
  1. ## <summary>The open-source application container engine.</summary>
  2. ########################################
  3. ## <summary>
  4. ## Execute docker in the docker domain.
  5. ## </summary>
  6. ## <param name="domain">
  7. ## <summary>
  8. ## Domain allowed to transition.
  9. ## </summary>
  10. ## </param>
  11. #
  12. interface(`docker_domtrans',`
  13. gen_require(`
  14. type docker_t, docker_exec_t;
  15. ')
  16. corecmd_search_bin($1)
  17. domtrans_pattern($1, docker_exec_t, docker_t)
  18. ')
  19. ########################################
  20. ## <summary>
  21. ## Execute docker in the caller domain.
  22. ## </summary>
  23. ## <param name="domain">
  24. ## <summary>
  25. ## Domain allowed to transition.
  26. ## </summary>
  27. ## </param>
  28. #
  29. interface(`docker_exec',`
  30. gen_require(`
  31. type docker_exec_t;
  32. ')
  33. corecmd_search_bin($1)
  34. can_exec($1, docker_exec_t)
  35. ')
  36. ########################################
  37. ## <summary>
  38. ## Search docker lib directories.
  39. ## </summary>
  40. ## <param name="domain">
  41. ## <summary>
  42. ## Domain allowed access.
  43. ## </summary>
  44. ## </param>
  45. #
  46. interface(`docker_search_lib',`
  47. gen_require(`
  48. type docker_var_lib_t;
  49. ')
  50. allow $1 docker_var_lib_t:dir search_dir_perms;
  51. files_search_var_lib($1)
  52. ')
  53. ########################################
  54. ## <summary>
  55. ## Execute docker lib directories.
  56. ## </summary>
  57. ## <param name="domain">
  58. ## <summary>
  59. ## Domain allowed access.
  60. ## </summary>
  61. ## </param>
  62. #
  63. interface(`docker_exec_lib',`
  64. gen_require(`
  65. type docker_var_lib_t;
  66. ')
  67. allow $1 docker_var_lib_t:dir search_dir_perms;
  68. can_exec($1, docker_var_lib_t)
  69. ')
  70. ########################################
  71. ## <summary>
  72. ## Read docker lib files.
  73. ## </summary>
  74. ## <param name="domain">
  75. ## <summary>
  76. ## Domain allowed access.
  77. ## </summary>
  78. ## </param>
  79. #
  80. interface(`docker_read_lib_files',`
  81. gen_require(`
  82. type docker_var_lib_t;
  83. ')
  84. files_search_var_lib($1)
  85. read_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
  86. ')
  87. ########################################
  88. ## <summary>
  89. ## Read docker share files.
  90. ## </summary>
  91. ## <param name="domain">
  92. ## <summary>
  93. ## Domain allowed access.
  94. ## </summary>
  95. ## </param>
  96. #
  97. interface(`docker_read_share_files',`
  98. gen_require(`
  99. type docker_share_t;
  100. ')
  101. files_search_var_lib($1)
  102. list_dirs_pattern($1, docker_share_t, docker_share_t)
  103. read_files_pattern($1, docker_share_t, docker_share_t)
  104. read_lnk_files_pattern($1, docker_share_t, docker_share_t)
  105. ')
  106. ######################################
  107. ## <summary>
  108. ## Allow the specified domain to execute docker shared files
  109. ## in the caller domain.
  110. ## </summary>
  111. ## <param name="domain">
  112. ## <summary>
  113. ## Domain allowed access.
  114. ## </summary>
  115. ## </param>
  116. #
  117. interface(`docker_exec_share_files',`
  118. gen_require(`
  119. type docker_share_t;
  120. ')
  121. can_exec($1, docker_share_t)
  122. ')
  123. ########################################
  124. ## <summary>
  125. ## Manage docker lib files.
  126. ## </summary>
  127. ## <param name="domain">
  128. ## <summary>
  129. ## Domain allowed access.
  130. ## </summary>
  131. ## </param>
  132. #
  133. interface(`docker_manage_lib_files',`
  134. gen_require(`
  135. type docker_var_lib_t;
  136. ')
  137. files_search_var_lib($1)
  138. manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
  139. manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
  140. ')
  141. ########################################
  142. ## <summary>
  143. ## Manage docker lib directories.
  144. ## </summary>
  145. ## <param name="domain">
  146. ## <summary>
  147. ## Domain allowed access.
  148. ## </summary>
  149. ## </param>
  150. #
  151. interface(`docker_manage_lib_dirs',`
  152. gen_require(`
  153. type docker_var_lib_t;
  154. ')
  155. files_search_var_lib($1)
  156. manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t)
  157. ')
  158. ########################################
  159. ## <summary>
  160. ## Create objects in a docker var lib directory
  161. ## with an automatic type transition to
  162. ## a specified private type.
  163. ## </summary>
  164. ## <param name="domain">
  165. ## <summary>
  166. ## Domain allowed access.
  167. ## </summary>
  168. ## </param>
  169. ## <param name="private_type">
  170. ## <summary>
  171. ## The type of the object to create.
  172. ## </summary>
  173. ## </param>
  174. ## <param name="object_class">
  175. ## <summary>
  176. ## The class of the object to be created.
  177. ## </summary>
  178. ## </param>
  179. ## <param name="name" optional="true">
  180. ## <summary>
  181. ## The name of the object being created.
  182. ## </summary>
  183. ## </param>
  184. #
  185. interface(`docker_lib_filetrans',`
  186. gen_require(`
  187. type docker_var_lib_t;
  188. ')
  189. filetrans_pattern($1, docker_var_lib_t, $2, $3, $4)
  190. ')
  191. ########################################
  192. ## <summary>
  193. ## Read docker PID files.
  194. ## </summary>
  195. ## <param name="domain">
  196. ## <summary>
  197. ## Domain allowed access.
  198. ## </summary>
  199. ## </param>
  200. #
  201. interface(`docker_read_pid_files',`
  202. gen_require(`
  203. type docker_var_run_t;
  204. ')
  205. files_search_pids($1)
  206. read_files_pattern($1, docker_var_run_t, docker_var_run_t)
  207. ')
  208. ########################################
  209. ## <summary>
  210. ## Execute docker server in the docker domain.
  211. ## </summary>
  212. ## <param name="domain">
  213. ## <summary>
  214. ## Domain allowed to transition.
  215. ## </summary>
  216. ## </param>
  217. #
  218. interface(`docker_systemctl',`
  219. gen_require(`
  220. type docker_t;
  221. type docker_unit_file_t;
  222. ')
  223. systemd_exec_systemctl($1)
  224. init_reload_services($1)
  225. systemd_read_fifo_file_passwd_run($1)
  226. allow $1 docker_unit_file_t:file read_file_perms;
  227. allow $1 docker_unit_file_t:service manage_service_perms;
  228. ps_process_pattern($1, docker_t)
  229. ')
  230. ########################################
  231. ## <summary>
  232. ## Read and write docker shared memory.
  233. ## </summary>
  234. ## <param name="domain">
  235. ## <summary>
  236. ## Domain allowed access.
  237. ## </summary>
  238. ## </param>
  239. #
  240. interface(`docker_rw_sem',`
  241. gen_require(`
  242. type docker_t;
  243. ')
  244. allow $1 docker_t:sem rw_sem_perms;
  245. ')
  246. #######################################
  247. ## <summary>
  248. ## Read and write the docker pty type.
  249. ## </summary>
  250. ## <param name="domain">
  251. ## <summary>
  252. ## Domain allowed access.
  253. ## </summary>
  254. ## </param>
  255. #
  256. interface(`docker_use_ptys',`
  257. gen_require(`
  258. type docker_devpts_t;
  259. ')
  260. allow $1 docker_devpts_t:chr_file rw_term_perms;
  261. ')
  262. #######################################
  263. ## <summary>
  264. ## Allow domain to create docker content
  265. ## </summary>
  266. ## <param name="domain">
  267. ## <summary>
  268. ## Domain allowed access.
  269. ## </summary>
  270. ## </param>
  271. #
  272. interface(`docker_filetrans_named_content',`
  273. gen_require(`
  274. type docker_var_lib_t;
  275. type docker_share_t;
  276. type docker_log_t;
  277. type docker_var_run_t;
  278. type docker_home_t;
  279. ')
  280. files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
  281. files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
  282. files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
  283. logging_log_filetrans($1, docker_log_t, dir, "lxc")
  284. files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
  285. filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
  286. filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
  287. filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
  288. filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf")
  289. filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
  290. userdom_admin_home_dir_filetrans($1, docker_home_t, dir, ".docker")
  291. ')
  292. ########################################
  293. ## <summary>
  294. ## Connect to docker over a unix stream socket.
  295. ## </summary>
  296. ## <param name="domain">
  297. ## <summary>
  298. ## Domain allowed access.
  299. ## </summary>
  300. ## </param>
  301. #
  302. interface(`docker_stream_connect',`
  303. gen_require(`
  304. type docker_t, docker_var_run_t;
  305. ')
  306. files_search_pids($1)
  307. stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
  308. ')
########################################
## <summary>
##	Connect to SPC containers over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`docker_spc_stream_connect',`
	gen_require(`
		type spc_t, spc_var_run_t;
	')

	files_search_pids($1)
	# NOTE(review): spc_var_run_t is required above but never used; instead
	# write access is granted to *every* socket file under /run, which is far
	# broader than the sibling docker_stream_connect() (scoped to one type).
	# If SPC sockets are reliably labelled spc_var_run_t this should become
	# stream_connect_pattern($1, spc_var_run_t, spc_var_run_t, spc_t) --
	# confirm against the labelling before narrowing.
	files_write_all_pid_sockets($1)
	allow $1 spc_t:unix_stream_socket connectto;
')
  327. ########################################
  328. ## <summary>
  329. ## All of the rules required to administrate
  330. ## an docker environment
  331. ## </summary>
  332. ## <param name="domain">
  333. ## <summary>
  334. ## Domain allowed access.
  335. ## </summary>
  336. ## </param>
  337. #
  338. interface(`docker_admin',`
  339. gen_require(`
  340. type docker_t;
  341. type docker_var_lib_t, docker_var_run_t;
  342. type docker_unit_file_t;
  343. type docker_lock_t;
  344. type docker_log_t;
  345. type docker_config_t;
  346. ')
  347. allow $1 docker_t:process { ptrace signal_perms };
  348. ps_process_pattern($1, docker_t)
  349. admin_pattern($1, docker_config_t)
  350. files_search_var_lib($1)
  351. admin_pattern($1, docker_var_lib_t)
  352. files_search_pids($1)
  353. admin_pattern($1, docker_var_run_t)
  354. files_search_locks($1)
  355. admin_pattern($1, docker_lock_t)
  356. logging_search_logs($1)
  357. admin_pattern($1, docker_log_t)
  358. docker_systemctl($1)
  359. admin_pattern($1, docker_unit_file_t)
  360. allow $1 docker_unit_file_t:service all_service_perms;
  361. optional_policy(`
  362. systemd_passwd_agent_exec($1)
  363. systemd_read_fifo_file_passwd_run($1)
  364. ')
  365. ')
  366. ########################################
  367. ## <summary>
  368. ## Execute docker_auth_exec_t in the docker_auth domain.
  369. ## </summary>
  370. ## <param name="domain">
  371. ## <summary>
  372. ## Domain allowed to transition.
  373. ## </summary>
  374. ## </param>
  375. #
  376. interface(`docker_auth_domtrans',`
  377. gen_require(`
  378. type docker_auth_t, docker_auth_exec_t;
  379. ')
  380. corecmd_search_bin($1)
  381. domtrans_pattern($1, docker_auth_exec_t, docker_auth_t)
  382. ')
  383. ######################################
  384. ## <summary>
  385. ## Execute docker_auth in the caller domain.
  386. ## </summary>
  387. ## <param name="domain">
  388. ## <summary>
  389. ## Domain allowed access.
  390. ## </summary>
  391. ## </param>
  392. #
  393. interface(`docker_auth_exec',`
  394. gen_require(`
  395. type docker_auth_exec_t;
  396. ')
  397. corecmd_search_bin($1)
  398. can_exec($1, docker_auth_exec_t)
  399. ')
  400. ########################################
  401. ## <summary>
  402. ## Connect to docker_auth over a unix stream socket.
  403. ## </summary>
  404. ## <param name="domain">
  405. ## <summary>
  406. ## Domain allowed access.
  407. ## </summary>
  408. ## </param>
  409. #
  410. interface(`docker_auth_stream_connect',`
  411. gen_require(`
  412. type docker_auth_t, docker_plugin_var_run_t;
  413. ')
  414. files_search_pids($1)
  415. stream_connect_pattern($1, docker_plugin_var_run_t, docker_plugin_var_run_t, docker_auth_t)
  416. ')
  417. ########################################
  418. ## <summary>
  419. ## docker domain typebounds calling domain.
  420. ## </summary>
  421. ## <param name="domain">
  422. ## <summary>
  423. ## Domain to be typebound.
  424. ## </summary>
  425. ## </param>
  426. #
  427. interface(`docker_typebounds',`
  428. gen_require(`
  429. type docker_t;
  430. ')
  431. typebounds docker_t $1;
  432. ')
  433. ########################################
  434. ## <summary>
  435. ## Allow any docker_exec_t to be an entrypoint of this domain
  436. ## </summary>
  437. ## <param name="domain">
  438. ## <summary>
  439. ## Domain allowed access.
  440. ## </summary>
  441. ## </param>
  442. ## <rolecap/>
  443. #
  444. interface(`docker_entrypoint',`
  445. gen_require(`
  446. type docker_exec_t;
  447. ')
  448. allow $1 docker_exec_t:file entrypoint;
  449. ')
  450. ########################################
  451. ## <summary>
  452. ## Send and receive messages from
  453. ## systemd machined over dbus.
  454. ## </summary>
  455. ## <param name="domain">
  456. ## <summary>
  457. ## Domain allowed access.
  458. ## </summary>
  459. ## </param>
  460. #
  461. interface(`systemd_dbus_chat_machined',`
  462. gen_require(`
  463. type systemd_machined_t;
  464. class dbus send_msg;
  465. ')
  466. allow $1 systemd_machined_t:dbus send_msg;
  467. allow systemd_machined_t $1:dbus send_msg;
  468. ps_process_pattern(systemd_machined_t, $1)
  469. ')
  470. ########################################
  471. ## <summary>
  472. ## Allow any svirt_sandbox_file_t to be an entrypoint of this domain
  473. ## </summary>
  474. ## <param name="domain">
  475. ## <summary>
  476. ## Domain allowed access.
  477. ## </summary>
  478. ## </param>
  479. ## <rolecap/>
  480. #
  481. interface(`virt_sandbox_entrypoint',`
  482. gen_require(`
  483. type svirt_sandbox_file_t;
  484. ')
  485. allow $1 svirt_sandbox_file_t:file entrypoint;
  486. ')
  487. ########################################
  488. ## <summary>
  489. ## Send and receive messages from
  490. ## virt over dbus.
  491. ## </summary>
  492. ## <param name="domain">
  493. ## <summary>
  494. ## Domain allowed access.
  495. ## </summary>
  496. ## </param>
  497. #
  498. interface(`virt_dbus_chat',`
  499. gen_require(`
  500. type virtd_t;
  501. class dbus send_msg;
  502. ')
  503. allow $1 virtd_t:dbus send_msg;
  504. allow virtd_t $1:dbus send_msg;
  505. ps_process_pattern(virtd_t, $1)
  506. ')
  507. #######################################
  508. ## <summary>
  509. ## Read the process state of virt sandbox containers
  510. ## </summary>
  511. ## <param name="domain">
  512. ## <summary>
  513. ## Domain allowed access.
  514. ## </summary>
  515. ## </param>
  516. #
  517. interface(`virt_sandbox_read_state',`
  518. gen_require(`
  519. attribute svirt_sandbox_domain;
  520. ')
  521. ps_process_pattern($1, svirt_sandbox_domain)
  522. ')
  523. ######################################
  524. ## <summary>
  525. ## Send a signal to sandbox domains
  526. ## </summary>
  527. ## <param name="domain">
  528. ## <summary>
  529. ## Domain allowed access.
  530. ## </summary>
  531. ## </param>
  532. #
  533. interface(`virt_signal_sandbox',`
  534. gen_require(`
  535. attribute svirt_sandbox_domain;
  536. ')
  537. allow $1 svirt_sandbox_domain:process signal;
  538. ')
  539. #######################################
  540. ## <summary>
  541. ## Getattr Sandbox File systems
  542. ## </summary>
  543. ## <param name="domain">
  544. ## <summary>
  545. ## Domain allowed access.
  546. ## </summary>
  547. ## </param>
  548. #
  549. interface(`virt_getattr_sandbox_filesystem',`
  550. gen_require(`
  551. type svirt_sandbox_file_t;
  552. ')
  553. allow $1 svirt_sandbox_file_t:filesystem getattr;
  554. ')
  555. #######################################
  556. ## <summary>
  557. ## Read Sandbox Files
  558. ## </summary>
  559. ## <param name="domain">
  560. ## <summary>
  561. ## Domain allowed access.
  562. ## </summary>
  563. ## </param>
  564. #
  565. interface(`virt_read_sandbox_files',`
  566. gen_require(`
  567. type svirt_sandbox_file_t;
  568. ')
  569. list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
  570. read_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
  571. read_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
  572. ')
  573. #######################################
  574. ## <summary>
  575. ## Read the process state of spc containers
  576. ## </summary>
  577. ## <param name="domain">
  578. ## <summary>
  579. ## Domain allowed access.
  580. ## </summary>
  581. ## </param>
  582. #
  583. interface(`docker_spc_read_state',`
  584. gen_require(`
  585. type spc_t;
  586. ')
  587. ps_process_pattern($1, spc_t)
  588. ')