This repo contains an SELinux policy module and an install script. The custom policy enables confined containers to mount UNIX domain sockets, such as `/var/run/docker.sock`, into container volumes. This is required for containers like Traefik, Portainer, Watchtower, Dozzle, and similar tools that interact with the Docker API.
You should use an intermediary such as a Docker socket proxy to reduce risk when exposing the Docker socket.
Example volume mount this policy allows:

```yaml
volumes:
  - /var/run/docker.sock:/var/run/docker.sock:ro,Z
```
Note: This policy allows any UNIX domain socket labeled `container_runtime_t` or `container_var_run_t` to be mounted into any confined container (`container_t`). It is not limited to the Docker socket.
In systems where SELinux is enforced, direct communication between confined containers and the Docker UNIX socket (`/var/run/docker.sock`) is blocked by default. This policy module:

- Allows `container_t` processes to connect to `container_runtime_t`-labeled UNIX stream sockets.
- Grants write access to `container_var_run_t`-labeled socket files.
These permissions are sufficient to enable interaction with Docker through a controlled proxy such as the docker socket proxy, without fully disabling SELinux protections or relabeling the socket.
This policy is intended to be as minimal and scoped as possible, granting only the specific access required for this use case.
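The two allow rules described above, expressed as a Type Enforcement module, together with the standard build, load and verification steps. This is an added example, not the repository's own `install.sh` or policy source; the module name `docker_socket_example`, the function names and the temporary file paths are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example (not the project's own install.sh): emit a minimal TE module
# granting exactly the two permissions described in the README, build and load
# it, then confirm the rules are present in the running policy.
set -e

# Print the Type Enforcement source. The `require` block references types and
# object classes that the base container policy already defines.
docker_socket_te() {
  cat <<'EOF'
module docker_socket_example 1.0;

require {
    type container_t;
    type container_runtime_t;
    type container_var_run_t;
    class unix_stream_socket connectto;
    class sock_file write;
}

# confined containers may connect to runtime-labeled UNIX stream sockets
allow container_t container_runtime_t:unix_stream_socket connectto;
# and may write to socket files labeled container_var_run_t
allow container_t container_var_run_t:sock_file write;
EOF
}

# Compile, package and load the module. Needs root plus the checkpolicy and
# policycoreutils packages (checkmodule, semodule_package, semodule).
install_docker_socket_policy() {
  local workdir
  workdir=$(mktemp -d)
  docker_socket_te > "$workdir/docker_socket_example.te"
  checkmodule -M -m -o "$workdir/docker_socket_example.mod" \
    "$workdir/docker_socket_example.te"
  semodule_package -o "$workdir/docker_socket_example.pp" \
    -m "$workdir/docker_socket_example.mod"
  semodule -i "$workdir/docker_socket_example.pp"
  rm -rf "$workdir"
}

# Query the loaded policy for the two rules (sesearch is in setools-console).
# Nothing beyond these two permissions should show up for this module.
verify_docker_socket_policy() {
  sesearch -A -s container_t -t container_runtime_t \
    -c unix_stream_socket -p connectto
  sesearch -A -s container_t -t container_var_run_t \
    -c sock_file -p write
}

# Usage (as root):  install_docker_socket_policy && verify_docker_socket_policy
```

Running `verify_docker_socket_policy` after the install is the quick check that the module was loaded and that the scope is still the two rules the README describes; if the socket mount is still denied, the AVC message in the audit log shows which label the socket actually carries.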
This bash install script is only tested on Fedora systems, but should work on RHEL-based systems as well. The policy itself will work on any SELinux-enabled system. To build and install the policy module on a Fedora system with SELinux enabled:
```sh
curl -fsSL https://raw.githubusercontent.com/sghost13/selinux-docker-socket/main/install.sh | bash
```
This project is licensed under the MIT No Attribution License (MIT-0).