policy_module(docker, 1.0.0)

########################################
#
# Declarations
#

# Default is off: outbound TCP from the daemon is then limited to the ports
# granted explicitly further down (http and commplex_main); everything else
# is gated behind this boolean in the tunable_policy block after the
# docker_t rules.
## <desc>
## <p>
## Determine whether docker can
## connect to all TCP ports.
## </p>
## </desc>
gen_tunable(docker_connect_any, false)

# Daemon domain and its entrypoint executable. init_daemon_domain makes an
# init/systemd-started docker_exec_t binary run as docker_t.
type docker_t;
type docker_exec_t;
init_daemon_domain(docker_t, docker_exec_t)
# Exempt docker_t from the constraints that normally forbid a transition from
# changing the SELinux user / role. Presumably needed because the daemon
# launches container processes under labels it chooses (setexec /
# setfscreate below, virt_transition_svirt_sandbox later in the file).
# This is a trust grant: docker_t may hand out identities other than its own.
domain_subj_id_change_exemption(docker_t)
domain_role_change_exemption(docker_t)

# spc_t: the domain docker_t transitions into when it executes content
# labelled docker_share_t / docker_var_lib_t or unlabelled content (see the
# "spc local policy" section). That section makes spc_t
# unconfined_domain_noaudit when the unconfined module is loaded, so treat
# spc_t as root-equivalent.
type spc_t;
domain_type(spc_t)
role system_r types spc_t;

# Declared here but not referenced by any rule in this .te; presumably used
# from docker.if / docker.fc (not visible here) -- TODO confirm.
type spc_var_run_t;
files_pid_file(spc_var_run_t)

type docker_var_lib_t;
files_type(docker_var_lib_t)

type docker_home_t;
userdom_user_home_content(docker_home_t)

type docker_config_t;
files_config_file(docker_config_t)

type docker_lock_t;
files_lock_file(docker_lock_t)

type docker_log_t;
logging_log_file(docker_log_t)

type docker_tmp_t;
files_tmp_file(docker_tmp_t)

type docker_tmpfs_t;
files_tmpfs_file(docker_tmpfs_t)

type docker_var_run_t;
files_pid_file(docker_var_run_t)

type docker_unit_file_t;
systemd_unit_file(docker_unit_file_t)

type docker_devpts_t;
term_pty(docker_devpts_t)

type docker_share_t;
files_type(docker_share_t)

########################################
#
# docker local policy
#
# First of two capability sets for the daemon; the second (dac_override,
# sys_admin, sys_ptrace, ...) is further down -- read both together when
# auditing. chown/fowner/fsetid/mknod/setfcap look like what unpacking image
# layers and populating a container /dev requires; net_admin/net_raw/
# net_bind_service cover bridge, firewall and port setup (presumed).
allow docker_t self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap };
allow docker_t self:tun_socket relabelto;
# setfscreate lets docker_t pick the label of files it creates (container
# content); together with the exemptions above this is how the daemon labels
# sandboxes, not a generic labelling bypass for other types.
allow docker_t self:process { getattr signal_perms setrlimit setfscreate };
allow docker_t self:fifo_file rw_fifo_file_perms;
allow docker_t self:unix_stream_socket create_stream_socket_perms;
allow docker_t self:tcp_socket create_stream_socket_perms;
allow docker_t self:udp_socket create_socket_perms;
allow docker_t self:capability2 block_suspend;

# ~/.docker in the admin's home directory: created by the daemon as
# docker_home_t via a named file transition, fully managed afterwards.
manage_files_pattern(docker_t, docker_home_t, docker_home_t)
manage_dirs_pattern(docker_t, docker_home_t, docker_home_t)
manage_lnk_files_pattern(docker_t, docker_home_t, docker_home_t)
userdom_admin_home_dir_filetrans(docker_t, docker_home_t, dir, ".docker")

# /etc/docker: created by the daemon as docker_config_t (a config file type).
manage_dirs_pattern(docker_t, docker_config_t, docker_config_t)
manage_files_pattern(docker_t, docker_config_t, docker_config_t)
files_etc_filetrans(docker_t, docker_config_t, dir, "docker")

manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
manage_files_pattern(docker_t, docker_lock_t, docker_lock_t)

# Log content: full manage plus relabelfrom/relabelto on docker_log_t itself.
# On its own this rule does not let the daemon move files into or out of
# other types; it only covers relabels within docker_log_t.
manage_dirs_pattern(docker_t, docker_log_t, docker_log_t)
manage_files_pattern(docker_t, docker_log_t, docker_log_t)
manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t)
logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file })
allow docker_t docker_log_t:dir_file_class_set { relabelfrom relabelto };

manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t)
manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file })

# tmpfs content owned by the daemon, including device nodes (chr/blk).
# Two security-relevant grants here: can_exec lets docker_t execute code
# from a location it also writes, and chr_file mounton lets it bind-mount
# over device nodes (presumably when assembling a container /dev -- not
# shown in this file).
manage_dirs_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
manage_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
manage_lnk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
manage_blk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
allow docker_t docker_tmpfs_t:dir relabelfrom;
can_exec(docker_t, docker_tmpfs_t)
fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file })
allow docker_t docker_tmpfs_t:chr_file mounton;

# docker_share_t: shared docker content (paths come from docker.fc, not shown)
# that the daemon fully manages. The group continues below with the symlink,
# relabel and exec rules for the same type.
manage_dirs_pattern(docker_t, docker_share_t, docker_share_t)
manage_files_pattern(docker_t, docker_share_t, docker_share_t)

manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t)
allow docker_t docker_share_t:dir_file_class_set { relabelfrom relabelto };

# docker_share_t content is executable by the daemon itself, and is also a
# domain entrypoint for spc_t in the "spc local policy" section below.
can_exec(docker_t, docker_share_t)
# Disabled here on purpose: the named file transitions from docker.if are
# applied to the named_filetrans_domain attribute in the "docker upstream
# policy" section at the end of this file instead.
#docker_filetrans_named_content(docker_t)

# The daemon's directory under /var/lib (image layers, container root
# filesystems): full manage including char/block device nodes (see mknod in
# the capability set above) and relabel within docker_var_lib_t. Anything
# docker_t creates directly in var_lib_t is typed docker_var_lib_t.
manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto };
files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file })

# Runtime state under /var/run: pid files and sockets (the sock_file here is
# presumably the daemon API socket). Whoever can connect to that socket
# controls the daemon; the domains allowed to do so are granted via
# docker_stream_connect / docker_spc_stream_connect at the end of the file.
manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t)
manage_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
manage_sock_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file })

# Ptys the daemon creates (container terminals) are typed docker_devpts_t;
# the daemon may use, chown/chmod and relabel them away from that type.
allow docker_t docker_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(docker_t, docker_devpts_t)

# Kernel state: read all of /proc and every sysctl, write network sysctls
# (presumably ip_forward and friends), and change scheduling of kernel
# threads.
kernel_read_system_state(docker_t)
kernel_read_network_state(docker_t)
kernel_read_all_sysctls(docker_t)
kernel_rw_net_sysctls(docker_t)
kernel_setsched(docker_t)
kernel_read_all_proc(docker_t)

domain_use_interactive_fds(docker_t)
# dontaudit only: reads of other domains' process state stay denied, they
# are just not logged.
domain_dontaudit_read_all_domains_state(docker_t)

# The daemon may run system binaries and shells in its own domain (no
# transition), so anything under bin_t/shell_exec_t runs with docker_t's
# privileges.
corecmd_exec_bin(docker_t)
corecmd_exec_shell(docker_t)

# Networking: the daemon may bind any TCP port (published container ports),
# but its outbound TCP connects are limited to the http port here and the
# commplex_main port on the next line, unless docker_connect_any is enabled.
corenet_tcp_bind_generic_node(docker_t)
corenet_tcp_sendrecv_generic_if(docker_t)
corenet_tcp_sendrecv_generic_node(docker_t)
corenet_tcp_sendrecv_generic_port(docker_t)
corenet_tcp_bind_all_ports(docker_t)
corenet_tcp_connect_http_port(docker_t)

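# Outbound TCP to the commplex_main port (5000/tcp in refpolicy's corenetwork
# definitions; presumably a local registry). Together with the http port rule
# above this is the daemon's whole default outbound TCP surface -- anything
# else requires the docker_connect_any boolean.
corenet_tcp_connect_commplex_main_port(docker_t)
# UDP: bind and send/receive on any port (container DNS / overlay traffic --
# presumed, not shown here).
corenet_udp_sendrecv_generic_if(docker_t)
corenet_udp_sendrecv_generic_node(docker_t)
corenet_udp_sendrecv_all_ports(docker_t)
corenet_udp_bind_generic_node(docker_t)
corenet_udp_bind_all_ports(docker_t)

files_read_config_files(docker_t)
# dontaudit only: stat() of arbitrary files/dirs is still denied, just not
# logged.
files_dontaudit_getattr_all_dirs(docker_t)
files_dontaudit_getattr_all_files(docker_t)

fs_read_cgroup_files(docker_t)
fs_read_tmpfs_symlinks(docker_t)
fs_search_all(docker_t)
fs_getattr_all_fs(docker_t)

# Raw read/write of fixed-disk block devices. This bypasses every file label
# on those disks and is host-compromise-level access; presumably required by
# block-based storage drivers (devicemapper). Confirm the storage driver in
# use still needs it, and drop it otherwise.
storage_raw_rw_fixed_disk(docker_t)

auth_use_nsswitch(docker_t)
# Silences AVCs from stat() on the shadow file; no read access is granted.
auth_dontaudit_getattr_shadow(docker_t)

init_read_state(docker_t)
init_status(docker_t)

logging_send_audit_msgs(docker_t)
logging_send_syslog_msg(docker_t)

miscfiles_read_localization(docker_t)

# Transitions into other privileged helper domains: mount_t here, fstools_t
# and iptables_t in the optional blocks below when those modules exist.
# Anything those domains may do is reachable from docker_t.
mount_domtrans(docker_t)

seutil_read_default_contexts(docker_t)
seutil_read_config(docker_t)

sysnet_dns_name_resolve(docker_t)
sysnet_exec_ifconfig(docker_t)

optional_policy(`
	# rpm_exec was listed twice in the original; the duplicate was dropped
	# (identical rules merge, so no access changes).
	rpm_exec(docker_t)
	rpm_read_db(docker_t)
')

optional_policy(`
	fstools_domtrans(docker_t)
')

optional_policy(`
	iptables_domtrans(docker_t)
')

optional_policy(`
	openvswitch_stream_connect(docker_t)
')

# Second capability set (the first is in "docker local policy" above).
# dac_override + sys_admin + sys_ptrace + setuid/setgid are root-equivalent
# on their own: the daemon can read any file regardless of mode bits, mount
# and enter namespaces, and inspect/attach to other processes. sys_boot
# (reboot/kexec) looks out of place for a container daemon -- TODO confirm
# why it is needed.
allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace };

# setexec: choose the SELinux context of the next exec. With the subject/role
# exemptions in Declarations this is how the daemon launches container
# processes under sandbox labels.
allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms };

# The original had a stray ";;" on the netlink_route_socket rule (an empty
# statement); removed as a typo.
allow docker_t self:netlink_route_socket rw_netlink_socket_perms;
allow docker_t self:netlink_audit_socket create_netlink_socket_perms;
allow docker_t self:unix_dgram_socket { create_socket_perms sendto };
allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto };

# Mount over directories and device nodes under the daemon's /var/lib tree
# (container rootfs and /dev setup -- presumed).
allow docker_t docker_var_lib_t:dir mounton;
allow docker_t docker_var_lib_t:chr_file mounton;
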
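# Executing content under the daemon's /var/lib tree (image layers, container
# rootfs). This is a plain can_exec: the file runs as docker_t itself. The
# domtrans_pattern rules in "spc local policy" below make the same content
# transition into spc_t when used as an entrypoint.
can_exec(docker_t, docker_var_lib_t)

kernel_dontaudit_setsched(docker_t)
kernel_get_sysvipc_info(docker_t)
# Kernel module auto-loading, plus modutils_domtrans_insmod further down:
# the daemon can pull kernel modules in (presumably for network/storage
# drivers). This is kernel-level trust.
kernel_request_load_module(docker_t)
kernel_mounton_messages(docker_t)
kernel_mounton_all_proc(docker_t)
kernel_mounton_all_sysctls(docker_t)
# Unlabelled executables: spc_t may be entered from them, and docker_t
# executing one transitions into spc_t. Because spc_t is made unconfined
# further down (when the unconfined module is loaded), an unlabelled binary
# reachable by the daemon effectively runs unconfined. Keep container
# storage correctly labelled.
kernel_unlabeled_entry_type(spc_t)
kernel_unlabeled_domtrans(docker_t, spc_t)

dev_getattr_all(docker_t)
dev_getattr_sysfs_fs(docker_t)
dev_read_urand(docker_t)
dev_read_lvm_control(docker_t)
dev_rw_sysfs(docker_t)
# loop and LVM control devices: storage-driver plumbing (presumed). Write
# access to these is host-level privilege.
dev_rw_loop_control(docker_t)
dev_rw_lvm_control(docker_t)

# Files carrying only an initial SID (unlabelled content, e.g. filesystems
# without xattr labels): the daemon may create, modify, execute and mount
# over them. Broad by design; together with kernel_unlabeled_domtrans above
# this is the largest grant in the module apart from the unconfined blocks.
files_getattr_isid_type_dirs(docker_t)
files_manage_isid_type_dirs(docker_t)
files_manage_isid_type_files(docker_t)
files_manage_isid_type_symlinks(docker_t)
files_manage_isid_type_chr_files(docker_t)
files_manage_isid_type_blk_files(docker_t)
files_exec_isid_files(docker_t)
files_mounton_isid(docker_t)
files_mounton_non_security(docker_t)
files_mounton_isid_type_chr_file(docker_t)

# Mount/unmount/remount of every filesystem type, and cgroup management.
# (The original repeated files_mounton_isid and fs_read_tmpfs_symlinks in
# this group; both are already granted -- just above and in the fs_ rules
# earlier in the file -- so the duplicates were dropped. Identical rules
# merge, so no access changes.)
fs_mount_all_fs(docker_t)
fs_unmount_all_fs(docker_t)
fs_remount_all_fs(docker_t)
fs_manage_cgroup_dirs(docker_t)
fs_manage_cgroup_files(docker_t)
fs_relabelfrom_xattr_fs(docker_t)
fs_relabelfrom_tmpfs(docker_t)
fs_list_hugetlbfs(docker_t)

term_use_generic_ptys(docker_t)
term_use_ptmx(docker_t)
term_getattr_pty_fs(docker_t)
term_relabel_pty_fs(docker_t)
term_mounton_unallocated_ttys(docker_t)

# Explicit module loading via a transition to insmod_t (see also
# kernel_request_load_module above).
modutils_domtrans_insmod(docker_t)

# Can query any unit and start services through systemd -- not limited to
# docker's own units. Worth reviewing if the daemon's real need is only the
# transient scopes created via init_start_transient_unit below.
systemd_status_all_unit_files(docker_t)
systemd_start_systemd_services(docker_t)

# User home content and /proc state of all user processes, plus relabel
# rights over user home/tmp files (bind-mounted volumes -- presumed).
userdom_stream_connect(docker_t)
userdom_search_user_home_content(docker_t)
userdom_read_all_users_state(docker_t)
userdom_relabel_user_home_files(docker_t)
userdom_relabel_user_tmp_files(docker_t)
userdom_relabel_user_tmp_dirs(docker_t)

optional_policy(`
	gpm_getattr_gpmctl(docker_t)
')

optional_policy(`
	# System-bus client; talks to systemd (transient units for container
	# scopes) and, when present, logind and firewalld.
	dbus_system_bus_client(docker_t)
	init_dbus_chat(docker_t)
	init_start_transient_unit(docker_t)

	optional_policy(`
		systemd_dbus_chat_logind(docker_t)
	')

	optional_policy(`
		firewalld_dbus_chat(docker_t)
	')
')

optional_policy(`
	udev_read_db(docker_t)
')

optional_policy(`
	# Container processes run as svirt sandbox domains entered through
	# virt_transition_svirt_sandbox, not as docker_t. The sandbox file,
	# socket and relabel rules here are what the daemon needs to build and
	# attach to those sandboxes.
	virt_read_config(docker_t)
	virt_exec(docker_t)
	virt_stream_connect(docker_t)
	virt_stream_connect_sandbox(docker_t)
	virt_exec_sandbox_files(docker_t)
	virt_manage_sandbox_files(docker_t)
	virt_relabel_sandbox_filesystem(docker_t)
	virt_transition_svirt_sandbox(docker_t, system_r)
	virt_mounton_sandbox_file(docker_t)
	# virt_attach_sandbox_tun_iface(docker_t)
	# Raw rule used instead of the commented interface above. It relies on
	# one of the virt_* interfaces in this block requiring the
	# svirt_sandbox_domain attribute -- TODO confirm, else add a gen_require.
	allow docker_t svirt_sandbox_domain:tun_socket relabelfrom;
')

# Opt-in: unrestricted outbound TCP for the daemon (registries on
# non-standard ports, etc.). Off by default -- see gen_tunable at the top.
tunable_policy(`docker_connect_any',`
	corenet_tcp_connect_all_ports(docker_t)
	corenet_sendrecv_all_packets(docker_t)
	corenet_tcp_sendrecv_all_ports(docker_t)
')

########################################
#
# spc local policy
#
# spc_t is entered when docker_t executes docker_share_t or docker_var_lib_t
# content (and unlabelled content, see kernel_unlabeled_domtrans above).
# The role binding "role system_r types spc_t;" lives in Declarations; the
# duplicate copy and the repeated domain_entry_file lines that were here
# have been removed (identical statements merge, so no access changes).
domain_entry_file(spc_t, docker_share_t)
domain_entry_file(spc_t, docker_var_lib_t)
domtrans_pattern(docker_t, docker_share_t, spc_t)
domtrans_pattern(docker_t, docker_var_lib_t, spc_t)
allow docker_t spc_t:process { setsched signal_perms };
ps_process_pattern(docker_t, spc_t)
allow docker_t spc_t:socket_class_set { relabelto relabelfrom };

optional_policy(`
	dbus_chat_system_bus(spc_t)
')

# With the unconfined module loaded, spc_t is fully unconfined and none of
# its denials are audited. This is the "super privileged container" model:
# any process that reaches spc_t is root on the host as far as SELinux is
# concerned.
optional_policy(`
	unconfined_domain_noaudit(spc_t)
')

# NOTE(review): this makes the daemon itself unconfined whenever the
# unconfined module is present, which is typically the case on
# targeted-policy distributions like the one this directory is built for.
# In that configuration every allow rule above is effectively documentation
# of intent, and the remaining value of this module is labelling (types,
# file contexts, transitions into sandbox domains). Remove this block if
# docker_t is meant to be confined.
optional_policy(`
	unconfined_domain(docker_t)
')

optional_policy(`
	virt_transition_svirt_sandbox(spc_t, system_r)
')

########################################
#
# docker upstream policy
#
# Grants to other domains over docker-owned content. The docker_* interfaces
# are defined in docker.if (not shown here); the *_stub() interfaces only
# pull the referenced types into this module's requirements so the optional
# blocks compile when those modules exist.

optional_policy(`
	# domain_stub_named_filetrans_domain()
	gen_require(`
		attribute named_filetrans_domain;
	')

	docker_filetrans_named_content(named_filetrans_domain)
')

optional_policy(`
	lvm_stub()
	docker_rw_sem(lvm_t)
')

# staff_t may run the docker client and connect to the daemon socket. The
# daemon API is root-equivalent (it can start privileged containers and
# mount host paths), so this extends that power to staff_t subject only to
# DAC on the socket (docker group membership).
optional_policy(`
	staff_stub()
	docker_stream_connect(staff_t)
	docker_exec(staff_t)
')

# What containers (svirt sandbox domains) may do with docker-owned content:
# read docker_share_t, create sockets under the daemon's /var/lib tree typed
# as sandbox files, use the daemon's ptys and connect to spc_t sockets.
optional_policy(`
	virt_stub_svirt_sandbox_domain()
	virt_stub_svirt_sandbox_file()
	allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms;
	docker_read_share_files(svirt_sandbox_domain)
	docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
	docker_use_ptys(svirt_sandbox_domain)
	docker_spc_stream_connect(svirt_sandbox_domain)
	fs_list_tmpfs(svirt_sandbox_domain)
	fs_rw_hugetlbfs_files(svirt_sandbox_domain)
	fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
	dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)

	tunable_policy(`virt_sandbox_use_fusefs',`
		fs_manage_fusefs_dirs(svirt_sandbox_domain)
		fs_manage_fusefs_files(svirt_sandbox_domain)
		fs_manage_fusefs_symlinks(svirt_sandbox_domain)
	')
	gen_require(`
		attribute domain;
	')

	# Containers probing other domains' kernel keyrings stay denied; this
	# only silences the resulting AVC noise and grants nothing.
	dontaudit svirt_sandbox_domain domain:key {search link};
')

optional_policy(`
	gen_require(`
		type pcp_pmcd_t;
	')
	# pcp_pmcd_t (presumably the PCP collector, per the type name) may manage
	# files under the daemon's /var/lib tree.
	docker_manage_lib_files(pcp_pmcd_t)
')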