Skip to content

docker: Allow dockerd to connect to pulseaudio and wayland sockets#1167

Open
kemalrasimsh wants to merge 1 commit into
SELinuxProject:mainfrom
kemalrasimsh:docker
Open

docker: Allow dockerd to connect to pulseaudio and wayland sockets#1167
kemalrasimsh wants to merge 1 commit into
SELinuxProject:mainfrom
kemalrasimsh:docker

Conversation

@kemalrasimsh

Copy link
Copy Markdown

Add optional policy support to allow the Docker daemon (dockerd_t) to connect to user session services over UNIX stream sockets.

This introduces:

  • pulseaudio_stream_connect(dockerd_t)
  • wayland_stream_connect(dockerd_t)

These interfaces enable dockerd to communicate with PulseAudio and Wayland compositor sockets located under /run/user/$UID, which is required for certain container workloads that need access to the host audio or graphical display.

Both permissions are wrapped in optional_policy blocks to ensure they are only enabled when the corresponding PulseAudio and Wayland policy modules are present.

This change improves compatibility with containerized desktop applications while preserving modular policy design.

@thesamesam thesamesam left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think these may be a tunable candidate.

@ievlogie

Copy link
Copy Markdown

Why tunable? qimsdk docker always needs access to these 2 sockets

@thesamesam

thesamesam commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

I don't know what qimsdk docker is. I suggested a tunable because I don't think it's a given that people will want containers to be able to access these.

Please revisit your internal policy as to whether changes like this get upstreamed automatically if only your internal tooling needs it or with some very specific configuration. If it requires some specific use of Docker you rely on, please say that, and we can discuss it.

@kemalrasimsh kemalrasimsh force-pushed the docker branch 4 times, most recently from af53a3c to 41a1660 Compare June 22, 2026 15:36
@kemalrasimsh

Copy link
Copy Markdown
Author

I’ve made this both optional and tunable.

@pebenito pebenito left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The wayland interface doesn't exist.

Comment thread policy/modules/services/docker.te Outdated
Comment on lines +73 to +83
optional_policy(`
tunable_policy(`dockerd_connect_user_services',`
pulseaudio_stream_connect(dockerd_t)
')
')

optional_policy(`
tunable_policy(`dockerd_connect_user_services',`
wayland_access_runtime_sock(dockerd_t)
')
')

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should move after the init_systemd block below

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@kemalrasimsh

Copy link
Copy Markdown
Author

The Wayland interface is available in the following pull request:
#1166
I'm unsure how to declare a dependency on this PR.

@pebenito

Copy link
Copy Markdown
Member

The Wayland interface is available in the following pull request: #1166 I'm unsure how to declare a dependency on this PR.

You'll need to rebase this PR.

For future reference, the wayland interface commit could have been included in this PR.

@aerusso

aerusso commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Just saw this---I'm not sure why we would want to use wayland_access_runtime_sock over wayland_client_domain. Generically, I would think that we should get wayland_client working better if for some reason it's inadequate and/or narrow its permissions if they are too broad.

@kemalrasimsh

Copy link
Copy Markdown
Author

You're right that wayland_client_domain() should be the primary mechanism, and I'm not trying to replace it.

The issue I ran into is that wayland_client_domain() only assigns the wayland_client attribute, but it doesn't grant access to the Wayland runtime socket (wayland_runtime_t:sock_file). That seems intentional, since the policy assumes clients interact with Wayland over already-established FDs rather than directly touching the socket inode.

In the container/CDI case, though, we're bind-mounting /run/wayland-0 into the container, so the runtime (runc under dockerd_t) ends up needing filesystem-level access to the socket. That results in AVCs like { ioctl } on wayland_runtime_t:sock_file, which aren't covered by the existing client attribute rules.

So instead of broadening wayland_client_domain() (which would affect all clients), this keeps the extra permissions explicit and opt-in for domains that actually need to interact with the socket at the file level (like container runtimes).

If the preference is to improve upstream policy instead, another option would be:

  • either extend wayland_client_domain() to optionally cover socket file access
  • or introduce a more narrowly scoped upstream interface for runtime socket access

but given the Wayland model, I thought keeping this separate was safer and more precise.

…session services

Introduce a new tunable to control whether the Docker daemon (dockerd_t)
may connect to user session services over UNIX stream sockets.

This change adds the following interfaces:

    pulseaudio_stream_connect(dockerd_t)
    wayland_stream_connect(dockerd_t)

These permissions allow dockerd to communicate with PulseAudio and Wayland compositor
sockets typically located under /run/user/$UID, which is required for certain container
workloads that need access to the host audio or graphical display.

The access is gated behind a new tunable:

    dockerd_connect_user_services (default: off)

When enabled, the rules are applied via tunable_policy(), providing
administrators explicit control using setsebool.

Both interfaces remain wrapped in optional_policy blocks to ensure the
policy compiles and applies cleanly only when the corresponding PulseAudio
and Wayland policy modules are present.

This approach improves compatibility with containerized desktop workloads
while maintaining secure-by-default behavior and modular SELinux policy design.

Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
@pebenito

Copy link
Copy Markdown
Member

kemalrasimsh commented:

You're right that wayland_client_domain() should be the primary mechanism, and I'm not trying to replace it.

The issue I ran into is that wayland_client_domain() only assigns the wayland_client attribute, but it doesn't grant access to the Wayland runtime socket (wayland_runtime_t:sock_file). That seems intentional, since the policy assumes clients interact with Wayland over already-established FDs rather than directly touching the socket inode.

In the container/CDI case, though, we're bind-mounting /run/wayland-0 into the container, so the runtime (runc under dockerd_t) ends up needing filesystem-level access to the socket. That results in AVCs like { ioctl } on wayland_runtime_t:sock_file, which aren't covered by the existing client attribute rules.

So instead of broadening wayland_client_domain() (which would affect all clients), this keeps the extra permissions explicit and opt-in for domains that actually need to interact with the socket at the file level (like container runtimes).

If the preference is to improve upstream policy instead, another option would be:

  • either extend wayland_client_domain() to optionally cover socket file access
  • or introduce a more narrowly scoped upstream interface for runtime socket access

but given the Wayland model, I thought keeping this separate was safer and more precise.

@aerusso any further response to this?

@aerusso

aerusso commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

@pebenito I need to look at this more closely. I had not originally appreciated the already open distinction (and I want to look at what is going on in my own policies). My first thought is we may want to have an "open new connections" and wayland_client_domain interface. I do feel like everything that's a client should at least be wayland_client_domain, but again I need to think about this more carefully.

@kemalrasimsh Thanks for clarifying!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants