rpm: Ship SELinux policy denying AF_ALG sockets#1318
Draft
vvoland wants to merge 1 commit intodocker:masterfrom
Draft
rpm: Ship SELinux policy denying AF_ALG sockets#1318vvoland wants to merge 1 commit intodocker:masterfrom
vvoland wants to merge 1 commit intodocker:masterfrom
Conversation
thaJeztah
reviewed
May 5, 2026
| ;; | ||
| ;; Requires SELinux userspace >= 3.6 for CIL deny support. | ||
| ;; Requires container-selinux for the container_domain attribute. | ||
| (deny container_domain self (alg_socket (create))) |
Member
There was a problem hiding this comment.
would we want to add this in https://github.com/moby/moby/tree/master/contrib/selinux ?
Contributor
Author
There was a problem hiding this comment.
Ah yes, that would work!
Ship a CIL policy module that denies AF_ALG socket creation for all container domains (container_t, spc_t). Like AppArmor, SELinux hooks into the kernel's security_socket_create() LSM callback, which fires regardless of whether the socket was created via socket(2) or the legacy socketcall(2) multiplexer. This blocks AF_ALG selectively without disrupting other socketcall usage by 32-bit binaries. This complements the seccomp profile change in moby, which blocks socket(AF_ALG) but cannot filter socketcall arguments. On SELinux-only systems (Fedora, RHEL, CentOS) where AppArmor is not available, this CIL module provides equivalent protection. Load the module from %post when SELinux is enabled, warning but keeping installation non-fatal if semodule cannot load it. Remove the module on uninstall. Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Note: This requires dockerd to be configured with
selinux-enabled: true(throughdaemon.jsonor cli flag). It is NOT enabled by defaultShip a CIL policy module that denies AF_ALG socket creation for all container domains (container_t, spc_t). Like AppArmor, SELinux hooks into the kernel's security_socket_create() LSM callback, which fires regardless of whether the socket was created via socket(2) or the legacy socketcall(2) multiplexer. This blocks AF_ALG selectively without disrupting other socketcall usage by 32-bit binaries.
This complements the seccomp profile change in moby, which blocks socket(AF_ALG) but cannot filter socketcall arguments. On SELinux-only systems (Fedora, RHEL, CentOS) where AppArmor is not available, this CIL module provides equivalent protection.
Load the module from %post when SELinux is enabled, warning but keeping installation non-fatal if semodule cannot load it. Remove the module on uninstall.
- What I did
- Description for the changelog