[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

Jason Zaman Sat, 29 Jan 2022 17:22:58 -0800

commit:     4c30d6c3518839622475b09cd70011ad9bb6f757
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Jan 24 22:34:27 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:15:06 2022 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4c30d6c3


docker: make rootlesskit optional

Avoid a potential build error and circular dependency by making
rootlesskit optional. Note that rootlesskit is still required in order
for rootless docker to function.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/docker.if | 10 +++++++---
 policy/modules/services/docker.te |  6 ++++--
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/policy/modules/services/docker.if 
b/policy/modules/services/docker.if
index c3ac8174..532fa441 100644
--- a/policy/modules/services/docker.if
+++ b/policy/modules/services/docker.if
@@ -178,8 +178,6 @@ template(`docker_user_role',`
        docker_run_user_daemon($3, $4)
        docker_run_user_cli($3, $4)
 
-       rootlesskit_role($1, $2, $3, $4)
-
        ifdef(`init_systemd',`
                systemd_user_daemon_domain($1, dockerd_exec_t, dockerd_user_t)
                systemd_user_send_systemd_notify($1, dockerd_user_t)
@@ -188,6 +186,10 @@ template(`docker_user_role',`
        optional_policy(`
                dbus_spec_session_bus_client($1, dockerd_user_t)
        ')
+
+       optional_policy(`
+               rootlesskit_role($1, $2, $3, $4)
+       ')
 ')
 
 ########################################
@@ -229,5 +231,7 @@ interface(`docker_signal_user_daemon',`
 interface(`docker_admin',`
        docker_run_cli($1, $2)
 
-       rootlesskit_run($1, $2)
+       optional_policy(`
+               rootlesskit_run($1, $2)
+       ')
 ')

diff --git a/policy/modules/services/docker.te 
b/policy/modules/services/docker.te
index 0e2e2e68..bb5eeb49 100644
--- a/policy/modules/services/docker.te
+++ b/policy/modules/services/docker.te
@@ -125,8 +125,6 @@ mount_exec(dockerd_user_t)
 container_setattr_container_ptys(dockerd_user_t)
 container_use_container_ptys(dockerd_user_t)
 
-rootlesskit_exec(dockerd_user_t)
-
 ifdef(`init_systemd',`
        systemd_search_user_runtime(dockerd_user_t)
        systemd_write_user_runtime_socket(dockerd_user_t)
@@ -140,6 +138,10 @@ optional_policy(`
        dbus_write_session_runtime_socket(dockerd_user_t)
 ')
 
+optional_policy(`
+       rootlesskit_exec(dockerd_user_t)
+')
+
 ########################################
 #
 # Rootless Docker CLI local policy

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

Reply via email to