,s0)
 /var/lib/docker/containers/.*/hostname		gen_context(system_u:object_r:docker_share_t,s0)
 /var/lib/docker/.*/config\.env	gen_context(system_u:object_r:docker_share_t,s0)
-
-# OL7.2 systemd selinux update
-/var/run/systemd/machines(/.*)?        gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
-/var/lib/machines(/.*)?                        gen_context(system_u:object_r:systemd_machined_var_lib_t,s0)

contrib/selinux-oraclelinux-7/docker-engine-selinux/docker.if

@@ -112,28 +112,7 @@ interface(`docker_read_share_files',`
 	')
 
 	files_search_var_lib($1)
-	list_dirs_pattern($1, docker_share_t, docker_share_t)
 	read_files_pattern($1, docker_share_t, docker_share_t)
-	read_lnk_files_pattern($1, docker_share_t, docker_share_t)
-')
-
-######################################
-## <summary>
-##	Allow the specified domain to execute docker shared files
-##	in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`docker_exec_share_files',`
-	gen_require(`
-		type docker_share_t;
-	')
-
-	can_exec($1, docker_share_t)
 ')
 
 ########################################
@@ -305,7 +284,7 @@ interface(`docker_filetrans_named_content',`
     gen_require(`
         type docker_var_lib_t;
         type docker_share_t;
-    	type docker_log_t;
+	type docker_log_t;
 	    type docker_var_run_t;
         type docker_home_t;
     ')
@@ -313,7 +292,6 @@ interface(`docker_filetrans_named_content',`
     files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
     files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
     files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
-    logging_log_filetrans($1, docker_log_t, dir, "lxc")
     files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
     filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
     filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
@@ -362,6 +340,7 @@ interface(`docker_spc_stream_connect',`
 	allow $1 spc_t:unix_stream_socket connectto;
 ')
 
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
@@ -410,250 +389,73 @@ interface(`docker_admin',`
 	')
 ')
 
-########################################
-## <summary>
-##	Execute docker_auth_exec_t in the docker_auth domain.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`docker_auth_domtrans',`
+interface(`domain_stub_named_filetrans_domain',`
+    gen_require(`
+        attribute named_filetrans_domain;
+    ')
+')
+
+interface(`lvm_stub',`
+    gen_require(`
+        type lvm_t;
+    ')
+')
+interface(`staff_stub',`
+    gen_require(`
+        type staff_t;
+    ')
+')
+interface(`virt_stub_svirt_sandbox_domain',`
 	gen_require(`
-		type docker_auth_t, docker_auth_exec_t;
+		attribute svirt_sandbox_domain;
+	')
+')
+interface(`virt_stub_svirt_sandbox_file',`
+	gen_require(`
+		type svirt_sandbox_file_t;
+	')
+')
+interface(`fs_dontaudit_remount_tmpfs',`
+	gen_require(`
+		type tmpfs_t;
 	')
 
-	corecmd_search_bin($1)
-	domtrans_pattern($1, docker_auth_exec_t, docker_auth_t)
+	dontaudit $1 tmpfs_t:filesystem remount;
 ')
-
-######################################
-## <summary>
-##	Execute docker_auth in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`docker_auth_exec',`
+interface(`dev_dontaudit_list_all_dev_nodes',`
 	gen_require(`
-		type docker_auth_exec_t;
+		type device_t;
 	')
 
-	corecmd_search_bin($1)
-	can_exec($1, docker_auth_exec_t)
+	dontaudit $1 device_t:dir list_dir_perms;
 ')
-
-########################################
-## <summary>
-##	Connect to docker_auth over a unix stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`docker_auth_stream_connect',`
+interface(`kernel_unlabeled_entry_type',`
 	gen_require(`
-		type docker_auth_t, docker_plugin_var_run_t;
+		type unlabeled_t;
 	')
 
-	files_search_pids($1)
-	stream_connect_pattern($1, docker_plugin_var_run_t, docker_plugin_var_run_t, docker_auth_t)
+	domain_entry_file($1, unlabeled_t)
 ')
-
-########################################
-## <summary>
-##	docker domain typebounds calling domain.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain to be typebound.
-## </summary>
-## </param>
-#
-interface(`docker_typebounds',`
+interface(`kernel_unlabeled_domtrans',`
 	gen_require(`
-		type docker_t;
+		type unlabeled_t;
 	')
 
-	typebounds docker_t $1;
+	read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
+	domain_transition_pattern($1, unlabeled_t, $2)
+	type_transition $1 unlabeled_t:process $2;
 ')
-
-########################################
-## <summary>
-##	Allow any docker_exec_t to be an entrypoint of this domain
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`docker_entrypoint',`
+interface(`files_write_all_pid_sockets',`
 	gen_require(`
-		type docker_exec_t;
+		attribute pidfile;
 	')
-	allow $1 docker_exec_t:file entrypoint;
+
+	allow $1 pidfile:sock_file write_sock_file_perms;
 ')
+interface(`dev_dontaudit_mounton_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
 
-########################################
-## <summary>
-##     Send and receive messages from
-##     systemd machined over dbus.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`systemd_dbus_chat_machined',`
-       gen_require(`
-               type systemd_machined_t;
-               class dbus send_msg;
-       ')
-
-       allow $1 systemd_machined_t:dbus send_msg;
-       allow systemd_machined_t $1:dbus send_msg;
-       ps_process_pattern(systemd_machined_t, $1)
+	dontaudit $1 sysfs_t:dir mounton;
 ')
-
-########################################
-## <summary>
-##     Allow any svirt_sandbox_file_t to be an entrypoint of this domain
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-## <rolecap/>
-#
-interface(`virt_sandbox_entrypoint',`
-       gen_require(`
-               type svirt_sandbox_file_t;
-       ')
-       allow $1 svirt_sandbox_file_t:file entrypoint;
-')
-
-########################################
-## <summary>
-##      Send and receive messages from
-##      virt over dbus.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`virt_dbus_chat',`
-        gen_require(`
-                type virtd_t;
-                class dbus send_msg;
-        ')
-
-        allow $1 virtd_t:dbus send_msg;
-        allow virtd_t $1:dbus send_msg;
-        ps_process_pattern(virtd_t, $1)
-')
-
-#######################################
-## <summary>
-##      Read the process state of virt sandbox containers
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`virt_sandbox_read_state',`
-       gen_require(`
-               attribute svirt_sandbox_domain;
-       ')
-
-       ps_process_pattern($1, svirt_sandbox_domain)
-')
-
-######################################
-## <summary>
-##     Send a signal to sandbox domains
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`virt_signal_sandbox',`
-       gen_require(`
-               attribute svirt_sandbox_domain;
-       ')
-
-       allow $1 svirt_sandbox_domain:process signal;
-')
-
-#######################################
-## <summary>
-##     Getattr Sandbox File systems
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`virt_getattr_sandbox_filesystem',`
-       gen_require(`
-              type svirt_sandbox_file_t;
-       ')
-
-       allow $1 svirt_sandbox_file_t:filesystem getattr;
-')
-
-#######################################
-## <summary>
-##     Read Sandbox Files
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`virt_read_sandbox_files',`
-       gen_require(`
-               type svirt_sandbox_file_t;
-       ')
-
-       list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
-       read_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
-       read_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
-')
-
-#######################################
-## <summary>
-##      Read the process state of spc containers
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`docker_spc_read_state',`
-        gen_require(`
-                type spc_t;
-        ')
-
-        ps_process_pattern($1, spc_t)
-')
-

contrib/selinux-oraclelinux-7/docker-engine-selinux/docker.te

@@ -23,10 +23,6 @@ type spc_t;
 domain_type(spc_t)
 role system_r types spc_t;
 
-type docker_auth_t;
-type docker_auth_exec_t;
-init_daemon_domain(docker_auth_t, docker_auth_exec_t)
-
 type spc_var_run_t;
 files_pid_file(spc_var_run_t)
 
@@ -54,9 +50,6 @@ files_tmpfs_file(docker_tmpfs_t)
 type docker_var_run_t;
 files_pid_file(docker_var_run_t)
 
-type docker_plugin_var_run_t;
-files_pid_file(docker_plugin_var_run_t)
-
 type docker_unit_file_t;
 systemd_unit_file(docker_unit_file_t)
 
@@ -66,20 +59,6 @@ term_pty(docker_devpts_t)
 type docker_share_t;
 files_type(docker_share_t)
 
-# OL7 systemd selinux update
-type systemd_machined_t;
-type systemd_machined_exec_t;
-init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
-
-# /run/systemd/machines
-type systemd_machined_var_run_t;
-files_pid_file(systemd_machined_var_run_t)
-
-# /var/lib/machines
-type systemd_machined_var_lib_t;
-files_type(systemd_machined_var_lib_t)
-
-
 ########################################
 #
 # docker local policy
@@ -93,8 +72,6 @@ allow docker_t self:tcp_socket create_stream_socket_perms;
 allow docker_t self:udp_socket create_socket_perms;
 allow docker_t self:capability2 block_suspend;
 
-docker_auth_stream_connect(docker_t)
-
 manage_files_pattern(docker_t, docker_home_t, docker_home_t)
 manage_dirs_pattern(docker_t, docker_home_t, docker_home_t)
 manage_lnk_files_pattern(docker_t, docker_home_t, docker_home_t)
@@ -106,7 +83,6 @@ files_etc_filetrans(docker_t, docker_config_t, dir, "docker")
 
 manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
 manage_files_pattern(docker_t, docker_lock_t, docker_lock_t)
-files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc")
 
 manage_dirs_pattern(docker_t, docker_log_t, docker_log_t)
 manage_files_pattern(docker_t, docker_log_t, docker_log_t)
@@ -229,10 +205,6 @@ optional_policy(`
 	openvswitch_stream_connect(docker_t)
 ')
 
-#
-# lxc rules
-#
-
 allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace };
 
 allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms };
@@ -314,7 +286,6 @@ optional_policy(`
 
 	optional_policy(`
 		systemd_dbus_chat_logind(docker_t)
-		systemd_dbus_chat_machined(docker_t)
 	')
 
 	optional_policy(`
@@ -326,11 +297,6 @@ optional_policy(`
 	udev_read_db(docker_t)
 ')
 
-optional_policy(`
-	unconfined_domain(docker_t)
-	# unconfined_typebounds(docker_t)
-')
-
 optional_policy(`
 	virt_read_config(docker_t)
 	virt_exec(docker_t)
@@ -339,12 +305,10 @@ optional_policy(`
 	virt_exec_sandbox_files(docker_t)
 	virt_manage_sandbox_files(docker_t)
 	virt_relabel_sandbox_filesystem(docker_t)
-	# for lxc
 	virt_transition_svirt_sandbox(docker_t, system_r)
 	virt_mounton_sandbox_file(docker_t)
 #	virt_attach_sandbox_tun_iface(docker_t)
 	allow docker_t svirt_sandbox_domain:tun_socket relabelfrom;
-	virt_sandbox_entrypoint(docker_t)
 ')
 
 tunable_policy(`docker_connect_any',`
@@ -357,19 +321,17 @@ tunable_policy(`docker_connect_any',`
 #
 # spc local policy
 #
-allow spc_t { docker_var_lib_t docker_share_t }:file entrypoint;
+domain_entry_file(spc_t, docker_share_t)
+domain_entry_file(spc_t, docker_var_lib_t)
 role system_r types spc_t;
 
+domain_entry_file(spc_t, docker_share_t)
+domain_entry_file(spc_t, docker_var_lib_t)
 domtrans_pattern(docker_t, docker_share_t, spc_t)
 domtrans_pattern(docker_t, docker_var_lib_t, spc_t)
 allow docker_t spc_t:process { setsched signal_perms };
 ps_process_pattern(docker_t, spc_t)
 allow docker_t spc_t:socket_class_set { relabelto relabelfrom };
-filetrans_pattern(docker_t, docker_var_lib_t, docker_share_t, dir, "overlay")
-
-optional_policy(`
-	systemd_dbus_chat_machined(spc_t)
-')
 
 optional_policy(`
 	dbus_chat_system_bus(spc_t)
@@ -379,87 +341,67 @@ optional_policy(`
 	unconfined_domain_noaudit(spc_t)
 ')
 
+optional_policy(`
+	unconfined_domain(docker_t)
+')
+
 optional_policy(`
 	virt_transition_svirt_sandbox(spc_t, system_r)
-	virt_sandbox_entrypoint(spc_t)
 ')
 
 ########################################
 #
-# docker_auth local policy
+# docker upstream policy
 #
-allow docker_auth_t self:fifo_file rw_fifo_file_perms;
-allow docker_auth_t self:unix_stream_socket create_stream_socket_perms;
-dontaudit docker_auth_t self:capability net_admin;
-
-docker_stream_connect(docker_auth_t)
-
-manage_dirs_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
-manage_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
-manage_sock_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
-manage_lnk_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
-files_pid_filetrans(docker_auth_t, docker_plugin_var_run_t, { dir file lnk_file sock_file })
-
-domain_use_interactive_fds(docker_auth_t)
-
-kernel_read_net_sysctls(docker_auth_t)
-
-auth_use_nsswitch(docker_auth_t)
-
-files_read_etc_files(docker_auth_t)
-
-miscfiles_read_localization(docker_auth_t)
-
-sysnet_dns_name_resolve(docker_auth_t)
-
-########################################
-#
-# OL7.2 systemd selinux update
-# systemd_machined local policy
-#
-allow systemd_machined_t self:capability { dac_override setgid sys_admin sys_chroot sys_ptrace };
-allow systemd_machined_t systemd_unit_file_t:service { status start };
-allow systemd_machined_t self:unix_dgram_socket create_socket_perms;
-
-manage_dirs_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
-manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
-manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
-init_pid_filetrans(systemd_machined_t, systemd_machined_var_run_t, dir, "machines")
-
-manage_dirs_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
-manage_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
-manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
-init_var_lib_filetrans(systemd_machined_t, systemd_machined_var_lib_t, dir, "machines")
-
-kernel_dgram_send(systemd_machined_t)
-# This is a bug, but need for now.
-kernel_read_unlabeled_state(systemd_machined_t)
-
-init_dbus_chat(systemd_machined_t)
-init_status(systemd_machined_t)
-
-userdom_dbus_send_all_users(systemd_machined_t)
-
-term_use_ptmx(systemd_machined_t)
 
 optional_policy(`
-       dbus_connect_system_bus(systemd_machined_t)
-       dbus_system_bus_client(systemd_machined_t)
+#    domain_stub_named_filetrans_domain()
+     gen_require(`
+        attribute named_filetrans_domain;
+     ')
+
+      docker_filetrans_named_content(named_filetrans_domain)
 ')
 
 optional_policy(`
-       docker_read_share_files(systemd_machined_t)
-       docker_spc_read_state(systemd_machined_t)
+    lvm_stub()
+    docker_rw_sem(lvm_t)
 ')
 
 optional_policy(`
-       virt_dbus_chat(systemd_machined_t)
-       virt_sandbox_read_state(systemd_machined_t)
-       virt_signal_sandbox(systemd_machined_t)
-       virt_stream_connect_sandbox(systemd_machined_t)
-       virt_rw_svirt_dev(systemd_machined_t)
-       virt_getattr_sandbox_filesystem(systemd_machined_t)
-       virt_read_sandbox_files(systemd_machined_t)
+    staff_stub()
+    docker_stream_connect(staff_t)
+    docker_exec(staff_t)
 ')
 
+optional_policy(`
+    virt_stub_svirt_sandbox_domain()
+    virt_stub_svirt_sandbox_file()
+    allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms;
+    docker_read_share_files(svirt_sandbox_domain)
+    docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
+    docker_use_ptys(svirt_sandbox_domain)
+    docker_spc_stream_connect(svirt_sandbox_domain)
+    fs_list_tmpfs(svirt_sandbox_domain)
+    fs_rw_hugetlbfs_files(svirt_sandbox_domain)
+    fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
+    dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
 
+    tunable_policy(`virt_sandbox_use_fusefs',`
+	fs_manage_fusefs_dirs(svirt_sandbox_domain)
+	fs_manage_fusefs_files(svirt_sandbox_domain)
+	fs_manage_fusefs_symlinks(svirt_sandbox_domain)
+    ')
+     gen_require(`
+        attribute domain;
+     ')
+
+     dontaudit svirt_sandbox_domain domain:key {search link};
+')
+
+optional_policy(`
+	gen_require(`
+		type pcp_pmcd_t;
+	')
+	docker_manage_lib_files(pcp_pmcd_t)
+')

hack/make/.build-rpm/docker-engine-selinux.spec

@@ -14,6 +14,9 @@ Vendor: Docker
 Packager: Docker <support@docker.com>
 
 %global selinux_policyver 3.13.1-102
+%if 0%{?oraclelinux} >= 7
+%global selinux_policyver 3.13.1-102.0.3.el7_3.15
+%endif # oraclelinux 7
 %global selinuxtype targeted
 %global moduletype  services
 %global modulenames docker

hack/make/.build-rpm/docker-engine.spec

@@ -84,9 +84,12 @@ Requires: device-mapper >= 1.02.90-2
 %if 0%{?fedora} >= 22
 %global selinux_policyver 3.13.1-128
 %endif # fedora 22
-%if 0%{?centos} >= 7 || 0%{?rhel} >= 7 || 0%{?oraclelinux} >= 7
+%if 0%{?centos} >= 7 || 0%{?rhel} >= 7
 %global selinux_policyver 3.13.1-23
-%endif # centos,oraclelinux 7
+%endif # centos,rhel 7
+%if 0%{?oraclelinux} >= 7
+%global selinux_policyver 3.13.1-102.0.3.el7_3.15
+%endif # oraclelinux 7
 %endif # with_selinux
 
 # RE: rhbz#1195804 - ensure min NVR for selinux-policy