- ## <summary>The open-source application container engine.</summary>
- ########################################
- ## <summary>
- ## Execute docker in the docker domain.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed to transition.
- ## </summary>
- ## </param>
- #
- interface(`docker_domtrans',`
- gen_require(`
- type docker_t, docker_exec_t;
- ')
- corecmd_search_bin($1)
- domtrans_pattern($1, docker_exec_t, docker_t)
- ')
- ########################################
- ## <summary>
- ## Execute docker in the caller domain.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed to transition.
- ## </summary>
- ## </param>
- #
- interface(`docker_exec',`
- gen_require(`
- type docker_exec_t;
- ')
- corecmd_search_bin($1)
- can_exec($1, docker_exec_t)
- ')
- ########################################
- ## <summary>
- ## Search docker lib directories.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`docker_search_lib',`
- gen_require(`
- type docker_var_lib_t;
- ')
- allow $1 docker_var_lib_t:dir search_dir_perms;
- files_search_var_lib($1)
- ')
- ########################################
- ## <summary>
- ## Execute docker lib directories.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`docker_exec_lib',`
- gen_require(`
- type docker_var_lib_t;
- ')
- allow $1 docker_var_lib_t:dir search_dir_perms;
- can_exec($1, docker_var_lib_t)
- ')
- ########################################
- ## <summary>
- ## Read docker lib files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`docker_read_lib_files',`
- gen_require(`
- type docker_var_lib_t;
- ')
- files_search_var_lib($1)
- read_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
- ')
- ########################################
- ## <summary>
- ## Read docker share files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`docker_read_share_files',`
- gen_require(`
- type docker_share_t;
- ')
- files_search_var_lib($1)
- list_dirs_pattern($1, docker_share_t, docker_share_t)
- read_files_pattern($1, docker_share_t, docker_share_t)
- read_lnk_files_pattern($1, docker_share_t, docker_share_t)
- ')
- ######################################
- ## <summary>
- ## Allow the specified domain to execute docker shared files
- ## in the caller domain.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`docker_exec_share_files',`
- gen_require(`
- type docker_share_t;
- ')
- can_exec($1, docker_share_t)
- ')
- ########################################
- ## <summary>
- ## Manage docker lib files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`docker_manage_lib_files',`
- gen_require(`
- type docker_var_lib_t;
- ')
- files_search_var_lib($1)
- manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
- manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
- ')
- ########################################
- ## <summary>
- ## Manage docker lib directories.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`docker_manage_lib_dirs',`
- gen_require(`
- type docker_var_lib_t;
- ')
- files_search_var_lib($1)
- manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t)
- ')
- ########################################
- ## <summary>
- ## Create objects in a docker var lib directory
- ## with an automatic type transition to
- ## a specified private type.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- ## <param name="private_type">
- ## <summary>
- ## The type of the object to create.
- ## </summary>
- ## </param>
- ## <param name="object_class">
- ## <summary>
- ## The class of the object to be created.
- ## </summary>
- ## </param>
- ## <param name="name" optional="true">
- ## <summary>
- ## The name of the object being created.
- ## </summary>
- ## </param>
- #
- interface(`docker_lib_filetrans',`
- gen_require(`
- type docker_var_lib_t;
- ')
- filetrans_pattern($1, docker_var_lib_t, $2, $3, $4)
- ')
- ########################################
- ## <summary>
- ## Read docker PID files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`docker_read_pid_files',`
- gen_require(`
- type docker_var_run_t;
- ')
- files_search_pids($1)
- read_files_pattern($1, docker_var_run_t, docker_var_run_t)
- ')
- ########################################
- ## <summary>
- ## Execute docker server in the docker domain.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed to transition.
- ## </summary>
- ## </param>
- #
- interface(`docker_systemctl',`
- gen_require(`
- type docker_t;
- type docker_unit_file_t;
- ')
- systemd_exec_systemctl($1)
- init_reload_services($1)
- systemd_read_fifo_file_passwd_run($1)
- allow $1 docker_unit_file_t:file read_file_perms;
- allow $1 docker_unit_file_t:service manage_service_perms;
- ps_process_pattern($1, docker_t)
- ')
- ########################################
- ## <summary>
- ## Read and write docker shared memory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`docker_rw_sem',`
- gen_require(`
- type docker_t;
- ')
- allow $1 docker_t:sem rw_sem_perms;
- ')
- #######################################
- ## <summary>
- ## Read and write the docker pty type.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`docker_use_ptys',`
- gen_require(`
- type docker_devpts_t;
- ')
- allow $1 docker_devpts_t:chr_file rw_term_perms;
- ')
- #######################################
- ## <summary>
- ## Allow domain to create docker content
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`docker_filetrans_named_content',`
- gen_require(`
- type docker_var_lib_t;
- type docker_share_t;
- type docker_log_t;
- type docker_var_run_t;
- type docker_home_t;
- ')
- files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
- files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
- files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
- logging_log_filetrans($1, docker_log_t, dir, "lxc")
- files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
- filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
- filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
- filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
- filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf")
- filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
- userdom_admin_home_dir_filetrans($1, docker_home_t, dir, ".docker")
- ')
- ########################################
- ## <summary>
- ## Connect to docker over a unix stream socket.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`docker_stream_connect',`
- gen_require(`
- type docker_t, docker_var_run_t;
- ')
- files_search_pids($1)
- stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
- ')
- ########################################
- ## <summary>
- ## Connect to SPC containers over a unix stream socket.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`docker_spc_stream_connect',`
- gen_require(`
- type spc_t, spc_var_run_t;
- ')
- files_search_pids($1)
- files_write_all_pid_sockets($1)
- allow $1 spc_t:unix_stream_socket connectto;
- ')
- ########################################
- ## <summary>
- ## All of the rules required to administrate
- ## an docker environment
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`docker_admin',`
- gen_require(`
- type docker_t;
- type docker_var_lib_t, docker_var_run_t;
- type docker_unit_file_t;
- type docker_lock_t;
- type docker_log_t;
- type docker_config_t;
- ')
- allow $1 docker_t:process { ptrace signal_perms };
- ps_process_pattern($1, docker_t)
- admin_pattern($1, docker_config_t)
- files_search_var_lib($1)
- admin_pattern($1, docker_var_lib_t)
- files_search_pids($1)
- admin_pattern($1, docker_var_run_t)
- files_search_locks($1)
- admin_pattern($1, docker_lock_t)
- logging_search_logs($1)
- admin_pattern($1, docker_log_t)
- docker_systemctl($1)
- admin_pattern($1, docker_unit_file_t)
- allow $1 docker_unit_file_t:service all_service_perms;
- optional_policy(`
- systemd_passwd_agent_exec($1)
- systemd_read_fifo_file_passwd_run($1)
- ')
- ')
- ########################################
- ## <summary>
- ## Execute docker_auth_exec_t in the docker_auth domain.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed to transition.
- ## </summary>
- ## </param>
- #
- interface(`docker_auth_domtrans',`
- gen_require(`
- type docker_auth_t, docker_auth_exec_t;
- ')
- corecmd_search_bin($1)
- domtrans_pattern($1, docker_auth_exec_t, docker_auth_t)
- ')
- ######################################
- ## <summary>
- ## Execute docker_auth in the caller domain.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`docker_auth_exec',`
- gen_require(`
- type docker_auth_exec_t;
- ')
- corecmd_search_bin($1)
- can_exec($1, docker_auth_exec_t)
- ')
- ########################################
- ## <summary>
- ## Connect to docker_auth over a unix stream socket.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`docker_auth_stream_connect',`
- gen_require(`
- type docker_auth_t, docker_plugin_var_run_t;
- ')
- files_search_pids($1)
- stream_connect_pattern($1, docker_plugin_var_run_t, docker_plugin_var_run_t, docker_auth_t)
- ')
- ########################################
- ## <summary>
- ## docker domain typebounds calling domain.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain to be typebound.
- ## </summary>
- ## </param>
- #
- interface(`docker_typebounds',`
- gen_require(`
- type docker_t;
- ')
- typebounds docker_t $1;
- ')
- ########################################
- ## <summary>
- ## Allow any docker_exec_t to be an entrypoint of this domain
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- ## <rolecap/>
- #
- interface(`docker_entrypoint',`
- gen_require(`
- type docker_exec_t;
- ')
- allow $1 docker_exec_t:file entrypoint;
- ')
- ########################################
- ## <summary>
- ## Send and receive messages from
- ## systemd machined over dbus.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`systemd_dbus_chat_machined',`
- gen_require(`
- type systemd_machined_t;
- class dbus send_msg;
- ')
- allow $1 systemd_machined_t:dbus send_msg;
- allow systemd_machined_t $1:dbus send_msg;
- ps_process_pattern(systemd_machined_t, $1)
- ')
- ########################################
- ## <summary>
- ## Allow any svirt_sandbox_file_t to be an entrypoint of this domain
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- ## <rolecap/>
- #
- interface(`virt_sandbox_entrypoint',`
- gen_require(`
- type svirt_sandbox_file_t;
- ')
- allow $1 svirt_sandbox_file_t:file entrypoint;
- ')
- ########################################
- ## <summary>
- ## Send and receive messages from
- ## virt over dbus.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`virt_dbus_chat',`
- gen_require(`
- type virtd_t;
- class dbus send_msg;
- ')
- allow $1 virtd_t:dbus send_msg;
- allow virtd_t $1:dbus send_msg;
- ps_process_pattern(virtd_t, $1)
- ')
- #######################################
- ## <summary>
- ## Read the process state of virt sandbox containers
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`virt_sandbox_read_state',`
- gen_require(`
- attribute svirt_sandbox_domain;
- ')
- ps_process_pattern($1, svirt_sandbox_domain)
- ')
- ######################################
- ## <summary>
- ## Send a signal to sandbox domains
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`virt_signal_sandbox',`
- gen_require(`
- attribute svirt_sandbox_domain;
- ')
- allow $1 svirt_sandbox_domain:process signal;
- ')
- #######################################
- ## <summary>
- ## Getattr Sandbox File systems
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`virt_getattr_sandbox_filesystem',`
- gen_require(`
- type svirt_sandbox_file_t;
- ')
- allow $1 svirt_sandbox_file_t:filesystem getattr;
- ')
- #######################################
- ## <summary>
- ## Read Sandbox Files
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`virt_read_sandbox_files',`
- gen_require(`
- type svirt_sandbox_file_t;
- ')
- list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
- read_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
- read_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
- ')
- #######################################
- ## <summary>
- ## Read the process state of spc containers
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
- #
- interface(`docker_spc_read_state',`
- gen_require(`
- type spc_t;
- ')
- ps_process_pattern($1, spc_t)
- ')