d47cc12801
Signed-off-by: Kenton Groombridge <me@concord.sh>
171 lines
4.5 KiB
Plaintext
171 lines
4.5 KiB
Plaintext
policy_module(docker)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
container_engine_domain_template(dockerd)
|
|
container_system_engine(dockerd_t)
|
|
type dockerd_exec_t;
|
|
container_engine_executable_file(dockerd_exec_t)
|
|
application_domain(dockerd_t, dockerd_exec_t)
|
|
init_daemon_domain(dockerd_t, dockerd_exec_t)
|
|
ifdef(`enable_mls',`
|
|
init_ranged_daemon_domain(dockerd_t, dockerd_exec_t, s0 - mls_systemhigh)
|
|
')
|
|
mls_trusted_object(dockerd_t)
|
|
|
|
type dockerc_t;
|
|
type dockerc_exec_t;
|
|
container_engine_executable_file(dockerc_t)
|
|
application_domain(dockerc_t, dockerc_exec_t)
|
|
|
|
container_engine_domain_template(dockerd_user)
|
|
container_user_engine(dockerd_user_t)
|
|
application_domain(dockerd_user_t, dockerd_exec_t)
|
|
mls_trusted_object(dockerd_user_t)
|
|
|
|
type dockerc_user_t;
|
|
application_domain(dockerc_user_t, dockerc_exec_t)
|
|
|
|
########################################
|
|
#
|
|
# Docker daemon local policy
|
|
#
|
|
|
|
allow dockerd_t self:netlink_netfilter_socket create_socket_perms;
|
|
allow dockerd_t self:netlink_xfrm_socket create_socket_perms;
|
|
|
|
init_write_runtime_socket(dockerd_t)
|
|
container_runtime_named_socket_activation(dockerd_t)
|
|
|
|
# docker fails to start if /proc/kallsyms is unreadable,
|
|
# but only when btrfs support is disabled
|
|
files_read_kernel_symbol_table(dockerd_t)
|
|
files_dontaudit_write_usr_dirs(dockerd_t)
|
|
|
|
kernel_relabelfrom_unlabeled_dirs(dockerd_t)
|
|
# docker wants to load binfmt_misc
|
|
kernel_request_load_module(dockerd_t)
|
|
kernel_dontaudit_search_fs_sysctls(dockerd_t)
|
|
|
|
logging_send_syslog_msg(dockerd_t)
|
|
|
|
container_stream_connect_system_containers(dockerd_t)
|
|
|
|
# docker manages key.json in /etc/docker
|
|
container_manage_config_files(dockerd_t)
|
|
|
|
# In btrfs mode, docker creates subvolumes which are unlabeled
|
|
# in /var/lib/docker/btrfs/subvolumes. The files inside will
|
|
# become labeled with a file transition, but the subvolume
|
|
# root will always be unlabeled.
|
|
container_unlabeled_var_lib_filetrans(dockerd_t, dir)
|
|
|
|
ifdef(`init_systemd',`
|
|
init_dbus_chat(dockerd_t)
|
|
init_get_transient_units_status(dockerd_t)
|
|
init_start_transient_units(dockerd_t)
|
|
init_start_system(dockerd_t)
|
|
init_stop_system(dockerd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Docker CLI local policy
|
|
#
|
|
|
|
allow dockerc_t self:process { getsched signal };
|
|
allow dockerc_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
allow dockerc_t dockerd_t:unix_stream_socket connectto;
|
|
|
|
corecmd_dontaudit_search_bin(dockerc_t)
|
|
|
|
domain_use_interactive_fds(dockerc_t)
|
|
|
|
auth_use_nsswitch(dockerc_t)
|
|
|
|
miscfiles_read_localization(dockerc_t)
|
|
|
|
userdom_use_user_ptys(dockerc_t)
|
|
|
|
container_stream_connect_system_containers(dockerc_t)
|
|
|
|
########################################
|
|
#
|
|
# Rootless Docker daemon local policy
|
|
#
|
|
|
|
# rootless docker is really just docker running as root, but in a user namespace
|
|
|
|
allow dockerd_user_t self:netlink_netfilter_socket create_socket_perms;
|
|
allow dockerd_user_t self:netlink_xfrm_socket create_socket_perms;
|
|
|
|
fs_getattr_fusefs(dockerd_user_t)
|
|
fs_mount_fusefs(dockerd_user_t)
|
|
fs_unmount_fusefs(dockerd_user_t)
|
|
fs_remount_fusefs(dockerd_user_t)
|
|
fs_manage_fusefs_dirs(dockerd_user_t)
|
|
fs_manage_fusefs_files(dockerd_user_t)
|
|
fs_manage_fusefs_symlinks(dockerd_user_t)
|
|
fs_exec_fusefs_files(dockerd_user_t)
|
|
fs_mounton_fusefs(dockerd_user_t)
|
|
|
|
kernel_dontaudit_request_load_module(dockerd_user_t)
|
|
|
|
storage_rw_fuse(dockerd_user_t)
|
|
|
|
init_write_runtime_socket(dockerd_user_t)
|
|
|
|
logging_send_syslog_msg(dockerd_user_t)
|
|
|
|
mount_exec(dockerd_user_t)
|
|
|
|
container_setattr_container_ptys(dockerd_user_t)
|
|
container_use_container_ptys(dockerd_user_t)
|
|
|
|
ifdef(`init_systemd',`
|
|
systemd_search_user_runtime(dockerd_user_t)
|
|
systemd_write_user_runtime_socket(dockerd_user_t)
|
|
systemd_start_user_runtime_units(dockerd_user_t)
|
|
systemd_stop_user_runtime_units(dockerd_user_t)
|
|
systemd_status_user_runtime_units(dockerd_user_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_getattr_session_runtime_socket(dockerd_user_t)
|
|
dbus_write_session_runtime_socket(dockerd_user_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rootlesskit_exec(dockerd_user_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Rootless Docker CLI local policy
|
|
#
|
|
|
|
allow dockerc_user_t self:process { getsched signal };
|
|
allow dockerc_user_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
allow dockerc_user_t dockerd_user_t:unix_stream_socket connectto;
|
|
|
|
corecmd_search_bin(dockerc_user_t)
|
|
|
|
domain_use_interactive_fds(dockerc_user_t)
|
|
|
|
auth_use_nsswitch(dockerc_user_t)
|
|
|
|
miscfiles_read_localization(dockerc_user_t)
|
|
|
|
userdom_use_user_ptys(dockerc_user_t)
|
|
userdom_search_user_home_dirs(dockerc_user_t)
|
|
userdom_search_user_runtime(dockerc_user_t)
|
|
|
|
xdg_search_data_dirs(dockerc_user_t)
|
|
|
|
container_stream_connect_user_containers(dockerc_user_t)
|