## <summary>The open-source application container engine.</summary>
#
# Interfaces exported by the docker policy module. Each interface() below
# grants the caller domain ($1) one specific set of accesses to
# docker-labeled objects, so other modules can be given exactly the access
# they need. The "## <summary>" / "## <param>" blocks are read by the
# reference policy documentation tools and must keep their XML form.
#
# NOTE(review): the systemd_dbus_chat_machined, virt_sandbox_entrypoint,
# virt_dbus_chat, virt_sandbox_read_state, virt_signal_sandbox,
# virt_getattr_sandbox_filesystem and virt_read_sandbox_files interfaces at
# the end of this file are outside the docker_ namespace; they are defined
# here, so a base policy that already provides interfaces of those names may
# conflict with this module.

########################################
## <summary>
##	Execute docker in the docker domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`docker_domtrans',`
	gen_require(`
		type docker_t, docker_exec_t;
	')

	# the caller needs search on bin directories to reach the executable
	corecmd_search_bin($1)
	# executing a docker_exec_t file from $1 moves the new process into docker_t
	domtrans_pattern($1, docker_exec_t, docker_t)
')

########################################
## <summary>
##	Execute docker in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`docker_exec',`
	gen_require(`
		type docker_exec_t;
	')

	corecmd_search_bin($1)
	# no domain change: the docker binary runs with the privileges of $1
	can_exec($1, docker_exec_t)
')

########################################
## <summary>
##	Search docker lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_search_lib',`
	gen_require(`
		type docker_var_lib_t;
	')

	allow $1 docker_var_lib_t:dir search_dir_perms;
	# search on the var_lib_t parent is needed to reach docker_var_lib_t at all
	files_search_var_lib($1)
')

########################################
## <summary>
##	Execute docker lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_exec_lib',`
	gen_require(`
		type docker_var_lib_t;
	')

	allow $1 docker_var_lib_t:dir search_dir_perms;
	# grants execute on files carrying the docker lib label, i.e. on content
	# stored under the docker lib tree; this is an exec grant, not a read grant.
	# NOTE(review): unlike docker_search_lib this does not call
	# files_search_var_lib, so the caller must obtain var_lib_t search elsewhere.
	can_exec($1, docker_var_lib_t)
')

########################################
## <summary>
##	Read docker lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_read_lib_files',`
	gen_require(`
		type docker_var_lib_t;
	')

	files_search_var_lib($1)
	# read files of type docker_var_lib_t inside docker_var_lib_t directories
	read_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
')

########################################
## <summary>
##	Read docker share files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_read_share_files',`
	gen_require(`
		type docker_share_t;
	')

	files_search_var_lib($1)
	# directory listing, file read and symlink read on docker_share_t content
	list_dirs_pattern($1, docker_share_t, docker_share_t)
	read_files_pattern($1, docker_share_t, docker_share_t)
	read_lnk_files_pattern($1, docker_share_t, docker_share_t)
')

######################################
## <summary>
##	Allow the specified domain to execute docker shared files
##	in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_exec_share_files',`
	gen_require(`
		type docker_share_t;
	')

	# exec without domain transition; the process stays in $1.
	# NOTE(review): no files_search_var_lib here, in contrast to
	# docker_read_share_files; callers need that search permission from elsewhere.
	can_exec($1, docker_share_t)
')

########################################
## <summary>
##	Manage docker lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_manage_lib_files',`
	gen_require(`
		type docker_var_lib_t;
	')

	files_search_var_lib($1)
	# create, read, write, rename and delete files and symlinks in the lib tree
	manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
	manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
')

########################################
## <summary>
##	Manage docker lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_manage_lib_dirs',`
	gen_require(`
		type docker_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t)
')

########################################
## <summary>
##	Create objects in a docker var lib directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`docker_lib_filetrans',`
	gen_require(`
		type docker_var_lib_t;
	')

	# $2 = private type, $3 = object class, $4 = optional object name:
	# objects $1 creates inside docker_var_lib_t get type $2 instead of
	# inheriting the parent directory label
	filetrans_pattern($1, docker_var_lib_t, $2, $3, $4)
')

########################################
## <summary>
##	Read docker PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_read_pid_files',`
	gen_require(`
		type docker_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, docker_var_run_t, docker_var_run_t)
')

########################################
## <summary>
##	Execute systemctl in the caller domain and
##	manage the docker service unit.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_systemctl',`
	gen_require(`
		type docker_t;
		type docker_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	# read the unit file and control the docker service through it
	allow $1 docker_unit_file_t:file read_file_perms;
	allow $1 docker_unit_file_t:service manage_service_perms;

	# ps-style read of docker_t process state (e.g. for systemctl status)
	ps_process_pattern($1, docker_t)
')

########################################
## <summary>
##	Read and write docker semaphores.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_rw_sem',`
	gen_require(`
		type docker_t;
	')

	# the object class here is sem (SysV semaphores owned by docker_t)
	allow $1 docker_t:sem rw_sem_perms;
')

#######################################
## <summary>
##	Read and write the docker pty type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_use_ptys',`
	gen_require(`
		type docker_devpts_t;
	')

	allow $1 docker_devpts_t:chr_file rw_term_perms;
')

#######################################
## <summary>
##	Allow domain to create docker content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_filetrans_named_content',`

	gen_require(`
		type docker_var_lib_t;
		type docker_share_t;
		type docker_log_t;
		type docker_var_run_t;
		type docker_home_t;
	')

	# name-based type transitions: when $1 creates an object with one of these
	# exact names in the given parent, it is labeled with the docker-private
	# type rather than the generic parent type, so the private labels apply
	# even when the creator is not docker_t itself
	files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
	files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
	files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
	logging_log_filetrans($1, docker_log_t, dir, "lxc")
	files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
	# container-visible config files under the docker lib tree get docker_share_t
	filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
	filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
	filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
	filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf")
	filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
	# the admin home .docker directory gets its own type
	userdom_admin_home_dir_filetrans($1, docker_home_t, dir, ".docker")
')

########################################
## <summary>
##	Connect to docker over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_stream_connect',`
	gen_require(`
		type docker_t, docker_var_run_t;
	')

	files_search_pids($1)
	# connectto on the daemon socket (the docker.sock created by
	# docker_filetrans_named_content carries docker_var_run_t) with docker_t
	# as the peer; this is the daemon control channel, so it is a
	# high-value grant and should go only to domains that need the daemon API
	stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
')

########################################
## <summary>
##	Connect to SPC containers over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_spc_stream_connect',`
	gen_require(`
		type spc_t, spc_var_run_t;
	')

	files_search_pids($1)
	# NOTE(review): spc_var_run_t is required above but never used; write
	# access is instead granted to every pid socket file via
	# files_write_all_pid_sockets, which is much broader than the
	# stream_connect_pattern form used by docker_stream_connect. A tighter
	# variant would be stream_connect_pattern($1, spc_var_run_t, spc_var_run_t, spc_t),
	# provided SPC sockets are actually labeled spc_var_run_t - confirm before narrowing.
	files_write_all_pid_sockets($1)
	allow $1 spc_t:unix_stream_socket connectto;
')

########################################
## <summary>
##	All of the rules required to administrate
##	a docker environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_admin',`
	gen_require(`
		type docker_t;
		type docker_var_lib_t, docker_var_run_t;
		type docker_unit_file_t;
		type docker_lock_t;
		type docker_log_t;
		type docker_config_t;
	')

	# ptrace lets $1 attach to and inspect docker_t processes; combined with
	# signal_perms this is full control over the daemon process, so this
	# interface is meant for administrative domains only
	allow $1 docker_t:process { ptrace signal_perms };
	ps_process_pattern($1, docker_t)

	# admin_pattern grants full management of each docker object type,
	# each preceded by the search permission needed to reach it
	admin_pattern($1, docker_config_t)

	files_search_var_lib($1)
	admin_pattern($1, docker_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, docker_var_run_t)

	files_search_locks($1)
	admin_pattern($1, docker_lock_t)

	logging_search_logs($1)
	admin_pattern($1, docker_log_t)

	# service control: docker_systemctl plus every service permission on the unit
	docker_systemctl($1)
	admin_pattern($1, docker_unit_file_t)
	allow $1 docker_unit_file_t:service all_service_perms;

	# only applies when the systemd module is present in the policy
	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
')

########################################
## <summary>
##	Execute docker_auth_exec_t in the docker_auth domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`docker_auth_domtrans',`
	gen_require(`
		type docker_auth_t, docker_auth_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, docker_auth_exec_t, docker_auth_t)
')

######################################
## <summary>
##	Execute docker_auth in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_auth_exec',`
	gen_require(`
		type docker_auth_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, docker_auth_exec_t)
')

########################################
## <summary>
##	Connect to docker_auth over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_auth_stream_connect',`
	gen_require(`
		type docker_auth_t, docker_plugin_var_run_t;
	')

	files_search_pids($1)
	# the auth plugin socket lives in the plugin pid directory type, with
	# docker_auth_t as the peer domain
	stream_connect_pattern($1, docker_plugin_var_run_t, docker_plugin_var_run_t, docker_auth_t)
')

########################################
## <summary>
##	docker domain typebounds calling domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to be typebound.
##	</summary>
## </param>
#
interface(`docker_typebounds',`
	gen_require(`
		type docker_t;
	')

	# $1 becomes a bounded type of docker_t: the policy compiler rejects any
	# rule that would give $1 an access docker_t does not itself have
	typebounds docker_t $1;
')

########################################
## <summary>
##	Allow any docker_exec_t to be an entrypoint of this domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`docker_entrypoint',`
	gen_require(`
		type docker_exec_t;
	')
	# entrypoint permission is what allows a process to enter $1 by executing
	# a docker_exec_t file; the matching transition rule is granted elsewhere
	allow $1 docker_exec_t:file entrypoint;
')

########################################
## <summary>
##	Send and receive messages from
##	systemd machined over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`systemd_dbus_chat_machined',`
	gen_require(`
		type systemd_machined_t;
		class dbus send_msg;
	')

	# dbus messaging in both directions
	allow $1 systemd_machined_t:dbus send_msg;
	allow systemd_machined_t $1:dbus send_msg;
	# note the direction: machined may read the process state of $1
	ps_process_pattern(systemd_machined_t, $1)
')

########################################
## <summary>
##	Allow any svirt_sandbox_file_t to be an entrypoint of this domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`virt_sandbox_entrypoint',`
	gen_require(`
		type svirt_sandbox_file_t;
	')
	# any file carrying the sandbox content label may start a process in $1
	allow $1 svirt_sandbox_file_t:file entrypoint;
')

########################################
## <summary>
##	Send and receive messages from
##	virt over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_dbus_chat',`
	gen_require(`
		type virtd_t;
		class dbus send_msg;
	')

	allow $1 virtd_t:dbus send_msg;
	allow virtd_t $1:dbus send_msg;
	# virtd may read the process state of $1
	ps_process_pattern(virtd_t, $1)
')

#######################################
## <summary>
##	Read the process state of virt sandbox containers
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_sandbox_read_state',`
	gen_require(`
		attribute svirt_sandbox_domain;
	')

	# applies to every domain carrying the svirt_sandbox_domain attribute
	ps_process_pattern($1, svirt_sandbox_domain)
')

######################################
## <summary>
##	Send a signal to sandbox domains
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_signal_sandbox',`
	gen_require(`
		attribute svirt_sandbox_domain;
	')

	# only the generic signal permission, not sigkill/sigstop or the full signal_perms set
	allow $1 svirt_sandbox_domain:process signal;
')

#######################################
## <summary>
##	Getattr Sandbox File systems
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_getattr_sandbox_filesystem',`
	gen_require(`
		type svirt_sandbox_file_t;
	')

	# filesystem-level getattr (statfs), not file getattr
	allow $1 svirt_sandbox_file_t:filesystem getattr;
')

#######################################
## <summary>
##	Read Sandbox Files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_read_sandbox_files',`
	gen_require(`
		type svirt_sandbox_file_t;
	')

	list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
	read_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
	read_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
')

#######################################
## <summary>
##	Read the process state of spc containers
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_spc_read_state',`
	gen_require(`
		type spc_t;
	')

	ps_process_pattern($1, spc_t)
')