
     1  
     2  ## <summary>The open-source application container engine.</summary>
     3  
     4  ########################################
     5  ## <summary>
     6  ##	Execute docker in the docker domain.
     7  ## </summary>
     8  ## <param name="domain">
     9  ## <summary>
    10  ##	Domain allowed to transition.
    11  ## </summary>
    12  ## </param>
    13  #
    14  interface(`docker_domtrans',`
    15  	gen_require(`
    16  		type docker_t, docker_exec_t;
    17  	')
    18  
    19  	corecmd_search_bin($1)
    20  	domtrans_pattern($1, docker_exec_t, docker_t)
    21  ')
    22  
    23  ########################################
    24  ## <summary>
    25  ##	Execute docker in the caller domain.
    26  ## </summary>
    27  ## <param name="domain">
    28  ## <summary>
    29  ##	Domain allowed to transition.
    30  ## </summary>
    31  ## </param>
    32  #
    33  interface(`docker_exec',`
    34  	gen_require(`
    35  		type docker_exec_t;
    36  	')
    37  
    38  	corecmd_search_bin($1)
    39  	can_exec($1, docker_exec_t)
    40  ')
    41  
    42  ########################################
    43  ## <summary>
    44  ##	Search docker lib directories.
    45  ## </summary>
    46  ## <param name="domain">
    47  ##	<summary>
    48  ##	Domain allowed access.
    49  ##	</summary>
    50  ## </param>
    51  #
    52  interface(`docker_search_lib',`
    53  	gen_require(`
    54  		type docker_var_lib_t;
    55  	')
    56  
    57  	allow $1 docker_var_lib_t:dir search_dir_perms;
    58  	files_search_var_lib($1)
    59  ')
    60  
    61  ########################################
    62  ## <summary>
    63  ##	Execute docker lib directories.
    64  ## </summary>
    65  ## <param name="domain">
    66  ##	<summary>
    67  ##	Domain allowed access.
    68  ##	</summary>
    69  ## </param>
    70  #
    71  interface(`docker_exec_lib',`
    72  	gen_require(`
    73  		type docker_var_lib_t;
    74  	')
    75  
    76  	allow $1 docker_var_lib_t:dir search_dir_perms;
    77  	can_exec($1, docker_var_lib_t)
    78  ')
    79  
    80  ########################################
    81  ## <summary>
    82  ##	Read docker lib files.
    83  ## </summary>
    84  ## <param name="domain">
    85  ##	<summary>
    86  ##	Domain allowed access.
    87  ##	</summary>
    88  ## </param>
    89  #
    90  interface(`docker_read_lib_files',`
    91  	gen_require(`
    92  		type docker_var_lib_t;
    93  	')
    94  
    95  	files_search_var_lib($1)
    96  	read_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
    97  ')
    98  
    99  ########################################
   100  ## <summary>
   101  ##	Read docker share files.
   102  ## </summary>
   103  ## <param name="domain">
   104  ##	<summary>
   105  ##	Domain allowed access.
   106  ##	</summary>
   107  ## </param>
   108  #
   109  interface(`docker_read_share_files',`
   110  	gen_require(`
   111  		type docker_share_t;
   112  	')
   113  
   114  	files_search_var_lib($1)
   115  	read_files_pattern($1, docker_share_t, docker_share_t)
   116  ')
   117  
   118  ########################################
   119  ## <summary>
   120  ##	Manage docker lib files.
   121  ## </summary>
   122  ## <param name="domain">
   123  ##	<summary>
   124  ##	Domain allowed access.
   125  ##	</summary>
   126  ## </param>
   127  #
   128  interface(`docker_manage_lib_files',`
   129  	gen_require(`
   130  		type docker_var_lib_t;
   131  	')
   132  
   133  	files_search_var_lib($1)
   134  	manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
   135  	manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
   136  ')
   137  
   138  ########################################
   139  ## <summary>
   140  ##	Manage docker lib directories.
   141  ## </summary>
   142  ## <param name="domain">
   143  ##	<summary>
   144  ##	Domain allowed access.
   145  ##	</summary>
   146  ## </param>
   147  #
   148  interface(`docker_manage_lib_dirs',`
   149  	gen_require(`
   150  		type docker_var_lib_t;
   151  	')
   152  
   153  	files_search_var_lib($1)
   154  	manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t)
   155  ')
   156  
   157  ########################################
   158  ## <summary>
   159  ##	Create objects in a docker var lib directory
   160  ##	with an automatic type transition to
   161  ##	a specified private type.
   162  ## </summary>
   163  ## <param name="domain">
   164  ##	<summary>
   165  ##	Domain allowed access.
   166  ##	</summary>
   167  ## </param>
   168  ## <param name="private_type">
   169  ##	<summary>
   170  ##	The type of the object to create.
   171  ##	</summary>
   172  ## </param>
   173  ## <param name="object_class">
   174  ##	<summary>
   175  ##	The class of the object to be created.
   176  ##	</summary>
   177  ## </param>
   178  ## <param name="name" optional="true">
   179  ##	<summary>
   180  ##	The name of the object being created.
   181  ##	</summary>
   182  ## </param>
   183  #
   184  interface(`docker_lib_filetrans',`
   185  	gen_require(`
   186  		type docker_var_lib_t;
   187  	')
   188  
   189  	filetrans_pattern($1, docker_var_lib_t, $2, $3, $4)
   190  ')
   191  
   192  ########################################
   193  ## <summary>
   194  ##	Read docker PID files.
   195  ## </summary>
   196  ## <param name="domain">
   197  ##	<summary>
   198  ##	Domain allowed access.
   199  ##	</summary>
   200  ## </param>
   201  #
   202  interface(`docker_read_pid_files',`
   203  	gen_require(`
   204  		type docker_var_run_t;
   205  	')
   206  
   207  	files_search_pids($1)
   208  	read_files_pattern($1, docker_var_run_t, docker_var_run_t)
   209  ')
   210  
   211  ########################################
   212  ## <summary>
   213  ##	Execute docker server in the docker domain.
   214  ## </summary>
   215  ## <param name="domain">
   216  ##	<summary>
   217  ##	Domain allowed to transition.
   218  ##	</summary>
   219  ## </param>
   220  #
   221  interface(`docker_systemctl',`
   222  	gen_require(`
   223  		type docker_t;
   224  		type docker_unit_file_t;
   225  	')
   226  
   227  	systemd_exec_systemctl($1)
   228  	init_reload_services($1)
   229          systemd_read_fifo_file_passwd_run($1)
   230  	allow $1 docker_unit_file_t:file read_file_perms;
   231  	allow $1 docker_unit_file_t:service manage_service_perms;
   232  
   233  	ps_process_pattern($1, docker_t)
   234  ')
   235  
   236  ########################################
   237  ## <summary>
   238  ##	Read and write docker shared memory.
   239  ## </summary>
   240  ## <param name="domain">
   241  ##	<summary>
   242  ##	Domain allowed access.
   243  ##	</summary>
   244  ## </param>
   245  #
   246  interface(`docker_rw_sem',`
   247  	gen_require(`
   248  		type docker_t;
   249  	')
   250  
   251  	allow $1 docker_t:sem rw_sem_perms;
   252  ')
   253  
   254  #######################################
   255  ## <summary>
   256  ##  Read and write the docker pty type.
   257  ## </summary>
   258  ## <param name="domain">
   259  ##  <summary>
   260  ##  Domain allowed access.
   261  ##  </summary>
   262  ## </param>
   263  #
   264  interface(`docker_use_ptys',`
   265      gen_require(`
   266          type docker_devpts_t;
   267      ')
   268  
   269      allow $1 docker_devpts_t:chr_file rw_term_perms;
   270  ')
   271  
   272  #######################################
   273  ## <summary>
   274  ##      Allow domain to create docker content
   275  ## </summary>
   276  ## <param name="domain">
   277  ##      <summary>
   278  ##      Domain allowed access.
   279  ##      </summary>
   280  ## </param>
   281  #
   282  interface(`docker_filetrans_named_content',`
   283  
   284      gen_require(`
   285          type docker_var_lib_t;
   286          type docker_share_t;
   287  	type docker_log_t;
   288  	    type docker_var_run_t;
   289          type docker_home_t;
   290      ')
   291  
   292      files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
   293      files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
   294      files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
   295      files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
   296      filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
   297      filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
   298      filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
   299      filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf")
   300      filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
   301      userdom_admin_home_dir_filetrans($1, docker_home_t, dir, ".docker")
   302  ')
   303  
   304  ########################################
   305  ## <summary>
   306  ##	Connect to docker over a unix stream socket.
   307  ## </summary>
   308  ## <param name="domain">
   309  ##	<summary>
   310  ##	Domain allowed access.
   311  ##	</summary>
   312  ## </param>
   313  #
   314  interface(`docker_stream_connect',`
   315  	gen_require(`
   316  		type docker_t, docker_var_run_t;
   317  	')
   318  
   319  	files_search_pids($1)
   320  	stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
   321  ')
   322  
   323  ########################################
   324  ## <summary>
   325  ##	Connect to SPC containers over a unix stream socket.
   326  ## </summary>
   327  ## <param name="domain">
   328  ##	<summary>
   329  ##	Domain allowed access.
   330  ##	</summary>
   331  ## </param>
   332  #
   333  interface(`docker_spc_stream_connect',`
   334  	gen_require(`
   335  		type spc_t, spc_var_run_t;
   336  	')
   337  
   338  	files_search_pids($1)
   339  	files_write_all_pid_sockets($1)
   340  	allow $1 spc_t:unix_stream_socket connectto;
   341  ')
   342  
   343  
   344  ########################################
   345  ## <summary>
   346  ##	All of the rules required to administrate
   347  ##	an docker environment
   348  ## </summary>
   349  ## <param name="domain">
   350  ##	<summary>
   351  ##	Domain allowed access.
   352  ##	</summary>
   353  ## </param>
   354  #
   355  interface(`docker_admin',`
   356  	gen_require(`
   357  		type docker_t;
   358  		type docker_var_lib_t, docker_var_run_t;
   359  		type docker_unit_file_t;
   360  		type docker_lock_t;
   361  		type docker_log_t;
   362  		type docker_config_t;
   363  	')
   364  
   365  	allow $1 docker_t:process { ptrace signal_perms };
   366  	ps_process_pattern($1, docker_t)
   367  
   368  	admin_pattern($1, docker_config_t)
   369  
   370  	files_search_var_lib($1)
   371  	admin_pattern($1, docker_var_lib_t)
   372  
   373  	files_search_pids($1)
   374  	admin_pattern($1, docker_var_run_t)
   375  
   376  	files_search_locks($1)
   377  	admin_pattern($1, docker_lock_t)
   378  
   379  	logging_search_logs($1)
   380  	admin_pattern($1, docker_log_t)
   381  
   382  	docker_systemctl($1)
   383  	admin_pattern($1, docker_unit_file_t)
   384  	allow $1 docker_unit_file_t:service all_service_perms;
   385  
   386  	optional_policy(`
   387  		systemd_passwd_agent_exec($1)
   388  		systemd_read_fifo_file_passwd_run($1)
   389  	')
   390  ')
   391  
   392  interface(`domain_stub_named_filetrans_domain',`
   393      gen_require(`
   394          attribute named_filetrans_domain;
   395      ')
   396  ')
   397  
   398  interface(`lvm_stub',`
   399      gen_require(`
   400          type lvm_t;
   401      ')
   402  ')
   403  interface(`staff_stub',`
   404      gen_require(`
   405          type staff_t;
   406      ')
   407  ')
   408  interface(`virt_stub_svirt_sandbox_domain',`
   409  	gen_require(`
   410  		attribute svirt_sandbox_domain;
   411  	')
   412  ')
   413  interface(`virt_stub_svirt_sandbox_file',`
   414  	gen_require(`
   415  		type svirt_sandbox_file_t;
   416  	')
   417  ')
   418  interface(`fs_dontaudit_remount_tmpfs',`
   419  	gen_require(`
   420  		type tmpfs_t;
   421  	')
   422  
   423  	dontaudit $1 tmpfs_t:filesystem remount;
   424  ')
   425  interface(`dev_dontaudit_list_all_dev_nodes',`
   426  	gen_require(`
   427  		type device_t;
   428  	')
   429  
   430  	dontaudit $1 device_t:dir list_dir_perms;
   431  ')
   432  interface(`kernel_unlabeled_entry_type',`
   433  	gen_require(`
   434  		type unlabeled_t;
   435  	')
   436  
   437  	domain_entry_file($1, unlabeled_t)
   438  ')
   439  interface(`kernel_unlabeled_domtrans',`
   440  	gen_require(`
   441  		type unlabeled_t;
   442  	')
   443  
   444  	read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
   445  	domain_transition_pattern($1, unlabeled_t, $2)
   446  	type_transition $1 unlabeled_t:process $2;
   447  ')
   448  interface(`files_write_all_pid_sockets',`
   449  	gen_require(`
   450  		attribute pidfile;
   451  	')
   452  
   453  	allow $1 pidfile:sock_file write_sock_file_perms;
   454  ')
   455  interface(`dev_dontaudit_mounton_sysfs',`
   456  	gen_require(`
   457  		type sysfs_t;
   458  	')
   459  
   460  	dontaudit $1 sysfs_t:dir mounton;
   461  ')