We use cookies to ensure you get the best experience on our website
Главная Обзор Помощь
Регистрация Вход
0ct0pu5
/
moby
1
0
Ответвить 0
Файлы Задачи 0 Запросы на слияние 0 Вики
Дерево: 73c597e5f2
Ветки Метки
moby
/
contrib
/
docker-engine-selinux
/
docker.if

docker.if 9.4 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461 
  1. 

  2. ## <summary>The open-source application container engine.</summary>
    3. 

  3. 

  4. ########################################
    5. 

  5. ## <summary>
    6. 

  6. ##	Execute docker in the docker domain.
    7. 

  7. ## </summary>
    8. 

  8. ## <param name="domain">
    9. 

  9. ## <summary>
    10. 

  10. ##	Domain allowed to transition.
    11. 

  11. ## </summary>
    12. 

  12. ## </param>
    13. 

  13. #
    14. 

  14. interface(`docker_domtrans',`
    15. 

  15. 	gen_require(`
    16. 

  16. 		type docker_t, docker_exec_t;
    17. 

  17. 	')
    18. 

  18. 

  19. 	corecmd_search_bin($1)
    20. 

  20. 	domtrans_pattern($1, docker_exec_t, docker_t)
    21. 

  21. ')
    22. 

  22. 

  23. ########################################
    24. 

  24. ## <summary>
    25. 

  25. ##	Execute docker in the caller domain.
    26. 

  26. ## </summary>
    27. 

  27. ## <param name="domain">
    28. 

  28. ## <summary>
    29. 

  29. ##	Domain allowed to transition.
    30. 

  30. ## </summary>
    31. 

  31. ## </param>
    32. 

  32. #
    33. 

  33. interface(`docker_exec',`
    34. 

  34. 	gen_require(`
    35. 

  35. 		type docker_exec_t;
    36. 

  36. 	')
    37. 

  37. 

  38. 	corecmd_search_bin($1)
    39. 

  39. 	can_exec($1, docker_exec_t)
    40. 

  40. ')
    41. 

  41. 

  42. ########################################
    43. 

  43. ## <summary>
    44. 

  44. ##	Search docker lib directories.
    45. 

  45. ## </summary>
    46. 

  46. ## <param name="domain">
    47. 

  47. ##	<summary>
    48. 

  48. ##	Domain allowed access.
    49. 

  49. ##	</summary>
    50. 

  50. ## </param>
    51. 

  51. #
    52. 

  52. interface(`docker_search_lib',`
    53. 

  53. 	gen_require(`
    54. 

  54. 		type docker_var_lib_t;
    55. 

  55. 	')
    56. 

  56. 

  57. 	allow $1 docker_var_lib_t:dir search_dir_perms;
    58. 

  58. 	files_search_var_lib($1)
    59. 

  59. ')
    60. 

  60. 

  61. ########################################
    62. 

  62. ## <summary>
    63. 

  63. ##	Execute docker lib directories.
    64. 

  64. ## </summary>
    65. 

  65. ## <param name="domain">
    66. 

  66. ##	<summary>
    67. 

  67. ##	Domain allowed access.
    68. 

  68. ##	</summary>
    69. 

  69. ## </param>
    70. 

  70. #
    71. 

  71. interface(`docker_exec_lib',`
    72. 

  72. 	gen_require(`
    73. 

  73. 		type docker_var_lib_t;
    74. 

  74. 	')
    75. 

  75. 

  76. 	allow $1 docker_var_lib_t:dir search_dir_perms;
    77. 

  77. 	can_exec($1, docker_var_lib_t)
    78. 

  78. ')
    79. 

  79. 

  80. ########################################
    81. 

  81. ## <summary>
    82. 

  82. ##	Read docker lib files.
    83. 

  83. ## </summary>
    84. 

  84. ## <param name="domain">
    85. 

  85. ##	<summary>
    86. 

  86. ##	Domain allowed access.
    87. 

  87. ##	</summary>
    88. 

  88. ## </param>
    89. 

  89. #
    90. 

  90. interface(`docker_read_lib_files',`
    91. 

  91. 	gen_require(`
    92. 

  92. 		type docker_var_lib_t;
    93. 

  93. 	')
    94. 

  94. 

  95. 	files_search_var_lib($1)
    96. 

  96. 	read_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
    97. 

  97. ')
    98. 

  98. 

  99. ########################################
    100. 

  100. ## <summary>
    101. 

  101. ##	Read docker share files.
    102. 

  102. ## </summary>
    103. 

  103. ## <param name="domain">
    104. 

  104. ##	<summary>
    105. 

  105. ##	Domain allowed access.
    106. 

  106. ##	</summary>
    107. 

  107. ## </param>
    108. 

  108. #
    109. 

  109. interface(`docker_read_share_files',`
    110. 

  110. 	gen_require(`
    111. 

  111. 		type docker_share_t;
    112. 

  112. 	')
    113. 

  113. 

  114. 	files_search_var_lib($1)
    115. 

  115. 	read_files_pattern($1, docker_share_t, docker_share_t)
    116. 

  116. ')
    117. 

  117. 

  118. ########################################
    119. 

  119. ## <summary>
    120. 

  120. ##	Manage docker lib files.
    121. 

  121. ## </summary>
    122. 

  122. ## <param name="domain">
    123. 

  123. ##	<summary>
    124. 

  124. ##	Domain allowed access.
    125. 

  125. ##	</summary>
    126. 

  126. ## </param>
    127. 

  127. #
    128. 

  128. interface(`docker_manage_lib_files',`
    129. 

  129. 	gen_require(`
    130. 

  130. 		type docker_var_lib_t;
    131. 

  131. 	')
    132. 

  132. 

  133. 	files_search_var_lib($1)
    134. 

  134. 	manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
    135. 

  135. 	manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
    136. 

  136. ')
    137. 

  137. 

  138. ########################################
    139. 

  139. ## <summary>
    140. 

  140. ##	Manage docker lib directories.
    141. 

  141. ## </summary>
    142. 

  142. ## <param name="domain">
    143. 

  143. ##	<summary>
    144. 

  144. ##	Domain allowed access.
    145. 

  145. ##	</summary>
    146. 

  146. ## </param>
    147. 

  147. #
    148. 

  148. interface(`docker_manage_lib_dirs',`
    149. 

  149. 	gen_require(`
    150. 

  150. 		type docker_var_lib_t;
    151. 

  151. 	')
    152. 

  152. 

  153. 	files_search_var_lib($1)
    154. 

  154. 	manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t)
    155. 

  155. ')
    156. 

  156. 

  157. ########################################
    158. 

  158. ## <summary>
    159. 

  159. ##	Create objects in a docker var lib directory
    160. 

  160. ##	with an automatic type transition to
    161. 

  161. ##	a specified private type.
    162. 

  162. ## </summary>
    163. 

  163. ## <param name="domain">
    164. 

  164. ##	<summary>
    165. 

  165. ##	Domain allowed access.
    166. 

  166. ##	</summary>
    167. 

  167. ## </param>
    168. 

  168. ## <param name="private_type">
    169. 

  169. ##	<summary>
    170. 

  170. ##	The type of the object to create.
    171. 

  171. ##	</summary>
    172. 

  172. ## </param>
    173. 

  173. ## <param name="object_class">
    174. 

  174. ##	<summary>
    175. 

  175. ##	The class of the object to be created.
    176. 

  176. ##	</summary>
    177. 

  177. ## </param>
    178. 

  178. ## <param name="name" optional="true">
    179. 

  179. ##	<summary>
    180. 

  180. ##	The name of the object being created.
    181. 

  181. ##	</summary>
    182. 

  182. ## </param>
    183. 

  183. #
    184. 

  184. interface(`docker_lib_filetrans',`
    185. 

  185. 	gen_require(`
    186. 

  186. 		type docker_var_lib_t;
    187. 

  187. 	')
    188. 

  188. 

  189. 	filetrans_pattern($1, docker_var_lib_t, $2, $3, $4)
    190. 

  190. ')
    191. 

  191. 

  192. ########################################
    193. 

  193. ## <summary>
    194. 

  194. ##	Read docker PID files.
    195. 

  195. ## </summary>
    196. 

  196. ## <param name="domain">
    197. 

  197. ##	<summary>
    198. 

  198. ##	Domain allowed access.
    199. 

  199. ##	</summary>
    200. 

  200. ## </param>
    201. 

  201. #
    202. 

  202. interface(`docker_read_pid_files',`
    203. 

  203. 	gen_require(`
    204. 

  204. 		type docker_var_run_t;
    205. 

  205. 	')
    206. 

  206. 

  207. 	files_search_pids($1)
    208. 

  208. 	read_files_pattern($1, docker_var_run_t, docker_var_run_t)
    209. 

  209. ')
    210. 

  210. 

  211. ########################################
    212. 

  212. ## <summary>
    213. 

  213. ##	Execute docker server in the docker domain.
    214. 

  214. ## </summary>
    215. 

  215. ## <param name="domain">
    216. 

  216. ##	<summary>
    217. 

  217. ##	Domain allowed to transition.
    218. 

  218. ##	</summary>
    219. 

  219. ## </param>
    220. 

  220. #
    221. 

  221. interface(`docker_systemctl',`
    222. 

  222. 	gen_require(`
    223. 

  223. 		type docker_t;
    224. 

  224. 		type docker_unit_file_t;
    225. 

  225. 	')
    226. 

  226. 

  227. 	systemd_exec_systemctl($1)
    228. 

  228. 	init_reload_services($1)
    229. 

  229.         systemd_read_fifo_file_passwd_run($1)
    230. 

  230. 	allow $1 docker_unit_file_t:file read_file_perms;
    231. 

  231. 	allow $1 docker_unit_file_t:service manage_service_perms;
    232. 

  232. 

  233. 	ps_process_pattern($1, docker_t)
    234. 

  234. ')
    235. 

  235. 

  236. ########################################
    237. 

  237. ## <summary>
    238. 

  238. ##	Read and write docker shared memory.
    239. 

  239. ## </summary>
    240. 

  240. ## <param name="domain">
    241. 

  241. ##	<summary>
    242. 

  242. ##	Domain allowed access.
    243. 

  243. ##	</summary>
    244. 

  244. ## </param>
    245. 

  245. #
    246. 

  246. interface(`docker_rw_sem',`
    247. 

  247. 	gen_require(`
    248. 

  248. 		type docker_t;
    249. 

  249. 	')
    250. 

  250. 

  251. 	allow $1 docker_t:sem rw_sem_perms;
    252. 

  252. ')
    253. 

  253. 

  254. #######################################
    255. 

  255. ## <summary>
    256. 

  256. ##  Read and write the docker pty type.
    257. 

  257. ## </summary>
    258. 

  258. ## <param name="domain">
    259. 

  259. ##  <summary>
    260. 

  260. ##  Domain allowed access.
    261. 

  261. ##  </summary>
    262. 

  262. ## </param>
    263. 

  263. #
    264. 

  264. interface(`docker_use_ptys',`
    265. 

  265.     gen_require(`
    266. 

  266.         type docker_devpts_t;
    267. 

  267.     ')
    268. 

  268. 

  269.     allow $1 docker_devpts_t:chr_file rw_term_perms;
    270. 

  270. ')
    271. 

  271. 

  272. #######################################
    273. 

  273. ## <summary>
    274. 

  274. ##      Allow domain to create docker content
    275. 

  275. ## </summary>
    276. 

  276. ## <param name="domain">
    277. 

  277. ##      <summary>
    278. 

  278. ##      Domain allowed access.
    279. 

  279. ##      </summary>
    280. 

  280. ## </param>
    281. 

  281. #
    282. 

  282. interface(`docker_filetrans_named_content',`
    283. 

  283. 

  284.     gen_require(`
    285. 

  285.         type docker_var_lib_t;
    286. 

  286.         type docker_share_t;
    287. 

  287. 	type docker_log_t;
    288. 

  288. 	    type docker_var_run_t;
    289. 

  289.         type docker_home_t;
    290. 

  290.     ')
    291. 

  291. 

  292.     files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
    293. 

  293.     files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
    294. 

  294.     files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
    295. 

  295.     files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
    296. 

  296.     filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
    297. 

  297.     filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
    298. 

  298.     filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
    299. 

  299.     filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf")
    300. 

  300.     filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
    301. 

  301.     userdom_admin_home_dir_filetrans($1, docker_home_t, dir, ".docker")
    302. 

  302. ')
    303. 

  303. 

  304. ########################################
    305. 

  305. ## <summary>
    306. 

  306. ##	Connect to docker over a unix stream socket.
    307. 

  307. ## </summary>
    308. 

  308. ## <param name="domain">
    309. 

  309. ##	<summary>
    310. 

  310. ##	Domain allowed access.
    311. 

  311. ##	</summary>
    312. 

  312. ## </param>
    313. 

  313. #
    314. 

  314. interface(`docker_stream_connect',`
    315. 

  315. 	gen_require(`
    316. 

  316. 		type docker_t, docker_var_run_t;
    317. 

  317. 	')
    318. 

  318. 

  319. 	files_search_pids($1)
    320. 

  320. 	stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
    321. 

  321. ')
    322. 

  322. 

  323. ########################################
    324. 

  324. ## <summary>
    325. 

  325. ##	Connect to SPC containers over a unix stream socket.
    326. 

  326. ## </summary>
    327. 

  327. ## <param name="domain">
    328. 

  328. ##	<summary>
    329. 

  329. ##	Domain allowed access.
    330. 

  330. ##	</summary>
    331. 

  331. ## </param>
    332. 

  332. #
    333. 

  333. interface(`docker_spc_stream_connect',`
    334. 

  334. 	gen_require(`
    335. 

  335. 		type spc_t, spc_var_run_t;
    336. 

  336. 	')
    337. 

  337. 

  338. 	files_search_pids($1)
    339. 

  339. 	files_write_all_pid_sockets($1)
    340. 

  340. 	allow $1 spc_t:unix_stream_socket connectto;
    341. 

  341. ')
    342. 

  342. 

  343. 

  344. ########################################
    345. 

  345. ## <summary>
    346. 

  346. ##	All of the rules required to administrate
    347. 

  347. ##	an docker environment
    348. 

  348. ## </summary>
    349. 

  349. ## <param name="domain">
    350. 

  350. ##	<summary>
    351. 

  351. ##	Domain allowed access.
    352. 

  352. ##	</summary>
    353. 

  353. ## </param>
    354. 

  354. #
    355. 

  355. interface(`docker_admin',`
    356. 

  356. 	gen_require(`
    357. 

  357. 		type docker_t;
    358. 

  358. 		type docker_var_lib_t, docker_var_run_t;
    359. 

  359. 		type docker_unit_file_t;
    360. 

  360. 		type docker_lock_t;
    361. 

  361. 		type docker_log_t;
    362. 

  362. 		type docker_config_t;
    363. 

  363. 	')
    364. 

  364. 

  365. 	allow $1 docker_t:process { ptrace signal_perms };
    366. 

  366. 	ps_process_pattern($1, docker_t)
    367. 

  367. 

  368. 	admin_pattern($1, docker_config_t)
    369. 

  369. 

  370. 	files_search_var_lib($1)
    371. 

  371. 	admin_pattern($1, docker_var_lib_t)
    372. 

  372. 

  373. 	files_search_pids($1)
    374. 

  374. 	admin_pattern($1, docker_var_run_t)
    375. 

  375. 

  376. 	files_search_locks($1)
    377. 

  377. 	admin_pattern($1, docker_lock_t)
    378. 

  378. 

  379. 	logging_search_logs($1)
    380. 

  380. 	admin_pattern($1, docker_log_t)
    381. 

  381. 

  382. 	docker_systemctl($1)
    383. 

  383. 	admin_pattern($1, docker_unit_file_t)
    384. 

  384. 	allow $1 docker_unit_file_t:service all_service_perms;
    385. 

  385. 

  386. 	optional_policy(`
    387. 

  387. 		systemd_passwd_agent_exec($1)
    388. 

  388. 		systemd_read_fifo_file_passwd_run($1)
    389. 

  389. 	')
    390. 

  390. ')
    391. 

  391. 

  392. interface(`domain_stub_named_filetrans_domain',`
    393. 

  393.     gen_require(`
    394. 

  394.         attribute named_filetrans_domain;
    395. 

  395.     ')
    396. 

  396. ')
    397. 

  397. 

  398. interface(`lvm_stub',`
    399. 

  399.     gen_require(`
    400. 

  400.         type lvm_t;
    401. 

  401.     ')
    402. 

  402. ')
    403. 

  403. interface(`staff_stub',`
    404. 

  404.     gen_require(`
    405. 

  405.         type staff_t;
    406. 

  406.     ')
    407. 

  407. ')
    408. 

  408. interface(`virt_stub_svirt_sandbox_domain',`
    409. 

  409. 	gen_require(`
    410. 

  410. 		attribute svirt_sandbox_domain;
    411. 

  411. 	')
    412. 

  412. ')
    413. 

  413. interface(`virt_stub_svirt_sandbox_file',`
    414. 

  414. 	gen_require(`
    415. 

  415. 		type svirt_sandbox_file_t;
    416. 

  416. 	')
    417. 

  417. ')
    418. 

  418. interface(`fs_dontaudit_remount_tmpfs',`
    419. 

  419. 	gen_require(`
    420. 

  420. 		type tmpfs_t;
    421. 

  421. 	')
    422. 

  422. 

  423. 	dontaudit $1 tmpfs_t:filesystem remount;
    424. 

  424. ')
    425. 

  425. interface(`dev_dontaudit_list_all_dev_nodes',`
    426. 

  426. 	gen_require(`
    427. 

  427. 		type device_t;
    428. 

  428. 	')
    429. 

  429. 

  430. 	dontaudit $1 device_t:dir list_dir_perms;
    431. 

  431. ')
    432. 

  432. interface(`kernel_unlabeled_entry_type',`
    433. 

  433. 	gen_require(`
    434. 

  434. 		type unlabeled_t;
    435. 

  435. 	')
    436. 

  436. 

  437. 	domain_entry_file($1, unlabeled_t)
    438. 

  438. ')
    439. 

  439. interface(`kernel_unlabeled_domtrans',`
    440. 

  440. 	gen_require(`
    441. 

  441. 		type unlabeled_t;
    442. 

  442. 	')
    443. 

  443. 

  444. 	read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
    445. 

  445. 	domain_transition_pattern($1, unlabeled_t, $2)
    446. 

  446. 	type_transition $1 unlabeled_t:process $2;
    447. 

  447. ')
    448. 

  448. interface(`files_write_all_pid_sockets',`
    449. 

  449. 	gen_require(`
    450. 

  450. 		attribute pidfile;
    451. 

  451. 	')
    452. 

  452. 

  453. 	allow $1 pidfile:sock_file write_sock_file_perms;
    454. 

  454. ')
    455. 

  455. interface(`dev_dontaudit_mounton_sysfs',`
    456. 

  456. 	gen_require(`
    457. 

  457. 		type sysfs_t;
    458. 

  458. 	')
    459. 

  459. 

  460. 	dontaudit $1 sysfs_t:dir mounton;
    461. 

  461. ')
    462.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5