From fc7cc1cc75b68005ad161dad53d696696b5c5f9f Mon Sep 17 00:00:00 2001
From: Thomas Tanaka
Date: Thu, 2 Mar 2017 13:59:05 -0800
Subject: [PATCH] Update oracle linux selinux to match docker upstream

Add a dependency on specific selinux version for OL on docker-engine.spec
Signed-off-by: Thomas Tanaka
---
 .../docker-engine-selinux/LICENSE | 25 +-
 .../docker-engine-selinux/Makefile | 7 -
 .../docker-engine-selinux/docker.fc | 17 +-
 .../docker-engine-selinux/docker.if | 300 +++---------------
 .../docker-engine-selinux/docker.te | 158 +++------
 .../docker-engine-selinux/docker_selinux.8.gz | Bin 0 -> 2847 bytes
 .../.build-rpm/docker-engine-selinux.spec | 3 +
 hack/make/.build-rpm/docker-engine.spec | 7 +-
 8 files changed, 123 insertions(+), 394 deletions(-)
 create mode 100644 contrib/selinux-oraclelinux-7/docker-engine-selinux/docker_selinux.8.gz
diff --git a/contrib/selinux-oraclelinux-7/docker-engine-selinux/LICENSE b/contrib/selinux-oraclelinux-7/docker-engine-selinux/LICENSE
index d511905c16..5b6e7c66c2 100644
--- a/contrib/selinux-oraclelinux-7/docker-engine-selinux/LICENSE
+++ b/contrib/selinux-oraclelinux-7/docker-engine-selinux/LICENSE
@@ -1,8 +1,8 @@ GNU GENERAL PUBLIC LICENSE Version 2, June 1991 - Copyright (C) 1989, 1991 Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
@@ -15,7 +15,7 @@ software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by -the GNU Lesser General Public License instead.) You can apply it to +the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not @@ -55,7 +55,7 @@ patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. - + GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION @@ -110,7 +110,7 @@ above, provided that you also meet all of these conditions: License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) - + These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in @@ -168,7 +168,7 @@ access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. - + 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is 
@@ -225,7 +225,7 @@ impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. - + 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License @@ -278,7 +278,7 @@ PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS - + How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest @@ -303,9 +303,10 @@ the "copyright" line and a pointer to where the full notice is found. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - You should have received a copy of the GNU General Public License along - with this program; if not, write to the Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Also add information on how to contact you by electronic and paper mail. @@ -335,5 +336,5 @@ necessary. Here is a sample; alter the names: This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Lesser General +library. If this is what you want to do, use the GNU Library General Public License instead of this License. diff --git a/contrib/selinux-oraclelinux-7/docker-engine-selinux/Makefile b/contrib/selinux-oraclelinux-7/docker-engine-selinux/Makefile index 16df33ef32..1bdc695afe 100644 
--- a/contrib/selinux-oraclelinux-7/docker-engine-selinux/Makefile +++ b/contrib/selinux-oraclelinux-7/docker-engine-selinux/Makefile @@ -14,10 +14,3 @@ all: ${TARGETS:=.pp.bz2} clean: rm -f *~ *.tc *.pp *.pp.bz2 rm -rf tmp *.tar.gz - -man: install - sepolicy manpage --domain ${TARGETS}_t - -install: - semodule -i ${TARGETS} - diff --git a/contrib/selinux-oraclelinux-7/docker-engine-selinux/docker.fc b/contrib/selinux-oraclelinux-7/docker-engine-selinux/docker.fc index 10b7d52a8b..467d659604 100644 --- a/contrib/selinux-oraclelinux-7/docker-engine-selinux/docker.fc +++ b/contrib/selinux-oraclelinux-7/docker-engine-selinux/docker.fc 
@@ -1,33 +1,18 @@ /root/\.docker gen_context(system_u:object_r:docker_home_t,s0) -/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0) -/usr/bin/docker-novolume-plugin -- gen_context(system_u:object_r:docker_auth_exec_t,s0) -/usr/lib/docker/docker-novolume-plugin -- gen_context(system_u:object_r:docker_auth_exec_t,s0) +/usr/bin/dockerd -- gen_context(system_u:object_r:docker_exec_t,s0) /usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0) -/usr/lib/systemd/system/docker-novolume-plugin.service -- gen_context(system_u:object_r:docker_unit_file_t,s0) /etc/docker(/.*)? gen_context(system_u:object_r:docker_config_t,s0) /var/lib/docker(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0) -/var/lib/kublet(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0) -/var/lib/docker/vfs(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0) -/var/run/docker(/.*)? gen_context(system_u:object_r:docker_var_run_t,s0) /var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0) /var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0) /var/run/docker-client(/.*)? gen_context(system_u:object_r:docker_var_run_t,s0) -/var/run/docker/plugins(/.*)? gen_context(system_u:object_r:docker_plugin_var_run_t,s0) - -/var/lock/lxc(/.*)? gen_context(system_u:object_r:docker_lock_t,s0) - -/var/log/lxc(/.*)? gen_context(system_u:object_r:docker_log_t,s0) /var/lib/docker/init(/.*)? gen_context(system_u:object_r:docker_share_t,s0) /var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:docker_share_t,s0) /var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:docker_share_t,s0) /var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0) - -# OL7.2 systemd selinux update -/var/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0) -/var/lib/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_lib_t,s0) 
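Review bot: Replacing the `/usr/bin/docker` context with `/usr/bin/dockerd` leaves the client binary without `docker_exec_t`, while the same patch adds `docker_exec(staff_t)` in docker.te, so that grant now only covers executing the daemon; confirm the CLI is meant to run as a plain `bin_t` program. Removing `/var/run/docker(/.*)?` also drops the context for the `/var/run/docker` directory itself although `docker\.pid`, `docker\.sock` and `docker-client` keep theirs; unless a file transition elsewhere in the module covers that directory, whatever the daemon creates under it presumably ends up with the generic pid-directory label rather than `docker_var_run_t`. A one-line comment above the new entry, `# dockerd only: the docker CLI is not given docker_exec_t`, would make the first change read as intentional.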
diff --git a/contrib/selinux-oraclelinux-7/docker-engine-selinux/docker.if b/contrib/selinux-oraclelinux-7/docker-engine-selinux/docker.if index 4780af05f7..ca075c05c5 100644 --- a/contrib/selinux-oraclelinux-7/docker-engine-selinux/docker.if +++ b/contrib/selinux-oraclelinux-7/docker-engine-selinux/docker.if @@ -112,28 +112,7 @@ interface(`docker_read_share_files',` ') files_search_var_lib($1) - list_dirs_pattern($1, docker_share_t, docker_share_t) read_files_pattern($1, docker_share_t, docker_share_t) - read_lnk_files_pattern($1, docker_share_t, docker_share_t) -') - -###################################### -## -## Allow the specified domain to execute docker shared files -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`docker_exec_share_files',` - gen_require(` - type docker_share_t; - ') - - can_exec($1, docker_share_t) ') ######################################## @@ -305,7 +284,7 @@ interface(`docker_filetrans_named_content',` gen_require(` type docker_var_lib_t; type docker_share_t; - type docker_log_t; + type docker_log_t; type docker_var_run_t; type docker_home_t; ') @@ -313,7 +292,6 @@ interface(`docker_filetrans_named_content',` files_pid_filetrans($1, docker_var_run_t, file, "docker.pid") files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock") files_pid_filetrans($1, docker_var_run_t, dir, "docker-client") - logging_log_filetrans($1, docker_log_t, dir, "lxc") files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker") filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env") filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts") @@ -362,6 +340,7 @@ interface(`docker_spc_stream_connect',` allow $1 spc_t:unix_stream_socket connectto; ') + ######################################## ## ## All of the rules required to administrate 
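Review bot: `docker_read_share_files` keeps only `read_files_pattern`, dropping `list_dirs_pattern` and `read_lnk_files_pattern`, yet docker.fc in this patch still labels the directory tree `/var/lib/docker/init(/.*)?` as `docker_share_t`, so callers such as the `docker_read_share_files(svirt_sandbox_domain)` added in docker.te can read files under it but no longer list it or follow symlinks there. If that tree is no longer used, its docker.fc entry should go too; if it is, the `list_dirs_pattern($1, docker_share_t, docker_share_t)` line should stay. Either way the interface's `## ` summary above the hunk should now say `## Read docker shared files (regular files only; directories and symlinks are not covered).` so the narrowed contract is documented. The enclosing interface starts above this hunk.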
@@ -410,250 +389,73 @@ interface(`docker_admin',` ') ') -######################################## -## -## Execute docker_auth_exec_t in the docker_auth domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`docker_auth_domtrans',` +interface(`domain_stub_named_filetrans_domain',` + gen_require(` + attribute named_filetrans_domain; + ') +') + +interface(`lvm_stub',` + gen_require(` + type lvm_t; + ') +') +interface(`staff_stub',` + gen_require(` + type staff_t; + ') +') +interface(`virt_stub_svirt_sandbox_domain',` gen_require(` - type docker_auth_t, docker_auth_exec_t; + attribute svirt_sandbox_domain; + ') +') +interface(`virt_stub_svirt_sandbox_file',` + gen_require(` + type svirt_sandbox_file_t; + ') +') +interface(`fs_dontaudit_remount_tmpfs',` + gen_require(` + type tmpfs_t; ') - corecmd_search_bin($1) - domtrans_pattern($1, docker_auth_exec_t, docker_auth_t) + dontaudit $1 tmpfs_t:filesystem remount; ') - -###################################### -## -## Execute docker_auth in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`docker_auth_exec',` +interface(`dev_dontaudit_list_all_dev_nodes',` gen_require(` - type docker_auth_exec_t; + type device_t; ') - corecmd_search_bin($1) - can_exec($1, docker_auth_exec_t) + dontaudit $1 device_t:dir list_dir_perms; ') - -######################################## -## -## Connect to docker_auth over a unix stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`docker_auth_stream_connect',` +interface(`kernel_unlabeled_entry_type',` gen_require(` - type docker_auth_t, docker_plugin_var_run_t; + type unlabeled_t; ') - files_search_pids($1) - stream_connect_pattern($1, docker_plugin_var_run_t, docker_plugin_var_run_t, docker_auth_t) + domain_entry_file($1, unlabeled_t) ') - -######################################## -## -## docker domain typebounds calling domain. -## -## -## -## Domain to be typebound. 
-## -## -# -interface(`docker_typebounds',` +interface(`kernel_unlabeled_domtrans',` gen_require(` - type docker_t; + type unlabeled_t; ') - typebounds docker_t $1; + read_lnk_files_pattern($1, unlabeled_t, unlabeled_t) + domain_transition_pattern($1, unlabeled_t, $2) + type_transition $1 unlabeled_t:process $2; ') - -######################################## -## -## Allow any docker_exec_t to be an entrypoint of this domain -## -## -## -## Domain allowed access. -## -## -## -# -interface(`docker_entrypoint',` +interface(`files_write_all_pid_sockets',` gen_require(` - type docker_exec_t; + attribute pidfile; ') - allow $1 docker_exec_t:file entrypoint; + + allow $1 pidfile:sock_file write_sock_file_perms; ') +interface(`dev_dontaudit_mounton_sysfs',` + gen_require(` + type sysfs_t; + ') -######################################## -## -## Send and receive messages from -## systemd machined over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`systemd_dbus_chat_machined',` - gen_require(` - type systemd_machined_t; - class dbus send_msg; - ') - - allow $1 systemd_machined_t:dbus send_msg; - allow systemd_machined_t $1:dbus send_msg; - ps_process_pattern(systemd_machined_t, $1) + dontaudit $1 sysfs_t:dir mounton; ') - -######################################## -## -## Allow any svirt_sandbox_file_t to be an entrypoint of this domain -## -## -## -## Domain allowed access. -## -## -## -# -interface(`virt_sandbox_entrypoint',` - gen_require(` - type svirt_sandbox_file_t; - ') - allow $1 svirt_sandbox_file_t:file entrypoint; -') - -######################################## -## -## Send and receive messages from -## virt over dbus. -## -## -## -## Domain allowed access. 
-## -## -# -interface(`virt_dbus_chat',` - gen_require(` - type virtd_t; - class dbus send_msg; - ') - - allow $1 virtd_t:dbus send_msg; - allow virtd_t $1:dbus send_msg; - ps_process_pattern(virtd_t, $1) -') - -####################################### -## -## Read the process state of virt sandbox containers -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_sandbox_read_state',` - gen_require(` - attribute svirt_sandbox_domain; - ') - - ps_process_pattern($1, svirt_sandbox_domain) -') - -###################################### -## -## Send a signal to sandbox domains -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_signal_sandbox',` - gen_require(` - attribute svirt_sandbox_domain; - ') - - allow $1 svirt_sandbox_domain:process signal; -') - -####################################### -## -## Getattr Sandbox File systems -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_getattr_sandbox_filesystem',` - gen_require(` - type svirt_sandbox_file_t; - ') - - allow $1 svirt_sandbox_file_t:filesystem getattr; -') - -####################################### -## -## Read Sandbox Files -## -## -## -## Domain allowed access. -## -## -# -interface(`virt_read_sandbox_files',` - gen_require(` - type svirt_sandbox_file_t; - ') - - list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) - read_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) - read_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) -') - -####################################### -## -## Read the process state of spc containers -## -## -## -## Domain allowed access. -## -## -# -interface(`docker_spc_read_state',` - gen_require(` - type spc_t; - ') - - ps_process_pattern($1, spc_t) -') - diff --git a/contrib/selinux-oraclelinux-7/docker-engine-selinux/docker.te b/contrib/selinux-oraclelinux-7/docker-engine-selinux/docker.te index d4de36fe46..bad0bb6e4c 100644 --- a/contrib/selinux-oraclelinux-7/docker-engine-selinux/docker.te 
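Review bot: The eleven interfaces added in this hunk, from `domain_stub_named_filetrans_domain` to `dev_dontaudit_mounton_sysfs`, have no `## ` summary or parameter blocks, although every interface they replace and the other interfaces visible in docker.if carry one; each should get at least a one-line summary, e.g. `## Stub: pull lvm_t into scope when the base policy does not export it.` for the `*_stub` ones. `kernel_unlabeled_domtrans` in particular, which sets up `domain_transition_pattern($1, unlabeled_t, $2)` and a `type_transition` on `unlabeled_t`, deserves a comment explaining why a domain transition through an unlabeled entry file is acceptable here, since that is normally something a policy avoids. The names `fs_dontaudit_remount_tmpfs`, `dev_dontaudit_mounton_sysfs` and `files_write_all_pid_sockets` look like interfaces that newer base policies export themselves; if so, building this module against such a policy defines them twice, which is worth a `# local copy for base policies that lack it` comment so a future maintainer knows when they can be removed.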
+++ b/contrib/selinux-oraclelinux-7/docker-engine-selinux/docker.te @@ -23,10 +23,6 @@ type spc_t; domain_type(spc_t) role system_r types spc_t; -type docker_auth_t; -type docker_auth_exec_t; -init_daemon_domain(docker_auth_t, docker_auth_exec_t) - type spc_var_run_t; files_pid_file(spc_var_run_t) @@ -54,9 +50,6 @@ files_tmpfs_file(docker_tmpfs_t) type docker_var_run_t; files_pid_file(docker_var_run_t) -type docker_plugin_var_run_t; -files_pid_file(docker_plugin_var_run_t) - type docker_unit_file_t; systemd_unit_file(docker_unit_file_t) @@ -66,20 +59,6 @@ term_pty(docker_devpts_t) type docker_share_t; files_type(docker_share_t) -# OL7 systemd selinux update -type systemd_machined_t; -type systemd_machined_exec_t; -init_daemon_domain(systemd_machined_t, systemd_machined_exec_t) - -# /run/systemd/machines -type systemd_machined_var_run_t; -files_pid_file(systemd_machined_var_run_t) - -# /var/lib/machines -type systemd_machined_var_lib_t; -files_type(systemd_machined_var_lib_t) - - ######################################## # # docker local policy @@ -93,8 +72,6 @@ allow docker_t self:tcp_socket create_stream_socket_perms; allow docker_t self:udp_socket create_socket_perms; allow docker_t self:capability2 block_suspend; -docker_auth_stream_connect(docker_t) - manage_files_pattern(docker_t, docker_home_t, docker_home_t) manage_dirs_pattern(docker_t, docker_home_t, docker_home_t) manage_lnk_files_pattern(docker_t, docker_home_t, docker_home_t) @@ -106,7 +83,6 @@ files_etc_filetrans(docker_t, docker_config_t, dir, "docker") manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t) manage_files_pattern(docker_t, docker_lock_t, docker_lock_t) -files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc") manage_dirs_pattern(docker_t, docker_log_t, docker_log_t) manage_files_pattern(docker_t, docker_log_t, docker_log_t) 
@@ -229,10 +205,6 @@ optional_policy(` openvswitch_stream_connect(docker_t) ') -# -# lxc rules -# - allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace }; allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms }; @@ -314,7 +286,6 @@ optional_policy(` optional_policy(` systemd_dbus_chat_logind(docker_t) - systemd_dbus_chat_machined(docker_t) ') optional_policy(` @@ -326,11 +297,6 @@ optional_policy(` udev_read_db(docker_t) ') -optional_policy(` - unconfined_domain(docker_t) - # unconfined_typebounds(docker_t) -') - optional_policy(` virt_read_config(docker_t) virt_exec(docker_t) @@ -339,12 +305,10 @@ optional_policy(` virt_exec_sandbox_files(docker_t) virt_manage_sandbox_files(docker_t) virt_relabel_sandbox_filesystem(docker_t) - # for lxc virt_transition_svirt_sandbox(docker_t, system_r) virt_mounton_sandbox_file(docker_t) # virt_attach_sandbox_tun_iface(docker_t) allow docker_t svirt_sandbox_domain:tun_socket relabelfrom; - virt_sandbox_entrypoint(docker_t) ') tunable_policy(`docker_connect_any',` @@ -357,19 +321,17 @@ tunable_policy(`docker_connect_any',` # # spc local policy # -allow spc_t { docker_var_lib_t docker_share_t }:file entrypoint; +domain_entry_file(spc_t, docker_share_t) +domain_entry_file(spc_t, docker_var_lib_t) role system_r types spc_t; +domain_entry_file(spc_t, docker_share_t) +domain_entry_file(spc_t, docker_var_lib_t) domtrans_pattern(docker_t, docker_share_t, spc_t) domtrans_pattern(docker_t, docker_var_lib_t, spc_t) allow docker_t spc_t:process { setsched signal_perms }; ps_process_pattern(docker_t, spc_t) allow docker_t spc_t:socket_class_set { relabelto relabelfrom }; -filetrans_pattern(docker_t, docker_var_lib_t, docker_share_t, dir, "overlay") - -optional_policy(` - systemd_dbus_chat_machined(spc_t) -') optional_policy(` dbus_chat_system_bus(spc_t) 
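Review bot: In the spc local policy hunk, `domain_entry_file(spc_t, docker_share_t)` and `domain_entry_file(spc_t, docker_var_lib_t)` appear twice, once before and once after `role system_r types spc_t;`; the second pair is redundant and should be removed. The pair that stays also grants more than the `allow spc_t { docker_var_lib_t docker_share_t }:file entrypoint;` rule it replaces, since refpolicy's `domain_entry_file()` additionally tags the file type as an entry type and allows mapping and executing it, so a short comment, `# entrypoint + exec on docker lib/share files (domain_entry_file is wider than plain entrypoint)`, would record that the widening is intentional.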
@@ -379,87 +341,67 @@ optional_policy(` unconfined_domain_noaudit(spc_t) ') +optional_policy(` + unconfined_domain(docker_t) +') + optional_policy(` virt_transition_svirt_sandbox(spc_t, system_r) - virt_sandbox_entrypoint(spc_t) ') ######################################## # -# docker_auth local policy +# docker upstream policy # -allow docker_auth_t self:fifo_file rw_fifo_file_perms; -allow docker_auth_t self:unix_stream_socket create_stream_socket_perms; -dontaudit docker_auth_t self:capability net_admin; - -docker_stream_connect(docker_auth_t) - -manage_dirs_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t) -manage_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t) -manage_sock_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t) -manage_lnk_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t) -files_pid_filetrans(docker_auth_t, docker_plugin_var_run_t, { dir file lnk_file sock_file }) - -domain_use_interactive_fds(docker_auth_t) - -kernel_read_net_sysctls(docker_auth_t) - -auth_use_nsswitch(docker_auth_t) - -files_read_etc_files(docker_auth_t) - -miscfiles_read_localization(docker_auth_t) - -sysnet_dns_name_resolve(docker_auth_t) - -######################################## -# -# OL7.2 systemd selinux update -# systemd_machined local policy -# -allow systemd_machined_t self:capability { dac_override setgid sys_admin sys_chroot sys_ptrace }; -allow systemd_machined_t systemd_unit_file_t:service { status start }; -allow systemd_machined_t self:unix_dgram_socket create_socket_perms; - -manage_dirs_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t) -manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t) -manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t) -init_pid_filetrans(systemd_machined_t, systemd_machined_var_run_t, dir, "machines") - 
-manage_dirs_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t) -manage_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t) -manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t) -init_var_lib_filetrans(systemd_machined_t, systemd_machined_var_lib_t, dir, "machines") - -kernel_dgram_send(systemd_machined_t) -# This is a bug, but need for now. -kernel_read_unlabeled_state(systemd_machined_t) - -init_dbus_chat(systemd_machined_t) -init_status(systemd_machined_t) - -userdom_dbus_send_all_users(systemd_machined_t) - -term_use_ptmx(systemd_machined_t) optional_policy(` - dbus_connect_system_bus(systemd_machined_t) - dbus_system_bus_client(systemd_machined_t) +# domain_stub_named_filetrans_domain() + gen_require(` + attribute named_filetrans_domain; + ') + + docker_filetrans_named_content(named_filetrans_domain) ') optional_policy(` - docker_read_share_files(systemd_machined_t) - docker_spc_read_state(systemd_machined_t) + lvm_stub() + docker_rw_sem(lvm_t) ') optional_policy(` - virt_dbus_chat(systemd_machined_t) - virt_sandbox_read_state(systemd_machined_t) - virt_signal_sandbox(systemd_machined_t) - virt_stream_connect_sandbox(systemd_machined_t) - virt_rw_svirt_dev(systemd_machined_t) - virt_getattr_sandbox_filesystem(systemd_machined_t) - virt_read_sandbox_files(systemd_machined_t) + staff_stub() + docker_stream_connect(staff_t) + docker_exec(staff_t) ') +optional_policy(` + virt_stub_svirt_sandbox_domain() + virt_stub_svirt_sandbox_file() + allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms; + docker_read_share_files(svirt_sandbox_domain) + docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) + docker_use_ptys(svirt_sandbox_domain) + docker_spc_stream_connect(svirt_sandbox_domain) + fs_list_tmpfs(svirt_sandbox_domain) + fs_rw_hugetlbfs_files(svirt_sandbox_domain) + 
fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) + dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) + tunable_policy(`virt_sandbox_use_fusefs',` + fs_manage_fusefs_dirs(svirt_sandbox_domain) + fs_manage_fusefs_files(svirt_sandbox_domain) + fs_manage_fusefs_symlinks(svirt_sandbox_domain) + ') + gen_require(` + attribute domain; + ') + + dontaudit svirt_sandbox_domain domain:key {search link}; +') + +optional_policy(` + gen_require(` + type pcp_pmcd_t; + ') + docker_manage_lib_files(pcp_pmcd_t) +') 
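Review bot: The first `optional_policy` block in the docker upstream section comments out `domain_stub_named_filetrans_domain()` and inlines its `gen_require`, while the following blocks call `lvm_stub()`, `staff_stub()` and the `virt_stub_*()` interfaces; docker.if in this patch defines that stub, so the block should call it the same way, `domain_stub_named_filetrans_domain()`, and drop the commented-out line. `docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)` is missing the space after the first comma that every other call in the hunk has. `unconfined_domain(docker_t)` is added back here after the hunk at -326 removed it, which reads as a tightening until one reaches this hunk; a comment, `# docker_t remains an unconfined domain, as in upstream`, would avoid that. The last block grants `docker_manage_lib_files(pcp_pmcd_t)`, i.e. write access for the PCP collector to docker's lib files, without saying why read access is not enough; a one-line justification belongs above it.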
diff --git a/contrib/selinux-oraclelinux-7/docker-engine-selinux/docker_selinux.8.gz b/contrib/selinux-oraclelinux-7/docker-engine-selinux/docker_selinux.8.gz new file mode 100644 index 0000000000000000000000000000000000000000..ab5d59445ac1601ca378aaa3e71fb9cff43a1592 GIT binary patch literal 2847 zcmV+)3*hu0iwFo7v)okz17vSwYh`j@b7gF4ZgqGrH~__3TaVke5`I4V6@*`!6l=S| zL4lsU6wa>G7)ZQ6Yo}<61q526ZDJ)-B`NQ^I6wZ(@S=+?ue_UwK6D$4GsAB#9L|h1 zT74p9kjmtNshEi^7cAB+)14KO+rU$c!fk;-5#O zmV?vz9JoRUq(p7=UrB&Q;!Mydm$39gew3ZrB;ilS8)GkXHjhLJ~Z zb`9~dA;BW%P_PmCCQFh~L6RLy9thu%13cK#JwqnV8WL401Q%PfK6v5y10~;YJ{0bIQB&IB4h8PX!L;;nhe>W6UN2*vY){HP=m;wW%^*n~)VL%-lM6=;wQLDcf$Tqah4DzZ&A-OQ5 zpk}9!d<;9LGN)V+s;qrrJQSwpk3}bnLm)E<+bWW&HyOZUN+Z8! zrYvwTu1*6Pt*!k*0iAMYb~43Bh141ajx6w1(;G*YMQ=Hqr`EP^4~)I(9~ggC#Eqs? zD{L+egeI(L1_4dCa15BrIqU}t4{6QdV-7S)QIVWJI5#x+uY;!+G9tCH0HBZ%Sxi)C z8$>lWY$jj8Y28@j&axe-pr4r%%d53zgn1bWHS|f79H5xC)H0jgI zs0uU)bj^^I3>RHe-bFS9yYM?pRYwLc4Vmq2q_6juX;@({ab1JGR{4 zfw)WDORWuVA|@%o>a>8w)TaS@706>x{ypfAMZF9;#_*bFSi{*fL({Pf9G43qVP2w% zIefPU=Gn9DQa}6`GQB;xg;6xIw?0G;TbJ9dJ-0w6?P0F2$a6Y?)YuAX#LrY*3cta9 znbBSK62e9L9P1w1f-7Y@QM`a6_IzSR@_3V?)m{U-#s5;+q3R`&mIcd5CTWU?x6D`% zV8;+6L+lw|cO#sY_EKF!`4838h8Nl%`!hOJ>#s0)&D)<2@%Y(r-jGtktqviMNwER^ z48UzB*EEZ@e$}nh;O;eIRpUakf#QQ=iR`XhC_rrG0lrx?CC@<(%RcL-uQ2I}h+fpL z9caOv&z5Hp3f=+ka%(o(UvEx4okAy2e(WgrYB{7zbvTC@2yGVCyZlv@2@b z=9Ay1H{|2&^EC99RZZMk!DF%LI|5gCWOU6CMOBv8JxJALYABUav}-9d4&F+u4l=Z! 
zt$tIpHaGSo&AtLQ{yMwy<-K68`LOBhW^!G%4q$9F$y%XFlC6?ufnD{##t<;$jUKy4 zmY|~YRRVg>(K3^a{nIz&(T{I`?WEsR6=!_ySm4JPevFGmrwyKZ;Z$C|CJP8Jt~=KX zH>2s6DdEf(n*uUl@{rz-3Z5RXd1H00sjUle)ye1-ZW8H-mPzWaX2Z92 z2)V}{CiL_>nKMVNq%`CEQ5d3}lA>0PK!ac7>?t`f8d{Df`Sy8gn~~aa>{ftd?6kTc zF|j|25>LYg?~WqBj^i1)>7ay0aXYDvzLZeVoOJ<)sByEhPdb$d6PF5P+?nTA#c=PA@scfsdyQ}Y5_8NS&t1%dCZ80_lCjU~9q zjg5~^n4io*sRMUjw&e-&PXRHliX zY20}XrJnZnS;I@=y@9J_Lt)mmQkSDND_Fue2MBz)TLn7JCJNW?r(tTxn%2Mxv7ZB5 zT8-6m%Jsu2I&X4wlF-Qy)}Z;JzP3%3&VP8`3&%{68=F@ZwA>hn8)wGbGNbs`rvOw+Ii6L#f+~(-Xebl9tVa4Q=RZL4J-Fm?7Us&zIL%JG!WlDgL{mh6HshYGQfieib=4EQndS1#f<%XMS1_3R~RknrMThpB*A zCYMWHDccRA1lxy7yBA1<_@xnpti)d@-AL;Gr58s<`kYA`A6_^qr^Q>}F{(R=iy*ms z_mz-vzy~*6=s#M}x=+}dR_%&(wP_tsZHrdF6ek~>)suhy9Ri#~Hp*p+-+449V#y8* z2Vd{B>(20^n+gC1%*l?5Ejz8!n$?sqc{{6|sNQ9TW$Yu)$1I|Q6&gyDs=UJFgs-`Q z0ehv#<~$8HY8O8d4mOJ-J2c8J|4Myuef#ALRG`bj8C+l}nrYeoSfF~{9fp7{rG2HY zM<;c3{cS*>;P9>+Vg|o4pzX0HSg7$y!pS!7-9zUVZUj6|-4GUXvo>%SjTOt~zIt=- z-(4J4q<(_iha62Dz7?pde3zq!?w%O>PqiXYgOcCA&On092;Ebjh1w>3&(N6b`qqva z_kj(bC9a^$msVm=VkX>UOUv6-Ye@!LXc8$>j6$ xb`W`pZ+>}u< %global selinux_policyver 3.13.1-102 +%if 0%{?oraclelinux} >= 7 +%global selinux_policyver 3.13.1-102.0.3.el7_3.15 +%endif # oraclelinux 7 %global selinuxtype targeted %global moduletype services %global modulenames docker diff --git a/hack/make/.build-rpm/docker-engine.spec b/hack/make/.build-rpm/docker-engine.spec index 99a7db62e3..a31c1bd7f2 100644 --- a/hack/make/.build-rpm/docker-engine.spec +++ b/hack/make/.build-rpm/docker-engine.spec 
@@ -84,9 +84,12 @@ Requires: device-mapper >= 1.02.90-2 %if 0%{?fedora} >= 22 %global selinux_policyver 3.13.1-128 %endif # fedora 22 -%if 0%{?centos} >= 7 || 0%{?rhel} >= 7 || 0%{?oraclelinux} >= 7 +%if 0%{?centos} >= 7 || 0%{?rhel} >= 7 %global selinux_policyver 3.13.1-23 -%endif # centos,oraclelinux 7 +%endif # centos,rhel 7 +%if 0%{?oraclelinux} >= 7 +%global selinux_policyver 3.13.1-102.0.3.el7_3.15 +%endif # oraclelinux 7 %endif # with_selinux # RE: rhbz#1195804 - ensure min NVR for selinux-policy
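Review bot: The new `%if 0%{?oraclelinux} >= 7` block only takes effect because it is evaluated after the `centos`/`rhel` block: Oracle Linux build roots commonly define `%rhel` as well, in which case both conditions are true and the later `%global selinux_policyver` silently wins; confirm `%rhel` is set there, and if it is, guard the ordering with a comment, `# keep after the rhel block: OL also defines %rhel and the last %global wins`. The same literal `3.13.1-102.0.3.el7_3.15` is set in docker-engine-selinux.spec in this patch, so the floor now lives in two files; the comment should also name which selinux-policy change this errata release is needed for so the two pins can be kept in step. The `Requires:` line that consumes `selinux_policyver` is outside the hunk.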