mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
32b1f26c51
This adds the ability to have different profiles for individual distros
and versions of the distro because they all ship with and depend on
different versions of policy packages.
The `selinux` dir contains the unmodified policy that is being used
today. The `selinux-fedora` dir contains the new policy for fedora 24
with the changes for it to compile and work on the system.
The fedora policy is from commit
4a6ce94da5
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
523 lines
11 KiB
Text
523 lines
11 KiB
Text
|
|
## <summary>The open-source application container engine.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute docker in the docker domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_domtrans',`
|
|
gen_require(`
|
|
type docker_t, docker_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, docker_exec_t, docker_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute docker in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_exec',`
|
|
gen_require(`
|
|
type docker_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
can_exec($1, docker_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search docker lib directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_search_lib',`
|
|
gen_require(`
|
|
type docker_var_lib_t;
|
|
')
|
|
|
|
allow $1 docker_var_lib_t:dir search_dir_perms;
|
|
files_search_var_lib($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute docker lib directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_exec_lib',`
|
|
gen_require(`
|
|
type docker_var_lib_t;
|
|
')
|
|
|
|
allow $1 docker_var_lib_t:dir search_dir_perms;
|
|
can_exec($1, docker_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read docker lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_read_lib_files',`
|
|
gen_require(`
|
|
type docker_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
read_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read docker share files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_read_share_files',`
|
|
gen_require(`
|
|
type docker_share_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
list_dirs_pattern($1, docker_share_t, docker_share_t)
|
|
read_files_pattern($1, docker_share_t, docker_share_t)
|
|
read_lnk_files_pattern($1, docker_share_t, docker_share_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow the specified domain to execute apache
|
|
## in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_exec',`
|
|
gen_require(`
|
|
type httpd_exec_t;
|
|
')
|
|
|
|
can_exec($1, httpd_exec_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Allow the specified domain to execute docker shared files
|
|
## in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_exec_share_files',`
|
|
gen_require(`
|
|
type docker_share_t;
|
|
')
|
|
|
|
can_exec($1, docker_share_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Manage docker lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_manage_lib_files',`
|
|
gen_require(`
|
|
type docker_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
|
|
manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Manage docker lib directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_manage_lib_dirs',`
|
|
gen_require(`
|
|
type docker_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create objects in a docker var lib directory
|
|
## with an automatic type transition to
|
|
## a specified private type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="private_type">
|
|
## <summary>
|
|
## The type of the object to create.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="object_class">
|
|
## <summary>
|
|
## The class of the object to be created.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="name" optional="true">
|
|
## <summary>
|
|
## The name of the object being created.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_lib_filetrans',`
|
|
gen_require(`
|
|
type docker_var_lib_t;
|
|
')
|
|
|
|
filetrans_pattern($1, docker_var_lib_t, $2, $3, $4)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read docker PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_read_pid_files',`
|
|
gen_require(`
|
|
type docker_var_run_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
read_files_pattern($1, docker_var_run_t, docker_var_run_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute docker server in the docker domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_systemctl',`
|
|
gen_require(`
|
|
type docker_t;
|
|
type docker_unit_file_t;
|
|
')
|
|
|
|
systemd_exec_systemctl($1)
|
|
init_reload_services($1)
|
|
systemd_read_fifo_file_passwd_run($1)
|
|
allow $1 docker_unit_file_t:file read_file_perms;
|
|
allow $1 docker_unit_file_t:service manage_service_perms;
|
|
|
|
ps_process_pattern($1, docker_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write docker shared memory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_rw_sem',`
|
|
gen_require(`
|
|
type docker_t;
|
|
')
|
|
|
|
allow $1 docker_t:sem rw_sem_perms;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Read and write the docker pty type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_use_ptys',`
|
|
gen_require(`
|
|
type docker_devpts_t;
|
|
')
|
|
|
|
allow $1 docker_devpts_t:chr_file rw_term_perms;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Allow domain to create docker content
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_filetrans_named_content',`
|
|
|
|
gen_require(`
|
|
type docker_var_lib_t;
|
|
type docker_share_t;
|
|
type docker_log_t;
|
|
type docker_var_run_t;
|
|
type docker_home_t;
|
|
')
|
|
|
|
files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
|
|
files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
|
|
files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
|
|
logging_log_filetrans($1, docker_log_t, dir, "lxc")
|
|
files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
|
|
filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
|
|
filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
|
|
filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
|
|
filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf")
|
|
filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
|
|
userdom_admin_home_dir_filetrans($1, docker_home_t, dir, ".docker")
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Connect to docker over a unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_stream_connect',`
|
|
gen_require(`
|
|
type docker_t, docker_var_run_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Connect to SPC containers over a unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_spc_stream_connect',`
|
|
gen_require(`
|
|
type spc_t, spc_var_run_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
files_write_all_pid_sockets($1)
|
|
allow $1 spc_t:unix_stream_socket connectto;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to administrate
|
|
## an docker environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_admin',`
|
|
gen_require(`
|
|
type docker_t;
|
|
type docker_var_lib_t, docker_var_run_t;
|
|
type docker_unit_file_t;
|
|
type docker_lock_t;
|
|
type docker_log_t;
|
|
type docker_config_t;
|
|
')
|
|
|
|
allow $1 docker_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, docker_t)
|
|
|
|
admin_pattern($1, docker_config_t)
|
|
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, docker_var_lib_t)
|
|
|
|
files_search_pids($1)
|
|
admin_pattern($1, docker_var_run_t)
|
|
|
|
files_search_locks($1)
|
|
admin_pattern($1, docker_lock_t)
|
|
|
|
logging_search_logs($1)
|
|
admin_pattern($1, docker_log_t)
|
|
|
|
docker_systemctl($1)
|
|
admin_pattern($1, docker_unit_file_t)
|
|
allow $1 docker_unit_file_t:service all_service_perms;
|
|
|
|
optional_policy(`
|
|
systemd_passwd_agent_exec($1)
|
|
systemd_read_fifo_file_passwd_run($1)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute docker_auth_exec_t in the docker_auth domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_auth_domtrans',`
|
|
gen_require(`
|
|
type docker_auth_t, docker_auth_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, docker_auth_exec_t, docker_auth_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Execute docker_auth in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_auth_exec',`
|
|
gen_require(`
|
|
type docker_auth_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
can_exec($1, docker_auth_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Connect to docker_auth over a unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_auth_stream_connect',`
|
|
gen_require(`
|
|
type docker_auth_t, docker_plugin_var_run_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
stream_connect_pattern($1, docker_plugin_var_run_t, docker_plugin_var_run_t, docker_auth_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## docker domain typebounds calling domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to be typebound.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`docker_typebounds',`
|
|
gen_require(`
|
|
type docker_t;
|
|
')
|
|
|
|
typebounds docker_t $1;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow any docker_exec_t to be an entrypoint of this domain
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`docker_entrypoint',`
|
|
gen_require(`
|
|
type docker_exec_t;
|
|
')
|
|
allow $1 docker_exec_t:file entrypoint;
|
|
')
|