
     1  policy_module(docker, 1.0.0)
     2  
     3  ########################################
     4  #
     5  # Declarations
     6  #
     7  
     8  ## <desc>
     9  ##  <p>
    10  ##  Determine whether docker can
    11  ##  connect to all TCP ports.
    12  ##  </p>
    13  ## </desc>
    14  gen_tunable(docker_connect_any, false)
    15  
    16  type docker_t;
    17  type docker_exec_t;
    18  init_daemon_domain(docker_t, docker_exec_t)
    19  domain_subj_id_change_exemption(docker_t)
    20  domain_role_change_exemption(docker_t)
    21  
    22  type spc_t;
    23  domain_type(spc_t)
    24  role system_r types spc_t;
    25  
    26  type docker_auth_t;
    27  type docker_auth_exec_t;
    28  init_daemon_domain(docker_auth_t, docker_auth_exec_t)
    29  
    30  type spc_var_run_t;
    31  files_pid_file(spc_var_run_t)
    32  
    33  type docker_var_lib_t;
    34  files_type(docker_var_lib_t)
    35  
    36  type docker_home_t;
    37  userdom_user_home_content(docker_home_t)
    38  
    39  type docker_config_t;
    40  files_config_file(docker_config_t)
    41  
    42  type docker_lock_t;
    43  files_lock_file(docker_lock_t)
    44  
    45  type docker_log_t;
    46  logging_log_file(docker_log_t)
    47  
    48  type docker_tmp_t;
    49  files_tmp_file(docker_tmp_t)
    50  
    51  type docker_tmpfs_t;
    52  files_tmpfs_file(docker_tmpfs_t)
    53  
    54  type docker_var_run_t;
    55  files_pid_file(docker_var_run_t)
    56  
    57  type docker_plugin_var_run_t;
    58  files_pid_file(docker_plugin_var_run_t)
    59  
    60  type docker_unit_file_t;
    61  systemd_unit_file(docker_unit_file_t)
    62  
    63  type docker_devpts_t;
    64  term_pty(docker_devpts_t)
    65  
    66  type docker_share_t;
    67  files_mountpoint(docker_share_t)
    68  
    69  type docker_port_t;
    70  corenet_port(docker_port_t)
    71  
    72  ########################################
    73  #
    74  # docker local policy
    75  #
    76  allow docker_t self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap };
    77  allow docker_t self:tun_socket relabelto;
    78  allow docker_t self:process { getattr signal_perms setrlimit setfscreate };
    79  allow docker_t self:fifo_file rw_fifo_file_perms;
    80  allow docker_t self:unix_stream_socket create_stream_socket_perms;
    81  allow docker_t self:tcp_socket create_stream_socket_perms;
    82  allow docker_t self:udp_socket create_socket_perms;
    83  allow docker_t self:capability2 block_suspend;
    84  allow docker_t docker_port_t:tcp_socket name_bind;
    85  
    86  docker_auth_stream_connect(docker_t)
    87  
    88  manage_files_pattern(docker_t, docker_home_t, docker_home_t)
    89  manage_dirs_pattern(docker_t, docker_home_t, docker_home_t)
    90  manage_lnk_files_pattern(docker_t, docker_home_t, docker_home_t)
    91  userdom_admin_home_dir_filetrans(docker_t, docker_home_t, dir, ".docker")
    92  
    93  manage_dirs_pattern(docker_t, docker_config_t, docker_config_t)
    94  manage_files_pattern(docker_t, docker_config_t, docker_config_t)
    95  files_etc_filetrans(docker_t, docker_config_t, dir, "docker")
    96  
    97  manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
    98  manage_files_pattern(docker_t, docker_lock_t, docker_lock_t)
    99  files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc")
   100  
   101  manage_dirs_pattern(docker_t, docker_log_t, docker_log_t)
   102  manage_files_pattern(docker_t, docker_log_t, docker_log_t)
   103  manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t)
   104  logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file })
   105  allow docker_t docker_log_t:dir_file_class_set { relabelfrom relabelto };
   106  filetrans_pattern(docker_t, docker_var_lib_t, docker_log_t, file, "container-json.log")
   107  
   108  manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t)
   109  manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
   110  manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
   111  files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file })
   112  
   113  manage_dirs_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
   114  manage_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
   115  manage_lnk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
   116  manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
   117  manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
   118  manage_blk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
   119  allow docker_t docker_tmpfs_t:dir relabelfrom;
   120  can_exec(docker_t, docker_tmpfs_t)
   121  fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file })
   122  allow docker_t docker_tmpfs_t:chr_file mounton;
   123  
   124  manage_dirs_pattern(docker_t, docker_share_t, docker_share_t)
   125  manage_chr_files_pattern(docker_t, docker_share_t, docker_share_t)
   126  manage_blk_files_pattern(docker_t, docker_share_t, docker_share_t)
   127  manage_files_pattern(docker_t, docker_share_t, docker_share_t)
   128  manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t)
   129  allow docker_t docker_share_t:dir_file_class_set { relabelfrom relabelto };
   130  can_exec(docker_t, docker_share_t)
   131  filetrans_pattern(docker_t, docker_var_lib_t, docker_share_t, dir, "overlay")
   132  
   133  #docker_filetrans_named_content(docker_t)
   134  
   135  manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
   136  manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
   137  manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
   138  manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
   139  manage_sock_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
   140  manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
   141  allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto };
   142  files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file })
   143  
   144  manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t)
   145  manage_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
   146  manage_fifo_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
   147  manage_sock_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
   148  manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
   149  files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file })
   150  
   151  allow docker_t docker_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
   152  term_create_pty(docker_t, docker_devpts_t)
   153  
   154  kernel_read_system_state(docker_t)
   155  kernel_read_network_state(docker_t)
   156  kernel_read_all_sysctls(docker_t)
   157  kernel_rw_net_sysctls(docker_t)
   158  kernel_setsched(docker_t)
   159  kernel_read_all_proc(docker_t)
   160  
   161  domain_use_interactive_fds(docker_t)
   162  domain_dontaudit_read_all_domains_state(docker_t)
   163  
   164  corecmd_exec_bin(docker_t)
   165  corecmd_exec_shell(docker_t)
   166  
   167  corenet_tcp_bind_generic_node(docker_t)
   168  corenet_tcp_sendrecv_generic_if(docker_t)
   169  corenet_tcp_sendrecv_generic_node(docker_t)
   170  corenet_tcp_sendrecv_generic_port(docker_t)
   171  corenet_tcp_bind_all_ports(docker_t)
   172  corenet_tcp_connect_http_port(docker_t)
   173  corenet_tcp_connect_commplex_main_port(docker_t)
   174  corenet_udp_sendrecv_generic_if(docker_t)
   175  corenet_udp_sendrecv_generic_node(docker_t)
   176  corenet_udp_sendrecv_all_ports(docker_t)
   177  corenet_udp_bind_generic_node(docker_t)
   178  corenet_udp_bind_all_ports(docker_t)
   179  
   180  files_read_config_files(docker_t)
   181  files_dontaudit_getattr_all_dirs(docker_t)
   182  files_dontaudit_getattr_all_files(docker_t)
   183  
   184  fs_read_cgroup_files(docker_t)
   185  fs_read_tmpfs_symlinks(docker_t)
   186  fs_search_all(docker_t)
   187  fs_getattr_all_fs(docker_t)
   188  
   189  storage_raw_rw_fixed_disk(docker_t)
   190  
   191  auth_use_nsswitch(docker_t)
   192  auth_dontaudit_getattr_shadow(docker_t)
   193  
   194  init_read_state(docker_t)
   195  init_status(docker_t)
   196  
   197  logging_send_audit_msgs(docker_t)
   198  logging_send_syslog_msg(docker_t)
   199  
   200  miscfiles_read_localization(docker_t)
   201  
   202  mount_domtrans(docker_t)
   203  
   204  seutil_read_default_contexts(docker_t)
   205  seutil_read_config(docker_t)
   206  
   207  sysnet_dns_name_resolve(docker_t)
   208  sysnet_exec_ifconfig(docker_t)
   209  
   210  optional_policy(`
   211  	rpm_exec(docker_t)
   212  	rpm_read_db(docker_t)
   213  	rpm_exec(docker_t)
   214  ')
   215  
   216  optional_policy(`
   217  	fstools_domtrans(docker_t)
   218  ')
   219  
   220  optional_policy(`
   221  	iptables_domtrans(docker_t)
   222  ')
   223  
   224  optional_policy(`
   225  	openvswitch_stream_connect(docker_t)
   226  ')
   227  
   228  #
   229  # lxc rules
   230  #
   231  
   232  allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace };
   233  
   234  allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms };
   235  
   236  allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;
   237  allow docker_t self:netlink_audit_socket create_netlink_socket_perms;
   238  allow docker_t self:unix_dgram_socket { create_socket_perms sendto };
   239  allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto };
   240  
   241  allow docker_t docker_var_lib_t:dir mounton;
   242  allow docker_t docker_var_lib_t:chr_file mounton;
   243  can_exec(docker_t, docker_var_lib_t)
   244  
   245  kernel_dontaudit_setsched(docker_t)
   246  kernel_get_sysvipc_info(docker_t)
   247  kernel_request_load_module(docker_t)
   248  kernel_mounton_messages(docker_t)
   249  kernel_mounton_all_proc(docker_t)
   250  kernel_mounton_all_sysctls(docker_t)
   251  
   252  dev_getattr_all(docker_t)
   253  dev_getattr_sysfs_fs(docker_t)
   254  dev_read_urand(docker_t)
   255  dev_read_lvm_control(docker_t)
   256  dev_rw_sysfs(docker_t)
   257  dev_rw_loop_control(docker_t)
   258  dev_rw_lvm_control(docker_t)
   259  
   260  files_getattr_isid_type_dirs(docker_t)
   261  files_manage_isid_type_dirs(docker_t)
   262  files_manage_isid_type_files(docker_t)
   263  files_manage_isid_type_symlinks(docker_t)
   264  files_manage_isid_type_chr_files(docker_t)
   265  files_manage_isid_type_blk_files(docker_t)
   266  files_exec_isid_files(docker_t)
   267  files_mounton_isid(docker_t)
   268  files_mounton_non_security(docker_t)
   269  files_mounton_isid_type_chr_file(docker_t)
   270  
   271  fs_mount_all_fs(docker_t)
   272  fs_unmount_all_fs(docker_t)
   273  fs_remount_all_fs(docker_t)
   274  files_mounton_isid(docker_t)
   275  fs_manage_cgroup_dirs(docker_t)
   276  fs_manage_cgroup_files(docker_t)
   277  #fs_rw_nsfs_files(docker_t)
   278  # TODO Remove This block
   279  #########################
   280  gen_require(`
   281  	type nsfs_t;
   282  ')
   283  rw_files_pattern(docker_t, nsfs_t, nsfs_t)
   284  fs_relabelfrom_xattr_fs(docker_t)
   285  fs_relabelfrom_tmpfs(docker_t)
   286  fs_read_tmpfs_symlinks(docker_t)
   287  fs_list_hugetlbfs(docker_t)
   288  
   289  term_use_generic_ptys(docker_t)
   290  term_use_ptmx(docker_t)
   291  term_getattr_pty_fs(docker_t)
   292  term_relabel_pty_fs(docker_t)
   293  term_mounton_unallocated_ttys(docker_t)
   294  
   295  modutils_domtrans_insmod(docker_t)
   296  
   297  systemd_status_all_unit_files(docker_t)
   298  systemd_start_systemd_services(docker_t)
   299  
   300  userdom_stream_connect(docker_t)
   301  userdom_search_user_home_content(docker_t)
   302  userdom_read_all_users_state(docker_t)
   303  userdom_relabel_user_home_files(docker_t)
   304  userdom_relabel_user_tmp_files(docker_t)
   305  userdom_relabel_user_tmp_dirs(docker_t)
   306  
   307  optional_policy(`
   308  	gpm_getattr_gpmctl(docker_t)
   309  ')
   310  
   311  optional_policy(`
   312  	dbus_system_bus_client(docker_t)
   313  	init_dbus_chat(docker_t)
   314  	init_start_transient_unit(docker_t)
   315  
   316  	optional_policy(`
   317  		systemd_dbus_chat_logind(docker_t)
   318  		systemd_dbus_chat_machined(docker_t)
   319  	')
   320  
   321  	optional_policy(`
   322  		firewalld_dbus_chat(docker_t)
   323  	')
   324  ')
   325  
   326  optional_policy(`
   327  	lvm_domtrans(docker_t)
   328  ')
   329  
   330  optional_policy(`
   331  	udev_read_db(docker_t)
   332  ')
   333  
   334  optional_policy(`
   335  	unconfined_domain(docker_t)
   336  #	unconfined_typebounds(docker_t)
   337  ')
   338  
   339  optional_policy(`
   340  	virt_read_config(docker_t)
   341  	virt_exec(docker_t)
   342  	virt_stream_connect(docker_t)
   343  	virt_stream_connect_sandbox(docker_t)
   344  	virt_exec_sandbox_files(docker_t)
   345  	virt_manage_sandbox_files(docker_t)
   346  	virt_relabel_sandbox_filesystem(docker_t)
   347  	# for lxc
   348  	virt_transition_svirt_sandbox(docker_t, system_r)
   349  	allow svirt_sandbox_domain docker_t:fd use;
   350  	virt_mounton_sandbox_file(docker_t)
   351  #	virt_attach_sandbox_tun_iface(docker_t)
   352  	allow docker_t svirt_sandbox_domain:tun_socket relabelfrom;
   353  	virt_sandbox_entrypoint(docker_t)	
   354  ')
   355  
   356  tunable_policy(`docker_connect_any',`
   357      corenet_tcp_connect_all_ports(docker_t)
   358      corenet_sendrecv_all_packets(docker_t)
   359      corenet_tcp_sendrecv_all_ports(docker_t)
   360  ')
   361  
   362  ########################################
   363  #
   364  # spc local policy
   365  #
   366  allow spc_t { docker_var_lib_t docker_share_t }:file entrypoint;
   367  role system_r types spc_t;
   368  
   369  domtrans_pattern(docker_t, docker_share_t, spc_t)
   370  domtrans_pattern(docker_t, docker_var_lib_t, spc_t)
   371  allow docker_t spc_t:process { setsched signal_perms };
   372  ps_process_pattern(docker_t, spc_t)
   373  allow docker_t spc_t:socket_class_set { relabelto relabelfrom };
   374  
   375  optional_policy(`
   376  	systemd_dbus_chat_machined(spc_t)
   377  	systemd_dbus_chat_logind(spc_t)
   378  ')
   379  
   380  optional_policy(`
   381  	dbus_chat_system_bus(spc_t)
   382  	dbus_chat_session_bus(spc_t)
   383  ')
   384  
   385  optional_policy(`
   386  	unconfined_domain_noaudit(spc_t)
   387  ')
   388  
   389  optional_policy(`
   390  	virt_stub_svirt_sandbox_file()
   391  	virt_transition_svirt_sandbox(spc_t, system_r)
   392  	virt_sandbox_entrypoint(spc_t)
   393  	domtrans_pattern(docker_t,svirt_sandbox_file_t, spc_t)
   394  ')
   395  
   396  ########################################
   397  #
   398  # docker_auth local policy
   399  #
   400  allow docker_auth_t self:fifo_file rw_fifo_file_perms;
   401  allow docker_auth_t self:unix_stream_socket create_stream_socket_perms;
   402  dontaudit docker_auth_t self:capability net_admin;
   403  
   404  docker_stream_connect(docker_auth_t)
   405  
   406  manage_dirs_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
   407  manage_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
   408  manage_sock_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
   409  manage_lnk_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
   410  files_pid_filetrans(docker_auth_t, docker_plugin_var_run_t, { dir file lnk_file sock_file })
   411  
   412  domain_use_interactive_fds(docker_auth_t)
   413  
   414  kernel_read_net_sysctls(docker_auth_t)
   415  
   416  auth_use_nsswitch(docker_auth_t)
   417  
   418  files_read_etc_files(docker_auth_t)
   419  
   420  miscfiles_read_localization(docker_auth_t)
   421  
   422  sysnet_dns_name_resolve(docker_auth_t)
   423  
   424  kernel_unlabeled_domtrans(docker_t, spc_t)
   425  kernel_unlabeled_entry_type(spc_t)