selinux: Add CDI access, Wayland interface and labeling, and tunable dockerd integration#358

Open
kemalrasimsh wants to merge 5 commits into qualcomm-linux:main from kemalrasimsh:SELinux

Conversation

@kemalrasimsh

Enhance SELinux policy to improve support for container runtimes and Wayland-based systems across a variety of configurations.

Allow container runtimes to access /etc/cdi so that Container Device Interface (CDI) configuration files can be loaded correctly. Without this access, runtimes such as containerd may fail with permission errors when attempting to monitor or read CDI specifications.

Introduce a new interface, wayland_stream_connect(), which allows domains to connect to a Wayland compositor via UNIX stream sockets. The interface grants permissions to search user runtime directories and establish connections to sockets labeled with wayland_runtime_t, enabling confined domains such as container runtimes or applications to communicate with the Wayland display server.

Extend Wayland socket labeling by adding a file context rule for /run/wayland-*, ensuring sockets created directly under /run are labeled as wayland_runtime_t. This addresses systems where Wayland operates outside of per-user runtime directories, providing consistent behavior across embedded and single-user environments.

Introduce a new tunable, dockerd_connect_user_services (default: off), to control whether the Docker daemon (dockerd_t) may connect to user session services. When enabled, the policy allows dockerd to use:

pulseaudio_stream_connect(dockerd_t)
wayland_stream_connect(dockerd_t)

These permissions enable container workloads to access host audio and graphical services via PulseAudio and Wayland sockets located under /run/user/$UID.

The docker-related permissions are gated using tunable_policy() and wrapped in optional_policy() blocks to ensure they are only applied when the corresponding policy modules are available.

Together, these changes improve compatibility with CDI-enabled containers and containerized desktop workloads while maintaining secure-by-default behavior and modular policy design.
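As an added illustration, not the PR's own policy source, here are the three pieces described above written in refpolicy conventions: the wayland_stream_connect() interface, the /run/wayland-* file context, and the tunable-gated dockerd rules. The compositor domain name wayland_compositor_t and the userdom_search_user_runtime() macro name are assumptions.

```selinux
## wayland.if (illustrative): let a domain reach the compositor socket
########################################
## <summary>
##	Connect to a Wayland compositor over a UNIX stream socket.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`wayland_stream_connect',`
	gen_require(`
		type wayland_runtime_t;
		# assumed name for the compositor's domain
		type wayland_compositor_t;
	')

	# Search /run/user/$UID; macro name assumed from refpolicy userdomain.if
	userdom_search_user_runtime($1)
	# search the socket dir, write the sock_file, connectto the compositor
	stream_connect_pattern($1, wayland_runtime_t, wayland_runtime_t, wayland_compositor_t)
')

## wayland.fc (illustrative): sockets created directly under /run
/run/wayland-.*		-s	gen_context(system_u:object_r:wayland_runtime_t,s0)

## docker.te (illustrative): boolean is off by default
## <desc><p>Allow dockerd to connect to user PulseAudio and Wayland sockets.</p></desc>
gen_tunable(dockerd_connect_user_services, false)

# optional_policy() keeps the module loadable when the pulseaudio or
# wayland modules are absent; tunable_policy() keeps the rules inert
# until the boolean is switched on.
optional_policy(`
	tunable_policy(`dockerd_connect_user_services',`
		pulseaudio_stream_connect(dockerd_t)
	')
')

optional_policy(`
	tunable_policy(`dockerd_connect_user_services',`
		wayland_stream_connect(dockerd_t)
	')
')
```

With the module loaded, the access stays denied until an administrator runs setsebool -P dockerd_connect_user_services on, and the sock_file rule only applies to files that matchpathcon reports as wayland_runtime_t.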

@lumag Dmitry Baryshkov (lumag) left a comment

Contributor

How are CDI and Wayland related? Please split to separate commits. Each commit should always present a single atomic feature.

@kemalrasimsh

Author

These changes consist entirely of SEPolicy rules located under the dynamic-layers/selinux/ directory. Would you prefer that I split them into multiple, smaller changes for clarity and reviewability? If we take that approach, please note that once they are merged upstream, any future reverts would also need to be handled on a per-change basis.

@lumag

Contributor

@kemalrasimsh yes

@ricardosalveti

Contributor

These changes consist entirely of SEPolicy rules located under the dynamic-layers/selinux/ directory. Would you prefer that I split them into multiple, smaller changes for clarity and reviewability? If we take that approach, please note that once they are merged upstream, any future reverts would also need to be handled on a per-change basis.

That's fine, we can revert all commits in a single PR. Isolating the patches per commit helps the reviewers to better understand the context of the change.

kemalrasimsh force-pushed the SELinux branch 2 times, most recently from d18c6ec to af49098 on July 1, 2026 13:49
@kemalrasimsh

Author

Should also address issue: #381

Kemal Rasim Sh added 5 commits July 1, 2026 17:40
SELinux dynamic layer recipes are not being included,
causing SELinux-related .bb and .bbappend files to be ignored during builds.
Add pattern entries to include these files and ensure the relevant recipes are picked up.

Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>

Container runtimes cannot access /etc/cdi,
leading to permission errors when loading CDI configuration files.
Allow container runtimes to access this directory so CDI specifications
can be read and monitored correctly.

Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>

Wayland clients cannot connect to the compositor in certain setups due
to missing permissions and incomplete socket labeling. Introduce the
wayland_stream_connect() interface to allow domains to connect via UNIX
stream sockets, and extend file context rules to label /run/wayland-*
as wayland_runtime_t to ensure consistent access across environments.

Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>

Docker daemon lacks controlled access to user session services,
preventing container workloads from using host audio and graphical interfaces.
Introduce the dockerd_connect_user_services tunable (default off) to optionally
allow dockerd_t to connect to PulseAudio and Wayland via existing interfaces,
with access gated through tunables and optional_policy
to preserve secure and modular behavior.

Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>

Docker cannot access designated home subdirectories,
limiting container workloads that rely on user-provided data.
Define the docker_home_t type and label specific directories
(media, models, labels, configs) accordingly, and introduce
the docker_home_access interface to allow controlled access.

Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>

@lumag Dmitry Baryshkov (lumag) left a comment

Contributor

Doesn't build
