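## <summary>The open-source application container engine.</summary>

########################################
## <summary>
##	Execute docker in the docker domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`docker_domtrans',`
	gen_require(`
		type docker_t, docker_exec_t;
	')

	# Locate the binary under the standard bin directories.
	corecmd_search_bin($1)
	# Execute docker_exec_t and transition into docker_t: the caller never
	# runs the engine in its own security context.
	domtrans_pattern($1, docker_exec_t, docker_t)
')

########################################
## <summary>
##	Execute docker in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to execute docker without a domain transition.
##	</summary>
## </param>
#
interface(`docker_exec',`
	gen_require(`
		type docker_exec_t;
	')

	corecmd_search_bin($1)
	# No transition: whatever the docker binary does is attributed to, and
	# constrained by, $1. Reaching the daemon additionally needs
	# docker_stream_connect($1), which is not granted here.
	can_exec($1, docker_exec_t)
')

########################################
## <summary>
##	Search docker lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_search_lib',`
	gen_require(`
		type docker_var_lib_t;
	')

	allow $1 docker_var_lib_t:dir search_dir_perms;
	# Search /var/lib itself as well, so the docker_var_lib_t tree is
	# reachable by path without relying on the caller's other rules.
	files_search_var_lib($1)
')

########################################
## <summary>
##	Execute files in docker lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_exec_lib',`
	gen_require(`
		type docker_var_lib_t;
	')

	# Reach /var/lib the same way docker_search_lib does; without it this
	# interface only works for callers that can already search /var/lib.
	files_search_var_lib($1)
	allow $1 docker_var_lib_t:dir search_dir_perms;
	# Executes docker_var_lib_t files in the caller's own domain, with no
	# transition. NOTE(review): everything under /var/lib/docker is
	# engine-managed content (presumably image and container data); grant
	# this only to domains that genuinely must run such files directly.
	can_exec($1, docker_var_lib_t)
')

########################################
## <summary>
##	Read docker lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.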
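##	</summary>
## </param>
#
interface(`docker_read_lib_files',`
	gen_require(`
		type docker_var_lib_t;
	')

	files_search_var_lib($1)
	# read_files_pattern also grants search on docker_var_lib_t directories,
	# so the files are reachable by path from /var/lib.
	read_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
')

########################################
## <summary>
##	Read docker share files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_read_share_files',`
	gen_require(`
		type docker_var_lib_t, docker_share_t;
	')

	files_search_var_lib($1)
	# docker_share_t objects are created inside docker_var_lib_t directories
	# (see the filetrans rules in docker_filetrans_named_content), while
	# read_files_pattern below only grants search on docker_share_t dirs.
	# Search on docker_var_lib_t is therefore needed to actually reach them.
	allow $1 docker_var_lib_t:dir search_dir_perms;
	read_files_pattern($1, docker_share_t, docker_share_t)
')

########################################
## <summary>
##	Manage docker lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_manage_lib_files',`
	gen_require(`
		type docker_var_lib_t;
	')

	files_search_var_lib($1)
	# Full management (create, read, write, rename, delete) of
	# docker_var_lib_t files and symlinks. NOTE(review): this is write
	# access to everything the engine stores under /var/lib/docker; keep it
	# to the daemon and administrative domains.
	manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
	manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
')

########################################
## <summary>
##	Manage docker lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_manage_lib_dirs',`
	gen_require(`
		type docker_var_lib_t;
	')

	files_search_var_lib($1)
	# Directory-level management only; file contents are covered by
	# docker_manage_lib_files.
	manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t)
')

########################################
## <summary>
##	Create objects in a docker var lib directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.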
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`docker_lib_filetrans',`
	gen_require(`
		type docker_var_lib_t;
	')

	# $2 = private type, $3 = object class, $4 = optional file name. Objects
	# of class $3 that $1 creates inside docker_var_lib_t directories are
	# labeled $2 instead of inheriting docker_var_lib_t.
	filetrans_pattern($1, docker_var_lib_t, $2, $3, $4)
')

########################################
## <summary>
##	Read docker PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_read_pid_files',`
	gen_require(`
		type docker_var_run_t;
	')

	# Read-only: docker_var_run_t files (e.g. docker.pid) under the pid
	# directory. This does not grant access to the daemon socket; see
	# docker_stream_connect for that.
	files_search_pids($1)
	read_files_pattern($1, docker_var_run_t, docker_var_run_t)
')

########################################
## <summary>
##	Manage the docker service through systemctl: execute systemctl,
##	reload init service definitions, read the docker unit file and
##	exercise the service management permissions on it. (Does not
##	execute the engine binary itself; see docker_domtrans.)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_systemctl',`
	gen_require(`
		type docker_t;
		type docker_unit_file_t;
	')

	# Run systemctl and let it ask init to reload service definitions.
	systemd_exec_systemctl($1)
	init_reload_services($1)
	# Read the FIFO under the password-agent run directory (presumably
	# systemd's ask-password channel). Granted unconditionally here,
	# whereas docker_admin wraps the same call in optional_policy.
	systemd_read_fifo_file_passwd_run($1)
	allow $1 docker_unit_file_t:file read_file_perms;
	# Service-class management permissions (start, stop, status, ...) on
	# the docker unit: this is what actually controls the daemon lifecycle.
	allow $1 docker_unit_file_t:service manage_service_perms;

	# Let the caller see docker_t processes (ps, /proc/<pid> reads).
	ps_process_pattern($1, docker_t)
')

########################################
## <summary>
##	Read and write docker SysV semaphores.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_rw_sem',`
	gen_require(`
		type docker_t;
	')

	# Note the class is sem (SysV semaphores owned by docker_t), not shm:
	# this interface grants nothing on shared memory segments.
	allow $1 docker_t:sem rw_sem_perms;
')

#######################################
## <summary>
##	Read and write the docker pty type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_use_ptys',`
	gen_require(`
		type docker_devpts_t;
	')

	# Terminal read/write permissions on pty character devices labeled
	# docker_devpts_t (the ptys the engine allocates).
	allow $1 docker_devpts_t:chr_file rw_term_perms;
')

#######################################
## <summary>
##	Allow domain to create docker content with the correct labels:
##	named type transitions for the files, sockets and directories
##	the engine creates under /run, /var/log, /var/lib and admin
##	home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_filetrans_named_content',`

	gen_require(`
		type docker_var_lib_t;
		type docker_share_t;
		type docker_log_t;
		type docker_var_run_t;
		type docker_home_t;
	')

	# Objects $1 creates in the pid directory with these exact names are
	# labeled docker_var_run_t (docker.sock is the daemon API socket).
	files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
	files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
	files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
	# "lxc" under the log directory -> docker_log_t; "docker" under
	# /var/lib -> docker_var_lib_t.
	logging_log_filetrans($1, docker_log_t, dir, "lxc")
	files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
	# Per-container configuration created inside docker_var_lib_t
	# directories gets the separate docker_share_t label rather than
	# docker_var_lib_t; presumably so it can be exposed to containers on
	# its own -- the rules that consume docker_share_t live in the .te file.
	filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
	filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
	filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
	filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf")
	filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
	# ".docker" created in an admin home directory -> docker_home_t.
	userdom_admin_home_dir_filetrans($1, docker_home_t, dir, ".docker")
')

########################################
## <summary>
##	Connect to docker over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_stream_connect',`
	gen_require(`
		type docker_t, docker_var_run_t;
	')

	files_search_pids($1)
	# stream_connect_pattern grants search on docker_var_run_t directories,
	# write on the docker_var_run_t socket file and connectto on docker_t's
	# unix stream sockets -- i.e. access to the daemon API socket.
	# NOTE(review): that socket is the engine's control plane, so treat
	# this as a privileged grant, not a plain client permission.
	stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
')

########################################
## <summary>
##	Connect to SPC (spc_t) containers over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_spc_stream_connect',`
	gen_require(`
		type spc_t, spc_var_run_t;
	')

	files_search_pids($1)
	# NOTE(review): files_write_all_pid_sockets (defined at the end of this
	# file) grants write on the sock_file of *every* pidfile-attributed
	# type, i.e. any daemon's socket under the pid directory, not only SPC
	# sockets. spc_var_run_t is required above but never used; if SPC
	# sockets are in fact labeled spc_var_run_t, the least-privilege form
	# would be stream_connect_pattern($1, spc_var_run_t, spc_var_run_t,
	# spc_t) -- TODO confirm the socket label before narrowing.
	files_write_all_pid_sockets($1)
	allow $1 spc_t:unix_stream_socket connectto;
')


########################################
## <summary>
##	All of the rules required to administrate
##	a docker environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_admin',`
	gen_require(`
		type docker_t;
		type docker_var_lib_t, docker_var_run_t;
		type docker_unit_file_t;
		type docker_lock_t;
		type docker_log_t;
		type docker_config_t;
	')

	# ptrace on the daemon lets the admin domain attach to and take over
	# the running engine; signal_perms covers every signal. Both are
	# appropriate for a real admin role and for nothing less.
	allow $1 docker_t:process { ptrace signal_perms };
	ps_process_pattern($1, docker_t)

	# admin_pattern: full management of the type (including relabeling),
	# applied to each docker-owned file type below.
	admin_pattern($1, docker_config_t)

	files_search_var_lib($1)
	admin_pattern($1, docker_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, docker_var_run_t)

	files_search_locks($1)
	admin_pattern($1, docker_lock_t)

	logging_search_logs($1)
	admin_pattern($1, docker_log_t)

	# Service control: docker_systemctl grants manage_service_perms on the
	# unit; all_service_perms below widens that to every service permission.
	docker_systemctl($1)
	admin_pattern($1, docker_unit_file_t)
	allow $1 docker_unit_file_t:service all_service_perms;

	# systemd_read_fifo_file_passwd_run is already granted unconditionally
	# by docker_systemctl above, so this block effectively only adds
	# systemd_passwd_agent_exec when the systemd module is present.
	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
')

# Compatibility stubs. These declare interfaces that newer base policies
# provide, presumably so this module still builds against older ones --
# confirm against the target policy version. The gen_require-only stubs
# grant nothing; they merely make the named type/attribute a requirement.
interface(`domain_stub_named_filetrans_domain',`
	gen_require(`
		attribute named_filetrans_domain;
	')
')

interface(`lvm_stub',`
	gen_require(`
		type lvm_t;
	')
')
interface(`staff_stub',`
	gen_require(`
		type staff_t;
	')
')
interface(`virt_stub_lxc',`
	gen_require(`
		type virtd_lxc_t;
	')
')
interface(`virt_stub_svirt_sandbox_domain',`
	gen_require(`
		attribute svirt_sandbox_domain;
	')
')
interface(`virt_stub_svirt_sandbox_file',`
	gen_require(`
		type svirt_sandbox_file_t;
	')
')
# dontaudit silences the denial in the audit log; the remount is still
# refused. Keep this in mind when troubleshooting or hunting: a silenced
# denial will not show up in ausearch/sealert output.
interface(`fs_dontaudit_remount_tmpfs',`
	gen_require(`
		type tmpfs_t;
	')

	dontaudit $1 tmpfs_t:filesystem remount;
')
# Silence (not grant) directory listing of /dev nodes; see the remark on
# dontaudit above.
interface(`dev_dontaudit_list_all_dev_nodes',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:dir list_dir_perms;
')
# Make unlabeled_t files valid entry points for $1 (domain_entry_file
# grants entrypoint plus execute/read on them). NOTE(review): unlabeled_t
# is the context of files carrying no label at all, e.g. on filesystems
# without xattr support, so there is no label-based control over *which*
# binary may enter $1; pair with kernel_unlabeled_domtrans only where the
# caller side is equally trusted.
interface(`kernel_unlabeled_entry_type',`
	gen_require(`
		type unlabeled_t;
	')

	domain_entry_file($1, unlabeled_t)
')
########################################
## <summary>
##	Transition from the caller domain to a target domain by
##	executing an unlabeled (unlabeled_t) file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	Domain entered on execution.
##	</summary>
## </param>
#
interface(`kernel_unlabeled_domtrans',`
	gen_require(`
		type unlabeled_t;
	')

	# Default transition: when $1 executes an unlabeled_t file the new
	# process becomes $2. The entrypoint side ($2 on unlabeled_t) is not
	# granted here; kernel_unlabeled_entry_type($2) provides it.
	type_transition $1 unlabeled_t:process $2;
	domain_transition_pattern($1, unlabeled_t, $2)
	# Follow unlabeled symlinks on the way to the executable.
	read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
')

########################################
## <summary>
##	Write to the socket files of every pidfile-attributed type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`files_write_all_pid_sockets',`
	gen_require(`
		attribute pidfile;
	')

	# Broad on purpose: pidfile is an attribute, so this covers the
	# sock_files of every daemon that labels its run directory with it,
	# not a single service's socket.
	allow $1 pidfile:sock_file write_sock_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to mount on sysfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_mounton_sysfs',`
	gen_require(`
		type sysfs_t;
	')

	# The mount is still denied; only the audit record is suppressed.
	dontaudit $1 sysfs_t:dir mounton;
')