commit:     4c30d6c3518839622475b09cd70011ad9bb6f757
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Jan 24 22:34:27 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:15:06 2022 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4c30d6c3

docker: make rootlesskit optional

Avoid a potential build error and circular dependency by making
rootlesskit optional. Note that rootlesskit is still required in order
for rootless docker to function.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/docker.if | 10 +++++++---
 policy/modules/services/docker.te |  6 ++++--
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/policy/modules/services/docker.if 
b/policy/modules/services/docker.if
index c3ac8174..532fa441 100644
--- a/policy/modules/services/docker.if
+++ b/policy/modules/services/docker.if
@@ -178,8 +178,6 @@ template(`docker_user_role',`
        docker_run_user_daemon($3, $4)
        docker_run_user_cli($3, $4)
 
-       rootlesskit_role($1, $2, $3, $4)
-
        ifdef(`init_systemd',`
                systemd_user_daemon_domain($1, dockerd_exec_t, dockerd_user_t)
                systemd_user_send_systemd_notify($1, dockerd_user_t)
@@ -188,6 +186,10 @@ template(`docker_user_role',`
        optional_policy(`
                dbus_spec_session_bus_client($1, dockerd_user_t)
        ')
+
+       optional_policy(`
+               rootlesskit_role($1, $2, $3, $4)
+       ')
 ')
 
 ########################################
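Review bot: The rootlesskit_role call inside the new optional_policy block of docker_user_role is now silently skipped when the rootlesskit module is not loaded, but nothing in the template's own documentation (its `## <summary>` header lies before this hunk) tells a caller that rootless operation still depends on it. The commit message states that rootlesskit remains required for rootless docker to function, so that dependency belongs in the .if file as well; a short comment inside the block, `# rootlesskit is still required for rootless docker; optional only to avoid a circular build dependency`, would keep it visible to whoever calls this template. The same applies to the docker_admin hunk below, where rootlesskit_run is wrapped the same way. The enclosing template starts before this hunk.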
@@ -229,5 +231,7 @@ interface(`docker_signal_user_daemon',`
 interface(`docker_admin',`
        docker_run_cli($1, $2)
 
-       rootlesskit_run($1, $2)
+       optional_policy(`
+               rootlesskit_run($1, $2)
+       ')
 ')

diff --git a/policy/modules/services/docker.te 
b/policy/modules/services/docker.te
index 0e2e2e68..bb5eeb49 100644
--- a/policy/modules/services/docker.te
+++ b/policy/modules/services/docker.te
@@ -125,8 +125,6 @@ mount_exec(dockerd_user_t)
 container_setattr_container_ptys(dockerd_user_t)
 container_use_container_ptys(dockerd_user_t)
 
-rootlesskit_exec(dockerd_user_t)
-
 ifdef(`init_systemd',`
        systemd_search_user_runtime(dockerd_user_t)
        systemd_write_user_runtime_socket(dockerd_user_t)
@@ -140,6 +138,10 @@ optional_policy(`
        dbus_write_session_runtime_socket(dockerd_user_t)
 ')
 
+optional_policy(`
+       rootlesskit_exec(dockerd_user_t)
+')
+
 ########################################
 #
 # Rootless Docker CLI local policy
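Review bot: The new optional_policy block around rootlesskit_exec(dockerd_user_t) moves the failure from build time to run time, and the block carries no comment saying so. Given the commit message's note that rootlesskit is still required for rootless docker, I would add `# rootless docker cannot start without rootlesskit; optional only to break the docker/rootlesskit build dependency` above the call, so that an operator who presumably sees an execute denial on rootlesskit from dockerd_user_t knows to enable the module rather than read it as an unexpected access attempt. The preceding docker.te hunk is the matching removal and needs nothing further.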
