nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
242e371ac2
selinux-refpolicy/policy/modules/services/docker.if
Kenton Groombridge 70836481d0 docker: make rootlesskit optional 
Avoid a potential build error and circular dependency by making
rootlesskit optional. Note that rootlesskit is still required in order
for rootless docker to function.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-01-24 17:39:10 -05:00

238 lines
4.5 KiB
Plaintext
Raw Blame History

## <summary>Policy for docker</summary>
########################################
## <summary>
## Execute docker CLI in the docker CLI domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`docker_domtrans_cli',`
gen_require(`
type dockerc_t, dockerc_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dockerc_exec_t, dockerc_t)
')
########################################
## <summary>
## Execute docker CLI in the docker CLI
## domain, and allow the specified role
## the docker CLI domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the docker domain.
## </summary>
## </param>
#
interface(`docker_run_cli',`
gen_require(`
type dockerc_t;
')
role $2 types dockerc_t;
docker_domtrans_cli($1)
')
########################################
## <summary>
## Execute docker in the docker user domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`docker_domtrans_user_daemon',`
gen_require(`
type dockerd_user_t, dockerd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dockerd_exec_t, dockerd_user_t)
')
########################################
## <summary>
## Execute docker in the docker user
## domain, and allow the specified
## role the docker user domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the docker domain.
## </summary>
## </param>
#
interface(`docker_run_user_daemon',`
gen_require(`
type dockerd_user_t;
')
role $2 types dockerd_user_t;
docker_domtrans_user_daemon($1)
')
########################################
## <summary>
## Execute docker CLI in the docker CLI
## user domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`docker_domtrans_user_cli',`
gen_require(`
type dockerc_user_t, dockerc_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dockerc_exec_t, dockerc_user_t)
')
########################################
## <summary>
## Execute docker CLI in the docker CLI
## user domain, and allow the specified
## role the docker CLI user domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the docker
## user domain.
## </summary>
## </param>
#
interface(`docker_run_user_cli',`
gen_require(`
type dockerc_user_t;
')
role $2 types dockerc_user_t;
docker_domtrans_user_cli($1)
')
########################################
## <summary>
## Role access for rootless docker.
## </summary>
## <param name="role_prefix">
## <summary>
## The prefix of the user role (e.g., user
## is the prefix for user_r).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## User domain for the role.
## </summary>
## </param>
## <param name="user_exec_domain">
## <summary>
## User exec domain for execute and transition access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
template(`docker_user_role',`
gen_require(`
type dockerd_user_t;
type dockerd_exec_t;
')
role $4 types dockerd_user_t;
docker_run_user_daemon($3, $4)
docker_run_user_cli($3, $4)
ifdef(`init_systemd',`
systemd_user_daemon_domain($1, dockerd_exec_t, dockerd_user_t)
systemd_user_send_systemd_notify($1, dockerd_user_t)
')
optional_policy(`
dbus_spec_session_bus_client($1, dockerd_user_t)
')
optional_policy(`
rootlesskit_role($1, $2, $3, $4)
')
')
########################################
## <summary>
## Send signals to the rootless docker daemon.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`docker_signal_user_daemon',`
gen_require(`
type dockerd_user_t;
')
allow $1 dockerd_user_t:process signal;
')
########################################
## <summary>
## All of the rules required to
## administrate a docker
## environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`docker_admin',`
docker_run_cli($1, $2)
optional_policy(`
rootlesskit_run($1, $2)
')
')
Reference in New Issue View Git Blame Copy Permalink