[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: [atomic-devel] We are working on Roles Based Access Control for docker.

From: Stef Walter <stefw redhat com>
To: Pavel Odvody <podvody redhat com>, Colin Walters <walters verbum org>
Cc: atomic-devel projectatomic io
Subject: Re: [atomic-devel] We are working on Roles Based Access Control for docker.
Date: Thu, 02 Apr 2015 10:42:59 +0200

On 01.04.2015 10:34, Pavel Odvody wrote:
> On Tue, 2015-03-31 at 17:02 -0400, Colin Walters wrote:
>> On Tue, Mar 31, 2015, at 04:35 AM, Pavel Odvody wrote:
>>
>>> It's supposed to work in the following way:
>>> - docker daemon is started with the --trusted flag, this labels the
>>> process as SELinux type 'docker_daemon_t', daemon also labels the
>>> created Unix socket as 'docker_socket_t'. Define a policy that allows
>>> only docker_daemon_t to talk to docker_socket_t. This ensures that the
>>> daemon communicates only with compatible binary; other methods of
>>> communication with the daemon have to be disabled (TCP).
>>
>> But what domains can transition to docker_daemon_t ? Is e.g. unconfined_t -> docker_daemon_t a valid transition?  If so, we aren't gaining anything AFAICS.  If it's not, what domains can?
>>
> 
> The docker binary is originally labeled as docker_client_t, which is
> also capable of talking to docker_socket_t.

The docker binary is far from the only thing that talks to the docker
socket. Hundreds of pieces of software speak the docker API directly to
the socket, including ... you guessed it ... Cockpit.

Stef

References:
- Re: [atomic-devel] We are working on Roles Based Access Control for docker.
  - From: Pavel Odvody

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]