## <summary>The open-source application container engine.</summary>

########################################
## <summary>
##	Execute docker in the docker domain.
##	Running a docker_exec_t file from the caller
##	domain transitions the process into docker_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`docker_domtrans',`
	gen_require(`
		type docker_t, docker_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, docker_exec_t, docker_t)
')

########################################
## <summary>
##	Execute docker in the caller domain.
##	No domain transition takes place; the docker
##	binary runs with the caller's own label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_exec',`
	gen_require(`
		type docker_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, docker_exec_t)
')

########################################
## <summary>
##	Search docker lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_search_lib',`
	gen_require(`
		type docker_var_lib_t;
	')

	allow $1 docker_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
')

########################################
## <summary>
##	Execute docker lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_exec_lib',`
	gen_require(`
		type docker_var_lib_t;
	')

	allow $1 docker_var_lib_t:dir search_dir_perms;
	# NOTE(review): this grants execute on every file labeled
	# docker_var_lib_t, not on a single path; keep the set of
	# domains calling this interface small.
	can_exec($1, docker_var_lib_t)
')

########################################
## <summary>
##	Read docker lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_read_lib_files',`
	gen_require(`
		type docker_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
')

########################################
## <summary>
##	Read docker share files (list directories,
##	read files and symlinks of type docker_share_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_read_share_files',`
	gen_require(`
		type docker_share_t;
	')

	# docker_share_t content is created under docker_var_lib_t
	# (see docker_filetrans_named_content), hence the var_lib search.
	files_search_var_lib($1)
	list_dirs_pattern($1, docker_share_t, docker_share_t)
	read_files_pattern($1, docker_share_t, docker_share_t)
	read_lnk_files_pattern($1, docker_share_t, docker_share_t)
')

######################################
## <summary>
##	Allow the specified domain to execute apache
##	in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): this interface is not docker_-prefixed and acts on
# httpd_exec_t, a type owned by the apache module. If that module also
# defines an interface of the same name, the two definitions collide
# at policy build time; confirm before relying on it from other modules.
interface(`apache_exec',`
	gen_require(`
		type httpd_exec_t;
	')

	can_exec($1, httpd_exec_t)
')

######################################
## <summary>
##	Allow the specified domain to execute docker shared files
##	in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_exec_share_files',`
	gen_require(`
		type docker_share_t;
	')

	# Execute permission applies to every file labeled docker_share_t.
	can_exec($1, docker_share_t)
')

########################################
## <summary>
##	Manage docker lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_manage_lib_files',`
	gen_require(`
		type docker_var_lib_t;
	')

	files_search_var_lib($1)
	# Full create/read/write/unlink on files and symlinks of the type.
	manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
	manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
')

########################################
## <summary>
##	Manage docker lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_manage_lib_dirs',`
	gen_require(`
		type docker_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t)
')

########################################
## <summary>
##	Create objects in a docker var lib directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`docker_lib_filetrans',`
	gen_require(`
		type docker_var_lib_t;
	')

	# $4 (the object name) is optional; when omitted the transition
	# applies to any new object of class $3 created in docker_var_lib_t.
	filetrans_pattern($1, docker_var_lib_t, $2, $3, $4)
')

########################################
## <summary>
##	Read docker PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_read_pid_files',`
	gen_require(`
		type docker_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, docker_var_run_t, docker_var_run_t)
')

########################################
## <summary>
##	Allow the specified domain to manage the docker
##	service through systemctl: execute systemctl,
##	reload services, read the docker unit file,
##	perform service operations on it, and inspect
##	docker_t processes. No domain transition into
##	docker_t is granted here (see docker_domtrans).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_systemctl',`
	gen_require(`
		type docker_t;
		type docker_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 docker_unit_file_t:file read_file_perms;
	# manage_service_perms covers start/stop/status style operations
	# on the docker unit.
	allow $1 docker_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, docker_t)
')

########################################
## <summary>
##	Read and write docker semaphores
##	(sem class of the docker_t domain).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_rw_sem',`
	gen_require(`
		type docker_t;
	')

	allow $1 docker_t:sem rw_sem_perms;
')

#######################################
## <summary>
##	Read and write the docker pty type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_use_ptys',`
	gen_require(`
		type docker_devpts_t;
	')

	allow $1 docker_devpts_t:chr_file rw_term_perms;
')

#######################################
## <summary>
##	Create docker content with automatic type
##	transitions for a fixed set of well-known names
##	under /run, the log directory, /var/lib and the
##	admin home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_filetrans_named_content',`

	gen_require(`
		type docker_var_lib_t;
		type docker_share_t;
		type docker_log_t;
		type docker_var_run_t;
		type docker_home_t;
	')

	# Runtime state created in the pid directory.
	files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
	files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
	files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
	# Log directory.
	logging_log_filetrans($1, docker_log_t, dir, "lxc")
	# Top-level lib directory.
	files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
	# Per-container files created inside docker_var_lib_t get the
	# docker_share_t label so they can be granted separately
	# (see docker_read_share_files / docker_exec_share_files).
	filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
	filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
	filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
	filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf")
	filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
	# Client configuration directory in the admin home directory.
	userdom_admin_home_dir_filetrans($1, docker_home_t, dir, ".docker")
')

########################################
## <summary>
##	Connect to docker over a unix stream socket
##	of type docker_var_run_t owned by docker_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_stream_connect',`
	gen_require(`
		type docker_t, docker_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
')

########################################
## <summary>
##	Connect to SPC containers over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_spc_stream_connect',`
	gen_require(`
		type spc_t, spc_var_run_t;
	')

	files_search_pids($1)
	# NOTE(review): write access is granted to all pid sockets, not only
	# to spc_var_run_t; spc_var_run_t is required above but no rule in
	# this interface references it. A stream_connect_pattern restricted
	# to spc_var_run_t would be the narrower grant — confirm intent.
	files_write_all_pid_sockets($1)
	allow $1 spc_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	All of the rules required to administrate
##	a docker environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_admin',`
	gen_require(`
		type docker_t;
		type docker_var_lib_t, docker_var_run_t;
		type docker_unit_file_t;
		type docker_lock_t;
		type docker_log_t;
		type docker_config_t;
	')

	# ptrace on docker_t lets the admin domain attach a debugger to the
	# daemon; this is a full-control grant over the daemon process.
	allow $1 docker_t:process { ptrace signal_perms };
	ps_process_pattern($1, docker_t)

	admin_pattern($1, docker_config_t)

	files_search_var_lib($1)
	admin_pattern($1, docker_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, docker_var_run_t)

	files_search_locks($1)
	admin_pattern($1, docker_lock_t)

	logging_search_logs($1)
	admin_pattern($1, docker_log_t)

	docker_systemctl($1)
	admin_pattern($1, docker_unit_file_t)
	allow $1 docker_unit_file_t:service all_service_perms;

	# Only present when the systemd module is part of the policy.
	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
')

########################################
## <summary>
##	Execute docker_auth_exec_t in the docker_auth domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`docker_auth_domtrans',`
	gen_require(`
		type docker_auth_t, docker_auth_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, docker_auth_exec_t, docker_auth_t)
')

######################################
## <summary>
##	Execute docker_auth in the caller domain.
##	No domain transition takes place.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_auth_exec',`
	gen_require(`
		type docker_auth_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, docker_auth_exec_t)
')

########################################
## <summary>
##	Connect to docker_auth over a unix stream socket
##	of type docker_plugin_var_run_t owned by docker_auth_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_auth_stream_connect',`
	gen_require(`
		type docker_auth_t, docker_plugin_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, docker_plugin_var_run_t, docker_plugin_var_run_t, docker_auth_t)
')

########################################
## <summary>
##	docker domain typebounds calling domain.
##	The bound domain cannot be granted any permission
##	that docker_t itself does not hold.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to be typebound.
##	</summary>
## </param>
#
interface(`docker_typebounds',`
	gen_require(`
		type docker_t;
	')

	# docker_t is the parent (bounding) type, $1 the bounded child.
	typebounds docker_t $1;
')

########################################
## <summary>
##	Allow any docker_exec_t to be an entrypoint of this domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`docker_entrypoint',`
	gen_require(`
		type docker_exec_t;
	')
	# The entrypoint permission alone does not grant a transition;
	# the transition rules live in docker_domtrans.
	allow $1 docker_exec_t:file entrypoint;
')