moby/contrib/selinux/docker-engine-selinux/docker.if
Michael Crosby 32b1f26c51 Add selinux policy per distro
This adds the ability to have different profiles for individual distros
and versions of the distro because they all ship with and depend on
different versions of policy packages.

The `selinux` dir contains the unmodified policy that is being used
today.  The `selinux-fedora` dir contains the new policy for fedora 24
with the changes for it to compile and work on the system.

The fedora policy is from commit
4a6ce94da5

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-08-04 14:29:22 -07:00

461 lines
9.4 KiB
Text

## <summary>The open-source application container engine.</summary>
########################################
## <summary>
## Execute docker in the docker domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`docker_domtrans',`
gen_require(`
type docker_t, docker_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, docker_exec_t, docker_t)
')
########################################
## <summary>
## Execute docker in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`docker_exec',`
gen_require(`
type docker_exec_t;
')
corecmd_search_bin($1)
can_exec($1, docker_exec_t)
')
########################################
## <summary>
## Search docker lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_search_lib',`
gen_require(`
type docker_var_lib_t;
')
allow $1 docker_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
')
########################################
## <summary>
## Execute docker lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_exec_lib',`
gen_require(`
type docker_var_lib_t;
')
allow $1 docker_var_lib_t:dir search_dir_perms;
can_exec($1, docker_var_lib_t)
')
########################################
## <summary>
## Read docker lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_read_lib_files',`
gen_require(`
type docker_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
')
########################################
## <summary>
## Read docker share files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_read_share_files',`
gen_require(`
type docker_share_t;
')
files_search_var_lib($1)
read_files_pattern($1, docker_share_t, docker_share_t)
')
########################################
## <summary>
## Manage docker lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_manage_lib_files',`
gen_require(`
type docker_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
')
########################################
## <summary>
## Manage docker lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_manage_lib_dirs',`
gen_require(`
type docker_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t)
')
########################################
## <summary>
## Create objects in a docker var lib directory
## with an automatic type transition to
## a specified private type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="private_type">
## <summary>
## The type of the object to create.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The class of the object to be created.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`docker_lib_filetrans',`
gen_require(`
type docker_var_lib_t;
')
filetrans_pattern($1, docker_var_lib_t, $2, $3, $4)
')
########################################
## <summary>
## Read docker PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_read_pid_files',`
gen_require(`
type docker_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, docker_var_run_t, docker_var_run_t)
')
########################################
## <summary>
## Execute docker server in the docker domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`docker_systemctl',`
gen_require(`
type docker_t;
type docker_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 docker_unit_file_t:file read_file_perms;
allow $1 docker_unit_file_t:service manage_service_perms;
ps_process_pattern($1, docker_t)
')
########################################
## <summary>
## Read and write docker shared memory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_rw_sem',`
gen_require(`
type docker_t;
')
allow $1 docker_t:sem rw_sem_perms;
')
#######################################
## <summary>
## Read and write the docker pty type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_use_ptys',`
gen_require(`
type docker_devpts_t;
')
allow $1 docker_devpts_t:chr_file rw_term_perms;
')
#######################################
## <summary>
## Allow domain to create docker content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_filetrans_named_content',`
gen_require(`
type docker_var_lib_t;
type docker_share_t;
type docker_log_t;
type docker_var_run_t;
type docker_home_t;
')
files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf")
filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
userdom_admin_home_dir_filetrans($1, docker_home_t, dir, ".docker")
')
########################################
## <summary>
## Connect to docker over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_stream_connect',`
gen_require(`
type docker_t, docker_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
')
########################################
## <summary>
## Connect to SPC containers over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_spc_stream_connect',`
gen_require(`
type spc_t, spc_var_run_t;
')
files_search_pids($1)
files_write_all_pid_sockets($1)
allow $1 spc_t:unix_stream_socket connectto;
')
########################################
## <summary>
## All of the rules required to administrate
## an docker environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`docker_admin',`
gen_require(`
type docker_t;
type docker_var_lib_t, docker_var_run_t;
type docker_unit_file_t;
type docker_lock_t;
type docker_log_t;
type docker_config_t;
')
allow $1 docker_t:process { ptrace signal_perms };
ps_process_pattern($1, docker_t)
admin_pattern($1, docker_config_t)
files_search_var_lib($1)
admin_pattern($1, docker_var_lib_t)
files_search_pids($1)
admin_pattern($1, docker_var_run_t)
files_search_locks($1)
admin_pattern($1, docker_lock_t)
logging_search_logs($1)
admin_pattern($1, docker_log_t)
docker_systemctl($1)
admin_pattern($1, docker_unit_file_t)
allow $1 docker_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
')
interface(`domain_stub_named_filetrans_domain',`
gen_require(`
attribute named_filetrans_domain;
')
')
interface(`lvm_stub',`
gen_require(`
type lvm_t;
')
')
interface(`staff_stub',`
gen_require(`
type staff_t;
')
')
interface(`virt_stub_svirt_sandbox_domain',`
gen_require(`
attribute svirt_sandbox_domain;
')
')
interface(`virt_stub_svirt_sandbox_file',`
gen_require(`
type svirt_sandbox_file_t;
')
')
interface(`fs_dontaudit_remount_tmpfs',`
gen_require(`
type tmpfs_t;
')
dontaudit $1 tmpfs_t:filesystem remount;
')
interface(`dev_dontaudit_list_all_dev_nodes',`
gen_require(`
type device_t;
')
dontaudit $1 device_t:dir list_dir_perms;
')
interface(`kernel_unlabeled_entry_type',`
gen_require(`
type unlabeled_t;
')
domain_entry_file($1, unlabeled_t)
')
interface(`kernel_unlabeled_domtrans',`
gen_require(`
type unlabeled_t;
')
read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
domain_transition_pattern($1, unlabeled_t, $2)
type_transition $1 unlabeled_t:process $2;
')
interface(`files_write_all_pid_sockets',`
gen_require(`
attribute pidfile;
')
allow $1 pidfile:sock_file write_sock_file_perms;
')
interface(`dev_dontaudit_mounton_sysfs',`
gen_require(`
type sysfs_t;
')
dontaudit $1 sysfs_t:dir mounton;
')