Update oracle linux selinux to match docker upstream
Add a dependency on specific selinux version for OL on docker-engine.spec Signed-off-by: Thomas Tanaka <thomas.tanaka@oracle.com>
This commit is contained in:
parent
3c22c7d5e9
commit
fc7cc1cc75
8 changed files with 123 additions and 394 deletions
|
@ -1,8 +1,8 @@
|
|||
GNU GENERAL PUBLIC LICENSE
|
||||
Version 2, June 1991
|
||||
|
||||
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
|
||||
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
|
||||
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
Everyone is permitted to copy and distribute verbatim copies
|
||||
of this license document, but changing it is not allowed.
|
||||
|
||||
|
@ -15,7 +15,7 @@ software--to make sure the software is free for all its users. This
|
|||
General Public License applies to most of the Free Software
|
||||
Foundation's software and to any other program whose authors commit to
|
||||
using it. (Some other Free Software Foundation software is covered by
|
||||
the GNU Lesser General Public License instead.) You can apply it to
|
||||
the GNU Library General Public License instead.) You can apply it to
|
||||
your programs, too.
|
||||
|
||||
When we speak of free software, we are referring to freedom, not
|
||||
|
@ -55,7 +55,7 @@ patent must be licensed for everyone's free use or not licensed at all.
|
|||
|
||||
The precise terms and conditions for copying, distribution and
|
||||
modification follow.
|
||||
|
||||
|
||||
GNU GENERAL PUBLIC LICENSE
|
||||
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
||||
|
||||
|
@ -110,7 +110,7 @@ above, provided that you also meet all of these conditions:
|
|||
License. (Exception: if the Program itself is interactive but
|
||||
does not normally print such an announcement, your work based on
|
||||
the Program is not required to print an announcement.)
|
||||
|
||||
|
||||
These requirements apply to the modified work as a whole. If
|
||||
identifiable sections of that work are not derived from the Program,
|
||||
and can be reasonably considered independent and separate works in
|
||||
|
@ -168,7 +168,7 @@ access to copy from a designated place, then offering equivalent
|
|||
access to copy the source code from the same place counts as
|
||||
distribution of the source code, even though third parties are not
|
||||
compelled to copy the source along with the object code.
|
||||
|
||||
|
||||
4. You may not copy, modify, sublicense, or distribute the Program
|
||||
except as expressly provided under this License. Any attempt
|
||||
otherwise to copy, modify, sublicense or distribute the Program is
|
||||
|
@ -225,7 +225,7 @@ impose that choice.
|
|||
|
||||
This section is intended to make thoroughly clear what is believed to
|
||||
be a consequence of the rest of this License.
|
||||
|
||||
|
||||
8. If the distribution and/or use of the Program is restricted in
|
||||
certain countries either by patents or by copyrighted interfaces, the
|
||||
original copyright holder who places the Program under this License
|
||||
|
@ -278,7 +278,7 @@ PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
|||
POSSIBILITY OF SUCH DAMAGES.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
|
||||
How to Apply These Terms to Your New Programs
|
||||
|
||||
If you develop a new program, and you want it to be of the greatest
|
||||
|
@ -303,9 +303,10 @@ the "copyright" line and a pointer to where the full notice is found.
|
|||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License along
|
||||
with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
|
||||
|
||||
Also add information on how to contact you by electronic and paper mail.
|
||||
|
||||
|
@ -335,5 +336,5 @@ necessary. Here is a sample; alter the names:
|
|||
This General Public License does not permit incorporating your program into
|
||||
proprietary programs. If your program is a subroutine library, you may
|
||||
consider it more useful to permit linking proprietary applications with the
|
||||
library. If this is what you want to do, use the GNU Lesser General
|
||||
library. If this is what you want to do, use the GNU Library General
|
||||
Public License instead of this License.
|
||||
|
|
|
@ -14,10 +14,3 @@ all: ${TARGETS:=.pp.bz2}
|
|||
clean:
|
||||
rm -f *~ *.tc *.pp *.pp.bz2
|
||||
rm -rf tmp *.tar.gz
|
||||
|
||||
man: install
|
||||
sepolicy manpage --domain ${TARGETS}_t
|
||||
|
||||
install:
|
||||
semodule -i ${TARGETS}
|
||||
|
||||
|
|
|
@ -1,33 +1,18 @@
|
|||
/root/\.docker gen_context(system_u:object_r:docker_home_t,s0)
|
||||
|
||||
/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0)
|
||||
/usr/bin/docker-novolume-plugin -- gen_context(system_u:object_r:docker_auth_exec_t,s0)
|
||||
/usr/lib/docker/docker-novolume-plugin -- gen_context(system_u:object_r:docker_auth_exec_t,s0)
|
||||
/usr/bin/dockerd -- gen_context(system_u:object_r:docker_exec_t,s0)
|
||||
|
||||
/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0)
|
||||
/usr/lib/systemd/system/docker-novolume-plugin.service -- gen_context(system_u:object_r:docker_unit_file_t,s0)
|
||||
|
||||
/etc/docker(/.*)? gen_context(system_u:object_r:docker_config_t,s0)
|
||||
|
||||
/var/lib/docker(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0)
|
||||
/var/lib/kublet(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0)
|
||||
/var/lib/docker/vfs(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0)
|
||||
|
||||
/var/run/docker(/.*)? gen_context(system_u:object_r:docker_var_run_t,s0)
|
||||
/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0)
|
||||
/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0)
|
||||
/var/run/docker-client(/.*)? gen_context(system_u:object_r:docker_var_run_t,s0)
|
||||
/var/run/docker/plugins(/.*)? gen_context(system_u:object_r:docker_plugin_var_run_t,s0)
|
||||
|
||||
/var/lock/lxc(/.*)? gen_context(system_u:object_r:docker_lock_t,s0)
|
||||
|
||||
/var/log/lxc(/.*)? gen_context(system_u:object_r:docker_log_t,s0)
|
||||
|
||||
/var/lib/docker/init(/.*)? gen_context(system_u:object_r:docker_share_t,s0)
|
||||
/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:docker_share_t,s0)
|
||||
/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:docker_share_t,s0)
|
||||
/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0)
|
||||
|
||||
# OL7.2 systemd selinux update
|
||||
/var/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
|
||||
/var/lib/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_lib_t,s0)
|
||||
|
|
|
@ -112,28 +112,7 @@ interface(`docker_read_share_files',`
|
|||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
list_dirs_pattern($1, docker_share_t, docker_share_t)
|
||||
read_files_pattern($1, docker_share_t, docker_share_t)
|
||||
read_lnk_files_pattern($1, docker_share_t, docker_share_t)
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Allow the specified domain to execute docker shared files
|
||||
## in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`docker_exec_share_files',`
|
||||
gen_require(`
|
||||
type docker_share_t;
|
||||
')
|
||||
|
||||
can_exec($1, docker_share_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -305,7 +284,7 @@ interface(`docker_filetrans_named_content',`
|
|||
gen_require(`
|
||||
type docker_var_lib_t;
|
||||
type docker_share_t;
|
||||
type docker_log_t;
|
||||
type docker_log_t;
|
||||
type docker_var_run_t;
|
||||
type docker_home_t;
|
||||
')
|
||||
|
@ -313,7 +292,6 @@ interface(`docker_filetrans_named_content',`
|
|||
files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
|
||||
files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
|
||||
files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
|
||||
logging_log_filetrans($1, docker_log_t, dir, "lxc")
|
||||
files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
|
||||
filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
|
||||
filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
|
||||
|
@ -362,6 +340,7 @@ interface(`docker_spc_stream_connect',`
|
|||
allow $1 spc_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
|
@ -410,250 +389,73 @@ interface(`docker_admin',`
|
|||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute docker_auth_exec_t in the docker_auth domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`docker_auth_domtrans',`
|
||||
interface(`domain_stub_named_filetrans_domain',`
|
||||
gen_require(`
|
||||
attribute named_filetrans_domain;
|
||||
')
|
||||
')
|
||||
|
||||
interface(`lvm_stub',`
|
||||
gen_require(`
|
||||
type lvm_t;
|
||||
')
|
||||
')
|
||||
interface(`staff_stub',`
|
||||
gen_require(`
|
||||
type staff_t;
|
||||
')
|
||||
')
|
||||
interface(`virt_stub_svirt_sandbox_domain',`
|
||||
gen_require(`
|
||||
type docker_auth_t, docker_auth_exec_t;
|
||||
attribute svirt_sandbox_domain;
|
||||
')
|
||||
')
|
||||
interface(`virt_stub_svirt_sandbox_file',`
|
||||
gen_require(`
|
||||
type svirt_sandbox_file_t;
|
||||
')
|
||||
')
|
||||
interface(`fs_dontaudit_remount_tmpfs',`
|
||||
gen_require(`
|
||||
type tmpfs_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, docker_auth_exec_t, docker_auth_t)
|
||||
dontaudit $1 tmpfs_t:filesystem remount;
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Execute docker_auth in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`docker_auth_exec',`
|
||||
interface(`dev_dontaudit_list_all_dev_nodes',`
|
||||
gen_require(`
|
||||
type docker_auth_exec_t;
|
||||
type device_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1, docker_auth_exec_t)
|
||||
dontaudit $1 device_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to docker_auth over a unix stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`docker_auth_stream_connect',`
|
||||
interface(`kernel_unlabeled_entry_type',`
|
||||
gen_require(`
|
||||
type docker_auth_t, docker_plugin_var_run_t;
|
||||
type unlabeled_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, docker_plugin_var_run_t, docker_plugin_var_run_t, docker_auth_t)
|
||||
domain_entry_file($1, unlabeled_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## docker domain typebounds calling domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to be typebound.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`docker_typebounds',`
|
||||
interface(`kernel_unlabeled_domtrans',`
|
||||
gen_require(`
|
||||
type docker_t;
|
||||
type unlabeled_t;
|
||||
')
|
||||
|
||||
typebounds docker_t $1;
|
||||
read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
|
||||
domain_transition_pattern($1, unlabeled_t, $2)
|
||||
type_transition $1 unlabeled_t:process $2;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow any docker_exec_t to be an entrypoint of this domain
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`docker_entrypoint',`
|
||||
interface(`files_write_all_pid_sockets',`
|
||||
gen_require(`
|
||||
type docker_exec_t;
|
||||
attribute pidfile;
|
||||
')
|
||||
allow $1 docker_exec_t:file entrypoint;
|
||||
|
||||
allow $1 pidfile:sock_file write_sock_file_perms;
|
||||
')
|
||||
interface(`dev_dontaudit_mounton_sysfs',`
|
||||
gen_require(`
|
||||
type sysfs_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
## systemd machined over dbus.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_dbus_chat_machined',`
|
||||
gen_require(`
|
||||
type systemd_machined_t;
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow $1 systemd_machined_t:dbus send_msg;
|
||||
allow systemd_machined_t $1:dbus send_msg;
|
||||
ps_process_pattern(systemd_machined_t, $1)
|
||||
dontaudit $1 sysfs_t:dir mounton;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow any svirt_sandbox_file_t to be an entrypoint of this domain
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`virt_sandbox_entrypoint',`
|
||||
gen_require(`
|
||||
type svirt_sandbox_file_t;
|
||||
')
|
||||
allow $1 svirt_sandbox_file_t:file entrypoint;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
## virt over dbus.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`virt_dbus_chat',`
|
||||
gen_require(`
|
||||
type virtd_t;
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow $1 virtd_t:dbus send_msg;
|
||||
allow virtd_t $1:dbus send_msg;
|
||||
ps_process_pattern(virtd_t, $1)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read the process state of virt sandbox containers
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`virt_sandbox_read_state',`
|
||||
gen_require(`
|
||||
attribute svirt_sandbox_domain;
|
||||
')
|
||||
|
||||
ps_process_pattern($1, svirt_sandbox_domain)
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Send a signal to sandbox domains
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`virt_signal_sandbox',`
|
||||
gen_require(`
|
||||
attribute svirt_sandbox_domain;
|
||||
')
|
||||
|
||||
allow $1 svirt_sandbox_domain:process signal;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Getattr Sandbox File systems
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`virt_getattr_sandbox_filesystem',`
|
||||
gen_require(`
|
||||
type svirt_sandbox_file_t;
|
||||
')
|
||||
|
||||
allow $1 svirt_sandbox_file_t:filesystem getattr;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read Sandbox Files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`virt_read_sandbox_files',`
|
||||
gen_require(`
|
||||
type svirt_sandbox_file_t;
|
||||
')
|
||||
|
||||
list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
||||
read_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
||||
read_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read the process state of spc containers
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`docker_spc_read_state',`
|
||||
gen_require(`
|
||||
type spc_t;
|
||||
')
|
||||
|
||||
ps_process_pattern($1, spc_t)
|
||||
')
|
||||
|
||||
|
|
|
@ -23,10 +23,6 @@ type spc_t;
|
|||
domain_type(spc_t)
|
||||
role system_r types spc_t;
|
||||
|
||||
type docker_auth_t;
|
||||
type docker_auth_exec_t;
|
||||
init_daemon_domain(docker_auth_t, docker_auth_exec_t)
|
||||
|
||||
type spc_var_run_t;
|
||||
files_pid_file(spc_var_run_t)
|
||||
|
||||
|
@ -54,9 +50,6 @@ files_tmpfs_file(docker_tmpfs_t)
|
|||
type docker_var_run_t;
|
||||
files_pid_file(docker_var_run_t)
|
||||
|
||||
type docker_plugin_var_run_t;
|
||||
files_pid_file(docker_plugin_var_run_t)
|
||||
|
||||
type docker_unit_file_t;
|
||||
systemd_unit_file(docker_unit_file_t)
|
||||
|
||||
|
@ -66,20 +59,6 @@ term_pty(docker_devpts_t)
|
|||
type docker_share_t;
|
||||
files_type(docker_share_t)
|
||||
|
||||
# OL7 systemd selinux update
|
||||
type systemd_machined_t;
|
||||
type systemd_machined_exec_t;
|
||||
init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
|
||||
|
||||
# /run/systemd/machines
|
||||
type systemd_machined_var_run_t;
|
||||
files_pid_file(systemd_machined_var_run_t)
|
||||
|
||||
# /var/lib/machines
|
||||
type systemd_machined_var_lib_t;
|
||||
files_type(systemd_machined_var_lib_t)
|
||||
|
||||
|
||||
########################################
|
||||
#
|
||||
# docker local policy
|
||||
|
@ -93,8 +72,6 @@ allow docker_t self:tcp_socket create_stream_socket_perms;
|
|||
allow docker_t self:udp_socket create_socket_perms;
|
||||
allow docker_t self:capability2 block_suspend;
|
||||
|
||||
docker_auth_stream_connect(docker_t)
|
||||
|
||||
manage_files_pattern(docker_t, docker_home_t, docker_home_t)
|
||||
manage_dirs_pattern(docker_t, docker_home_t, docker_home_t)
|
||||
manage_lnk_files_pattern(docker_t, docker_home_t, docker_home_t)
|
||||
|
@ -106,7 +83,6 @@ files_etc_filetrans(docker_t, docker_config_t, dir, "docker")
|
|||
|
||||
manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
|
||||
manage_files_pattern(docker_t, docker_lock_t, docker_lock_t)
|
||||
files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc")
|
||||
|
||||
manage_dirs_pattern(docker_t, docker_log_t, docker_log_t)
|
||||
manage_files_pattern(docker_t, docker_log_t, docker_log_t)
|
||||
|
@ -229,10 +205,6 @@ optional_policy(`
|
|||
openvswitch_stream_connect(docker_t)
|
||||
')
|
||||
|
||||
#
|
||||
# lxc rules
|
||||
#
|
||||
|
||||
allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace };
|
||||
|
||||
allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms };
|
||||
|
@ -314,7 +286,6 @@ optional_policy(`
|
|||
|
||||
optional_policy(`
|
||||
systemd_dbus_chat_logind(docker_t)
|
||||
systemd_dbus_chat_machined(docker_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -326,11 +297,6 @@ optional_policy(`
|
|||
udev_read_db(docker_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_domain(docker_t)
|
||||
# unconfined_typebounds(docker_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
virt_read_config(docker_t)
|
||||
virt_exec(docker_t)
|
||||
|
@ -339,12 +305,10 @@ optional_policy(`
|
|||
virt_exec_sandbox_files(docker_t)
|
||||
virt_manage_sandbox_files(docker_t)
|
||||
virt_relabel_sandbox_filesystem(docker_t)
|
||||
# for lxc
|
||||
virt_transition_svirt_sandbox(docker_t, system_r)
|
||||
virt_mounton_sandbox_file(docker_t)
|
||||
# virt_attach_sandbox_tun_iface(docker_t)
|
||||
allow docker_t svirt_sandbox_domain:tun_socket relabelfrom;
|
||||
virt_sandbox_entrypoint(docker_t)
|
||||
')
|
||||
|
||||
tunable_policy(`docker_connect_any',`
|
||||
|
@ -357,19 +321,17 @@ tunable_policy(`docker_connect_any',`
|
|||
#
|
||||
# spc local policy
|
||||
#
|
||||
allow spc_t { docker_var_lib_t docker_share_t }:file entrypoint;
|
||||
domain_entry_file(spc_t, docker_share_t)
|
||||
domain_entry_file(spc_t, docker_var_lib_t)
|
||||
role system_r types spc_t;
|
||||
|
||||
domain_entry_file(spc_t, docker_share_t)
|
||||
domain_entry_file(spc_t, docker_var_lib_t)
|
||||
domtrans_pattern(docker_t, docker_share_t, spc_t)
|
||||
domtrans_pattern(docker_t, docker_var_lib_t, spc_t)
|
||||
allow docker_t spc_t:process { setsched signal_perms };
|
||||
ps_process_pattern(docker_t, spc_t)
|
||||
allow docker_t spc_t:socket_class_set { relabelto relabelfrom };
|
||||
filetrans_pattern(docker_t, docker_var_lib_t, docker_share_t, dir, "overlay")
|
||||
|
||||
optional_policy(`
|
||||
systemd_dbus_chat_machined(spc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_chat_system_bus(spc_t)
|
||||
|
@ -379,87 +341,67 @@ optional_policy(`
|
|||
unconfined_domain_noaudit(spc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_domain(docker_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
virt_transition_svirt_sandbox(spc_t, system_r)
|
||||
virt_sandbox_entrypoint(spc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# docker_auth local policy
|
||||
# docker upstream policy
|
||||
#
|
||||
allow docker_auth_t self:fifo_file rw_fifo_file_perms;
|
||||
allow docker_auth_t self:unix_stream_socket create_stream_socket_perms;
|
||||
dontaudit docker_auth_t self:capability net_admin;
|
||||
|
||||
docker_stream_connect(docker_auth_t)
|
||||
|
||||
manage_dirs_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
|
||||
manage_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
|
||||
manage_sock_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
|
||||
manage_lnk_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
|
||||
files_pid_filetrans(docker_auth_t, docker_plugin_var_run_t, { dir file lnk_file sock_file })
|
||||
|
||||
domain_use_interactive_fds(docker_auth_t)
|
||||
|
||||
kernel_read_net_sysctls(docker_auth_t)
|
||||
|
||||
auth_use_nsswitch(docker_auth_t)
|
||||
|
||||
files_read_etc_files(docker_auth_t)
|
||||
|
||||
miscfiles_read_localization(docker_auth_t)
|
||||
|
||||
sysnet_dns_name_resolve(docker_auth_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# OL7.2 systemd selinux update
|
||||
# systemd_machined local policy
|
||||
#
|
||||
allow systemd_machined_t self:capability { dac_override setgid sys_admin sys_chroot sys_ptrace };
|
||||
allow systemd_machined_t systemd_unit_file_t:service { status start };
|
||||
allow systemd_machined_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
manage_dirs_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
|
||||
manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
|
||||
manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
|
||||
init_pid_filetrans(systemd_machined_t, systemd_machined_var_run_t, dir, "machines")
|
||||
|
||||
manage_dirs_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
|
||||
manage_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
|
||||
manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
|
||||
init_var_lib_filetrans(systemd_machined_t, systemd_machined_var_lib_t, dir, "machines")
|
||||
|
||||
kernel_dgram_send(systemd_machined_t)
|
||||
# This is a bug, but need for now.
|
||||
kernel_read_unlabeled_state(systemd_machined_t)
|
||||
|
||||
init_dbus_chat(systemd_machined_t)
|
||||
init_status(systemd_machined_t)
|
||||
|
||||
userdom_dbus_send_all_users(systemd_machined_t)
|
||||
|
||||
term_use_ptmx(systemd_machined_t)
|
||||
|
||||
optional_policy(`
|
||||
dbus_connect_system_bus(systemd_machined_t)
|
||||
dbus_system_bus_client(systemd_machined_t)
|
||||
# domain_stub_named_filetrans_domain()
|
||||
gen_require(`
|
||||
attribute named_filetrans_domain;
|
||||
')
|
||||
|
||||
docker_filetrans_named_content(named_filetrans_domain)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
docker_read_share_files(systemd_machined_t)
|
||||
docker_spc_read_state(systemd_machined_t)
|
||||
lvm_stub()
|
||||
docker_rw_sem(lvm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
virt_dbus_chat(systemd_machined_t)
|
||||
virt_sandbox_read_state(systemd_machined_t)
|
||||
virt_signal_sandbox(systemd_machined_t)
|
||||
virt_stream_connect_sandbox(systemd_machined_t)
|
||||
virt_rw_svirt_dev(systemd_machined_t)
|
||||
virt_getattr_sandbox_filesystem(systemd_machined_t)
|
||||
virt_read_sandbox_files(systemd_machined_t)
|
||||
staff_stub()
|
||||
docker_stream_connect(staff_t)
|
||||
docker_exec(staff_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
virt_stub_svirt_sandbox_domain()
|
||||
virt_stub_svirt_sandbox_file()
|
||||
allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
docker_read_share_files(svirt_sandbox_domain)
|
||||
docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
|
||||
docker_use_ptys(svirt_sandbox_domain)
|
||||
docker_spc_stream_connect(svirt_sandbox_domain)
|
||||
fs_list_tmpfs(svirt_sandbox_domain)
|
||||
fs_rw_hugetlbfs_files(svirt_sandbox_domain)
|
||||
fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
|
||||
dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
|
||||
|
||||
tunable_policy(`virt_sandbox_use_fusefs',`
|
||||
fs_manage_fusefs_dirs(svirt_sandbox_domain)
|
||||
fs_manage_fusefs_files(svirt_sandbox_domain)
|
||||
fs_manage_fusefs_symlinks(svirt_sandbox_domain)
|
||||
')
|
||||
gen_require(`
|
||||
attribute domain;
|
||||
')
|
||||
|
||||
dontaudit svirt_sandbox_domain domain:key {search link};
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type pcp_pmcd_t;
|
||||
')
|
||||
docker_manage_lib_files(pcp_pmcd_t)
|
||||
')
|
||||
|
|
Binary file not shown.
|
@ -14,6 +14,9 @@ Vendor: Docker
|
|||
Packager: Docker <support@docker.com>
|
||||
|
||||
%global selinux_policyver 3.13.1-102
|
||||
%if 0%{?oraclelinux} >= 7
|
||||
%global selinux_policyver 3.13.1-102.0.3.el7_3.15
|
||||
%endif # oraclelinux 7
|
||||
%global selinuxtype targeted
|
||||
%global moduletype services
|
||||
%global modulenames docker
|
||||
|
|
|
@ -84,9 +84,12 @@ Requires: device-mapper >= 1.02.90-2
|
|||
%if 0%{?fedora} >= 22
|
||||
%global selinux_policyver 3.13.1-128
|
||||
%endif # fedora 22
|
||||
%if 0%{?centos} >= 7 || 0%{?rhel} >= 7 || 0%{?oraclelinux} >= 7
|
||||
%if 0%{?centos} >= 7 || 0%{?rhel} >= 7
|
||||
%global selinux_policyver 3.13.1-23
|
||||
%endif # centos,oraclelinux 7
|
||||
%endif # centos,rhel 7
|
||||
%if 0%{?oraclelinux} >= 7
|
||||
%global selinux_policyver 3.13.1-102.0.3.el7_3.15
|
||||
%endif # oraclelinux 7
|
||||
%endif # with_selinux
|
||||
|
||||
# RE: rhbz#1195804 - ensure min NVR for selinux-policy
|
||||
|
|
Loading…
Reference in a new issue