| |
| ## <summary>The open-source application container engine.</summary> |
| |
| ######################################## |
| ## <summary> |
| ## Execute docker in the docker domain. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed to transition. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_domtrans',` |
| gen_require(` |
| type docker_t, docker_exec_t; |
| ') |
| |
| corecmd_search_bin($1) |
| domtrans_pattern($1, docker_exec_t, docker_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Execute docker in the caller domain. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed to transition. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_exec',` |
| gen_require(` |
| type docker_exec_t; |
| ') |
| |
| corecmd_search_bin($1) |
| can_exec($1, docker_exec_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Search docker lib directories. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_search_lib',` |
| gen_require(` |
| type docker_var_lib_t; |
| ') |
| |
| allow $1 docker_var_lib_t:dir search_dir_perms; |
| files_search_var_lib($1) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Execute docker lib directories. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_exec_lib',` |
| gen_require(` |
| type docker_var_lib_t; |
| ') |
| |
| allow $1 docker_var_lib_t:dir search_dir_perms; |
| can_exec($1, docker_var_lib_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Read docker lib files. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_read_lib_files',` |
| gen_require(` |
| type docker_var_lib_t; |
| ') |
| |
| files_search_var_lib($1) |
| read_files_pattern($1, docker_var_lib_t, docker_var_lib_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Read docker share files. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_read_share_files',` |
| gen_require(` |
| type docker_share_t; |
| ') |
| |
| files_search_var_lib($1) |
| read_files_pattern($1, docker_share_t, docker_share_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Manage docker lib files. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_manage_lib_files',` |
| gen_require(` |
| type docker_var_lib_t; |
| ') |
| |
| files_search_var_lib($1) |
| manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t) |
| manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Manage docker lib directories. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_manage_lib_dirs',` |
| gen_require(` |
| type docker_var_lib_t; |
| ') |
| |
| files_search_var_lib($1) |
| manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Create objects in a docker var lib directory |
| ## with an automatic type transition to |
| ## a specified private type. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| ## <param name="private_type"> |
| ## <summary> |
| ## The type of the object to create. |
| ## </summary> |
| ## </param> |
| ## <param name="object_class"> |
| ## <summary> |
| ## The class of the object to be created. |
| ## </summary> |
| ## </param> |
| ## <param name="name" optional="true"> |
| ## <summary> |
| ## The name of the object being created. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_lib_filetrans',` |
| gen_require(` |
| type docker_var_lib_t; |
| ') |
| |
| filetrans_pattern($1, docker_var_lib_t, $2, $3, $4) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Read docker PID files. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_read_pid_files',` |
| gen_require(` |
| type docker_var_run_t; |
| ') |
| |
| files_search_pids($1) |
| read_files_pattern($1, docker_var_run_t, docker_var_run_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Execute docker server in the docker domain. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed to transition. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_systemctl',` |
| gen_require(` |
| type docker_t; |
| type docker_unit_file_t; |
| ') |
| |
| systemd_exec_systemctl($1) |
| init_reload_services($1) |
| systemd_read_fifo_file_passwd_run($1) |
| allow $1 docker_unit_file_t:file read_file_perms; |
| allow $1 docker_unit_file_t:service manage_service_perms; |
| |
| ps_process_pattern($1, docker_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Read and write docker shared memory. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_rw_sem',` |
| gen_require(` |
| type docker_t; |
| ') |
| |
| allow $1 docker_t:sem rw_sem_perms; |
| ') |
| |
| ####################################### |
| ## <summary> |
| ## Read and write the docker pty type. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_use_ptys',` |
| gen_require(` |
| type docker_devpts_t; |
| ') |
| |
| allow $1 docker_devpts_t:chr_file rw_term_perms; |
| ') |
| |
| ####################################### |
| ## <summary> |
| ## Allow domain to create docker content |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_filetrans_named_content',` |
| |
| gen_require(` |
| type docker_var_lib_t; |
| type docker_share_t; |
| type docker_log_t; |
| type docker_var_run_t; |
| type docker_home_t; |
| ') |
| |
| files_pid_filetrans($1, docker_var_run_t, file, "docker.pid") |
| files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock") |
| files_pid_filetrans($1, docker_var_run_t, dir, "docker-client") |
| files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker") |
| filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env") |
| filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts") |
| filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname") |
| filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf") |
| filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init") |
| userdom_admin_home_dir_filetrans($1, docker_home_t, dir, ".docker") |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Connect to docker over a unix stream socket. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_stream_connect',` |
| gen_require(` |
| type docker_t, docker_var_run_t; |
| ') |
| |
| files_search_pids($1) |
| stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t) |
| ') |
| |
| ######################################## |
| ## <summary> |
| ## Connect to SPC containers over a unix stream socket. |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_spc_stream_connect',` |
| gen_require(` |
| type spc_t, spc_var_run_t; |
| ') |
| |
| files_search_pids($1) |
| files_write_all_pid_sockets($1) |
| allow $1 spc_t:unix_stream_socket connectto; |
| ') |
| |
| |
| ######################################## |
| ## <summary> |
| ## All of the rules required to administrate |
| ## an docker environment |
| ## </summary> |
| ## <param name="domain"> |
| ## <summary> |
| ## Domain allowed access. |
| ## </summary> |
| ## </param> |
| # |
| interface(`docker_admin',` |
| gen_require(` |
| type docker_t; |
| type docker_var_lib_t, docker_var_run_t; |
| type docker_unit_file_t; |
| type docker_lock_t; |
| type docker_log_t; |
| type docker_config_t; |
| ') |
| |
| allow $1 docker_t:process { ptrace signal_perms }; |
| ps_process_pattern($1, docker_t) |
| |
| admin_pattern($1, docker_config_t) |
| |
| files_search_var_lib($1) |
| admin_pattern($1, docker_var_lib_t) |
| |
| files_search_pids($1) |
| admin_pattern($1, docker_var_run_t) |
| |
| files_search_locks($1) |
| admin_pattern($1, docker_lock_t) |
| |
| logging_search_logs($1) |
| admin_pattern($1, docker_log_t) |
| |
| docker_systemctl($1) |
| admin_pattern($1, docker_unit_file_t) |
| allow $1 docker_unit_file_t:service all_service_perms; |
| |
| optional_policy(` |
| systemd_passwd_agent_exec($1) |
| systemd_read_fifo_file_passwd_run($1) |
| ') |
| ') |
| |
| interface(`domain_stub_named_filetrans_domain',` |
| gen_require(` |
| attribute named_filetrans_domain; |
| ') |
| ') |
| |
| interface(`lvm_stub',` |
| gen_require(` |
| type lvm_t; |
| ') |
| ') |
| interface(`staff_stub',` |
| gen_require(` |
| type staff_t; |
| ') |
| ') |
| interface(`virt_stub_svirt_sandbox_domain',` |
| gen_require(` |
| attribute svirt_sandbox_domain; |
| ') |
| ') |
| interface(`virt_stub_svirt_sandbox_file',` |
| gen_require(` |
| type svirt_sandbox_file_t; |
| ') |
| ') |
| interface(`fs_dontaudit_remount_tmpfs',` |
| gen_require(` |
| type tmpfs_t; |
| ') |
| |
| dontaudit $1 tmpfs_t:filesystem remount; |
| ') |
| interface(`dev_dontaudit_list_all_dev_nodes',` |
| gen_require(` |
| type device_t; |
| ') |
| |
| dontaudit $1 device_t:dir list_dir_perms; |
| ') |
| interface(`kernel_unlabeled_entry_type',` |
| gen_require(` |
| type unlabeled_t; |
| ') |
| |
| domain_entry_file($1, unlabeled_t) |
| ') |
| interface(`kernel_unlabeled_domtrans',` |
| gen_require(` |
| type unlabeled_t; |
| ') |
| |
| read_lnk_files_pattern($1, unlabeled_t, unlabeled_t) |
| domain_transition_pattern($1, unlabeled_t, $2) |
| type_transition $1 unlabeled_t:process $2; |
| ') |
| interface(`files_write_all_pid_sockets',` |
| gen_require(` |
| attribute pidfile; |
| ') |
| |
| allow $1 pidfile:sock_file write_sock_file_perms; |
| ') |
| interface(`dev_dontaudit_mounton_sysfs',` |
| gen_require(` |
| type sysfs_t; |
| ') |
| |
| dontaudit $1 sysfs_t:dir mounton; |
| ') |