| |
| ## <summary>The open-source application container engine.</summary> |
| |
| ######################################## |
| ## <summary> |
| ## Execute docker in the docker domain. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed to transition. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_domtrans',` |
| gen_require(` |
| type docker_t, docker_exec_t; |
| ') |
| |
| corecmd_search_bin($1) |
| domtrans_pattern($1, docker_exec_t, docker_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Execute docker in the caller domain. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed to transition. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_exec',` |
| gen_require(` |
| type docker_exec_t; |
| ') |
| |
| corecmd_search_bin($1) |
| can_exec($1, docker_exec_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Search docker lib directories. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_search_lib',` |
| gen_require(` |
| type docker_var_lib_t; |
| ') |
| |
| allow $1 docker_var_lib_t:dir search_dir_perms; |
| files_search_var_lib($1) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Execute docker lib directories. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_exec_lib',` |
| gen_require(` |
| type docker_var_lib_t; |
| ') |
| |
| allow $1 docker_var_lib_t:dir search_dir_perms; |
| can_exec($1, docker_var_lib_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Read docker lib files. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_read_lib_files',` |
| gen_require(` |
| type docker_var_lib_t; |
| ') |
| |
| files_search_var_lib($1) |
| read_files_pattern($1, docker_var_lib_t, docker_var_lib_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Read docker share files. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_read_share_files',` |
| gen_require(` |
| type docker_share_t; |
| ') |
| |
| files_search_var_lib($1) |
| list_dirs_pattern($1, docker_share_t, docker_share_t) |
| read_files_pattern($1, docker_share_t, docker_share_t) |
| read_lnk_files_pattern($1, docker_share_t, docker_share_t) |
| ') |
| |
| ###################################### |
| ## <summary> |
| ## Allow the specified domain to execute apache |
| ## in the caller domain. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`apache_exec',` |
| gen_require(` |
| type httpd_exec_t; |
| ') |
| |
| can_exec($1, httpd_exec_t) |
| ') |
| |
| ###################################### |
| ## <summary> |
| ## Allow the specified domain to execute docker shared files |
| ## in the caller domain. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_exec_share_files',` |
| gen_require(` |
| type docker_share_t; |
| ') |
| |
| can_exec($1, docker_share_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Manage docker lib files. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_manage_lib_files',` |
| gen_require(` |
| type docker_var_lib_t; |
| ') |
| |
| files_search_var_lib($1) |
| manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t) |
| manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Manage docker lib directories. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_manage_lib_dirs',` |
| gen_require(` |
| type docker_var_lib_t; |
| ') |
| |
| files_search_var_lib($1) |
| manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Create objects in a docker var lib directory |
| ## with an automatic type transition to |
| ## a specified private type. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| ## <param name="private_type"> |
| ## <summary> |
| ## The type of the object to create. |
| ## </summary> |
| ## </param> |
| ## <param name="object_class"> |
| ## <summary> |
| ## The class of the object to be created. |
| ## </summary> |
| ## </param> |
| ## <param name="name" optional="true"> |
| ## <summary> |
| ## The name of the object being created. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_lib_filetrans',` |
| gen_require(` |
| type docker_var_lib_t; |
| ') |
| |
| filetrans_pattern($1, docker_var_lib_t, $2, $3, $4) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Read docker PID files. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_read_pid_files',` |
| gen_require(` |
| type docker_var_run_t; |
| ') |
| |
| files_search_pids($1) |
| read_files_pattern($1, docker_var_run_t, docker_var_run_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Execute docker server in the docker domain. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed to transition. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_systemctl',` |
| gen_require(` |
| type docker_t; |
| type docker_unit_file_t; |
| ') |
| |
| systemd_exec_systemctl($1) |
| init_reload_services($1) |
| systemd_read_fifo_file_passwd_run($1) |
| allow $1 docker_unit_file_t:file read_file_perms; |
| allow $1 docker_unit_file_t:service manage_service_perms; |
| |
| ps_process_pattern($1, docker_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Read and write docker shared memory. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_rw_sem',` |
| gen_require(` |
| type docker_t; |
| ') |
| |
| allow $1 docker_t:sem rw_sem_perms; |
| ') |
| |
| ####################################### |
| ## <summary> |
| ## Read and write the docker pty type. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_use_ptys',` |
| gen_require(` |
| type docker_devpts_t; |
| ') |
| |
| allow $1 docker_devpts_t:chr_file rw_term_perms; |
| ') |
| |
| ####################################### |
| ## <summary> |
| ## Allow domain to create docker content |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_filetrans_named_content',` |
| |
| gen_require(` |
| type docker_var_lib_t; |
| type docker_share_t; |
| type docker_log_t; |
| type docker_var_run_t; |
| type docker_home_t; |
| ') |
| |
| files_pid_filetrans($1, docker_var_run_t, file, "docker.pid") |
| files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock") |
| files_pid_filetrans($1, docker_var_run_t, dir, "docker-client") |
| logging_log_filetrans($1, docker_log_t, dir, "lxc") |
| files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker") |
| filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env") |
| filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts") |
| filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname") |
| filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf") |
| filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init") |
| userdom_admin_home_dir_filetrans($1, docker_home_t, dir, ".docker") |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Connect to docker over a unix stream socket. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_stream_connect',` |
| gen_require(` |
| type docker_t, docker_var_run_t; |
| ') |
| |
| files_search_pids($1) |
| stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Connect to SPC containers over a unix stream socket. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_spc_stream_connect',` |
| gen_require(` |
| type spc_t, spc_var_run_t; |
| ') |
| |
| files_search_pids($1) |
| files_write_all_pid_sockets($1) |
| allow $1 spc_t:unix_stream_socket connectto; |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## All of the rules required to administrate |
| ## an docker environment |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_admin',` |
| gen_require(` |
| type docker_t; |
| type docker_var_lib_t, docker_var_run_t; |
| type docker_unit_file_t; |
| type docker_lock_t; |
| type docker_log_t; |
| type docker_config_t; |
| ') |
| |
| allow $1 docker_t:process { ptrace signal_perms }; |
| ps_process_pattern($1, docker_t) |
| |
| admin_pattern($1, docker_config_t) |
| |
| files_search_var_lib($1) |
| admin_pattern($1, docker_var_lib_t) |
| |
| files_search_pids($1) |
| admin_pattern($1, docker_var_run_t) |
| |
| files_search_locks($1) |
| admin_pattern($1, docker_lock_t) |
| |
| logging_search_logs($1) |
| admin_pattern($1, docker_log_t) |
| |
| docker_systemctl($1) |
| admin_pattern($1, docker_unit_file_t) |
| allow $1 docker_unit_file_t:service all_service_perms; |
| |
| optional_policy(` |
| systemd_passwd_agent_exec($1) |
| systemd_read_fifo_file_passwd_run($1) |
| ') |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Execute docker_auth_exec_t in the docker_auth domain. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed to transition. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_auth_domtrans',` |
| gen_require(` |
| type docker_auth_t, docker_auth_exec_t; |
| ') |
| |
| corecmd_search_bin($1) |
| domtrans_pattern($1, docker_auth_exec_t, docker_auth_t) |
| ') |
| |
| ###################################### |
| ## <summary> |
| ## Execute docker_auth in the caller domain. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_auth_exec',` |
| gen_require(` |
| type docker_auth_exec_t; |
| ') |
| |
| corecmd_search_bin($1) |
| can_exec($1, docker_auth_exec_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Connect to docker_auth over a unix stream socket. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_auth_stream_connect',` |
| gen_require(` |
| type docker_auth_t, docker_plugin_var_run_t; |
| ') |
| |
| files_search_pids($1) |
| stream_connect_pattern($1, docker_plugin_var_run_t, docker_plugin_var_run_t, docker_auth_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## docker domain typebounds calling domain. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain to be typebound. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_typebounds',` |
| gen_require(` |
| type docker_t; |
| ') |
| |
| typebounds docker_t $1; |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Allow any docker_exec_t to be an entrypoint of this domain |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| ## <rolecap/> |
| # |
| interface(`docker_entrypoint',` |
| gen_require(` |
| type docker_exec_t; |
| ') |
| allow $1 docker_exec_t:file entrypoint; |
| ') |