4 Commits

Author SHA1 Message Date
Sebastiaan van Stijn
77bf85647c contrib: add docker_client SELinux policy module to access socket in container
When running the docker daemon with `--selinux-enabled`, access to the docker
socket is prevented by SELinux. To access the socket, the container must be
started with `--privileged`, with SELinux disabled (`--security-opt label=disable`),
or with (e.g.) `--security-opt label=type:container_runtime_t`, which gives
it access to files restricted to the runtime (`dockerd` daemon) itself.

While having access to the docker socket grants full `root` permissions on
the host (e.g. through starting a privileged container using the socket),
it may be preferable to restrict the container to just the socket.

This patch adds a `docker_client.process` SELinux CIL policy module that
defines a container domain (process type). It inherits the base container
template and grants the permissions needed to use the docker socket.

Without this (and the daemon running with `--selinux-enabled`):

    docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock docker:cli -H unix:///var/run/docker.sock version
    Client:
     Version:           28.4.0
     API version:       1.51
     Go version:        go1.24.7
     Git commit:        d8eb465
     Built:             Wed Sep  3 20:56:28 2025
     OS/Arch:           linux/amd64
     Context:           default
    permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.51/version": dial unix /var/run/docker.sock: connect: permission denied

With this:

    semodule -i /usr/share/udica/templates/base_container.cil
    semodule -i ./contrib/selinux/docker_client.cil

    docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock --security-opt label=type:docker_client.process docker:cli -H unix:///var/run/docker.sock version
    Client:
     Version:           28.4.0
     API version:       1.51
     Go version:        go1.24.7
     Git commit:        d8eb465
     Built:             Wed Sep  3 20:56:28 2025
     OS/Arch:           linux/amd64
     Context:           default

    Server: Docker Engine - Community
     Engine:
      Version:          28.4.0
      API version:      1.51 (minimum version 1.24)
      Go version:       go1.24.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-09-26 17:38:36 +02:00
Brian Goff
adb2ddf288 Rely on container-selinux for centos/fedora25/rhel
RH now provides `container-selinux` which provides everything we need
for docker's selinux policy. Rely on `container-selinux` where
available, and `docker-engine-selinux` when not.

This still builds the `docker-engine-selinux` package and presumably
makes it available, but is no longer a requirement in the
`docker-engine` package preferring `container-selinux` instead.

`container-selinux` is available on fedora24, however the version that
is available does not set the correct types on the `dockerd` binary. We
can use `container-selinux` and just supplement that with some of our
own policy, but for now just keep using `docker-engine-selinux` as is.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-05-01 11:23:18 -04:00
Brian Goff
ec9a05e5e2 Fix conflicts with newly updated selinux policies
The base selinux policies on centos/rhel/oraclelinux have all been
updated in a way that conflicts with the policies we install with
`docker-engine-selinux`. This patch fixes these conflicts.

In addition, it removes special cases for old/unsupported versions of
fedora in our selinux package, and changes to use a single minimum
version for the selinux base policy package, as this is the minimum
version required to use our selinux policy package.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-01-06 16:04:24 -05:00
Michael Crosby
32b1f26c51 Add selinux policy per distro
This adds the ability to have different profiles for individual distros
and versions of the distro because they all ship with and depend on
different versions of policy packages.

The `selinux` dir contains the unmodified policy that is being used
today. The `selinux-fedora` dir contains the new policy for fedora 24
with the changes for it to compile and work on the system.

The fedora policy is from commit 4a6ce94da5

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-08-04 14:29:22 -07:00