selinux: Add CDI access, Wayland interface and labeling, and tunable dockerd integration#358
kemalrasimsh wants to merge 5 commits into
Dmitry Baryshkov (lumag)
left a comment
How are CDI and Wayland related? Please split to separate commits. Each commit should always present a single atomic feature.
These changes consist entirely of SEPolicy rules located under the dynamic-layers/selinux/ directory. Would you prefer that I split them into multiple, smaller changes for clarity and reviewability? If we take that approach, please note that once they are merged upstream, any future reverts would also need to be handled on a per-change basis.
kemalrasimsh yes

That's fine, we can revert all commits in a single PR. Isolating the patches per commit helps the reviewers to better understand the context of the change.
d18c6ec to af49098
Should also address issue: #381
SELinux dynamic layer recipes are not being included, causing SELinux-related .bb and .bbappend files to be ignored during builds. Add pattern entries to include these files and ensure the relevant recipes are picked up. Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
Container runtimes cannot access /etc/cdi, leading to permission errors when loading CDI configuration files. Allow container runtimes to access this directory so CDI specifications can be read and monitored correctly. Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
Wayland clients cannot connect to the compositor in certain setups due to missing permissions and incomplete socket labeling. Introduce the wayland_stream_connect() interface to allow domains to connect via UNIX stream sockets, and extend file context rules to label /run/wayland-* as wayland_runtime_t to ensure consistent access across environments. Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
Docker daemon lacks controlled access to user session services, preventing container workloads from using host audio and graphical interfaces. Introduce the dockerd_connect_user_services tunable (default off) to optionally allow dockerd_t to connect to PulseAudio and Wayland via existing interfaces, with access gated through tunables and optional_policy to preserve secure and modular behavior. Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
Docker cannot access designated home subdirectories, limiting container workloads that rely on user-provided data. Define the docker_home_t type and label specific directories (media, models, labels, configs) accordingly, and introduce the docker_home_access interface to allow controlled access. Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
Dmitry Baryshkov (lumag)
left a comment
Doesn't build
Enhance SELinux policy to improve support for container runtimes and Wayland-based systems across a variety of configurations.
Allow container runtimes to access /etc/cdi so that Container Device Interface (CDI) configuration files can be loaded correctly. Without this access, runtimes such as containerd may fail with permission errors when attempting to monitor or read CDI specifications.
Introduce a new interface, wayland_stream_connect(), which allows domains to connect to a Wayland compositor via UNIX stream sockets. The interface grants permissions to search user runtime directories and establish connections to sockets labeled with wayland_runtime_t, enabling confined domains such as container runtimes or applications to communicate with the Wayland display server.
Extend Wayland socket labeling by adding a file context rule for /run/wayland-*, ensuring sockets created directly under /run are labeled as wayland_runtime_t. This addresses systems where Wayland operates outside of per-user runtime directories, providing consistent behavior across embedded and single-user environments.
Introduce a new tunable, dockerd_connect_user_services (default: off), to control whether the Docker daemon (dockerd_t) may connect to user session services. When enabled, the policy allows dockerd to use:
These permissions enable container workloads to access host audio and graphical services via PulseAudio and Wayland sockets located under /run/user/$UID.
The docker-related permissions are gated using tunable_policy() and wrapped in optional_policy() blocks to ensure they are only applied when the corresponding policy modules are available.
Together, these changes improve compatibility with CDI-enabled containers and containerized desktop workloads while maintaining secure-by-default behavior and modular policy design.
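Added illustration, not the PR's own diff (which is not shown on this page): what the three pieces the description talks about look like in refpolicy syntax, so a reviewer can check the shape of the interface, the file context and the tunable gating against the policy under dynamic-layers/selinux/. Assumptions: wayland_compositor_t is a placeholder for the compositor's domain, which the description does not name; userdom_search_user_runtime and pulseaudio_stream_connect are taken to exist in the base policy the layer builds on; the /run/wayland-.* regex is my rendering of the "/run/wayland-*" glob in the description.

```m4
######## wayland.if (illustrative excerpt) ########
## Let a domain connect to a Wayland compositor over a UNIX stream socket.
interface(`wayland_stream_connect',`
	gen_require(`
		type wayland_runtime_t;
		# placeholder: the compositor's domain is not named in the PR description
		type wayland_compositor_t;
	')

	# reach the socket: search /run/user/$UID, then the socket's own directory
	userdom_search_user_runtime($1)
	allow $1 wayland_runtime_t:dir search_dir_perms;
	# write to the socket file and connect to the listener owned by the compositor
	allow $1 wayland_runtime_t:sock_file write_sock_file_perms;
	allow $1 wayland_compositor_t:unix_stream_socket connectto;
')

######## wayland.fc (illustrative excerpt) ########
# "-s" restricts the match to socket files, so a stray regular file or
# directory named /run/wayland-foo does not pick up the socket label.
/run/wayland-.*		-s	gen_context(system_u:object_r:wayland_runtime_t,s0)

######## docker.te (illustrative excerpt) ########
## <desc>
## <p>Allow dockerd to connect to PulseAudio and Wayland user session services.</p>
## </desc>
gen_tunable(dockerd_connect_user_services, false)

# Each optional_policy() block compiles only when that module is present;
# inside it, tunable_policy() keeps the rules inert until the boolean is set.
optional_policy(`
	tunable_policy(`dockerd_connect_user_services',`
		pulseaudio_stream_connect(dockerd_t)
	')
')

optional_policy(`
	tunable_policy(`dockerd_connect_user_services',`
		wayland_stream_connect(dockerd_t)
	')
')
```

With the default left at false, `getsebool dockerd_connect_user_services` should report off and dockerd_t gets no path to the user session sockets; a deliberate `setsebool -P dockerd_connect_user_services on` is the only way to turn it on. The labeling half can be checked without a container at all: `matchpathcon /run/wayland-0` should print wayland_runtime_t after the new .fc is installed, and a `restorecon -v /run/wayland-0` on a system where the compositor already created the socket shows whether it was previously mislabeled. Because the tunable hands a root daemon a route to a user's audio and display server, it is worth treating it as a per-image decision rather than a policy-wide default.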