From e14ad1b8fcc430999b2c9ec65e0df27ccce4a807 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Gronowski?=
Date: Tue, 5 May 2026 15:39:41 +0200
Subject: [PATCH] pkg/docker-engine: rpm: Ship SELinux policy denying AF_ALG sockets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ship a CIL policy module that denies AF_ALG socket creation for all container domains (container_t, spc_t). Like AppArmor, SELinux hooks into the kernel's security_socket_create() LSM callback, which fires regardless of whether the socket was created via socket(2) or the legacy socketcall(2) multiplexer. This blocks AF_ALG selectively without disrupting other socketcall usage by 32-bit binaries. This complements the seccomp profile change in moby, which blocks socket(AF_ALG) but cannot filter socketcall arguments. On SELinux-only systems (Fedora, RHEL, CentOS) where AppArmor is not available, this CIL module provides equivalent protection. Load the module from %post when SELinux is enabled, warning but keeping installation non-fatal if semodule cannot load it. Remove the module on uninstall.

Signed-off-by: Paweł Gronowski
Signed-off-by: Sebastiaan van Stijn
---
 pkg/docker-engine/rpm/docker-ce.spec | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/pkg/docker-engine/rpm/docker-ce.spec b/pkg/docker-engine/rpm/docker-ce.spec
index 28b981f2..8f43c0cd 100644
--- a/pkg/docker-engine/rpm/docker-ce.spec
+++ b/pkg/docker-engine/rpm/docker-ce.spec
@@ -91,6 +91,9 @@ install -D -p -m 0644 engine/contrib/init/systemd/docker.socket ${RPM_BUILD_ROOT
 # install manpages
 make -C ${RPM_BUILD_DIR}/src/engine/man DESTDIR=${RPM_BUILD_ROOT} mandir=%{_mandir} install
+# install SELinux policy to deny AF_ALG sockets in container domains
+install -D -m 644 engine/contrib/selinux/docker-af-alg-deny.cil %{buildroot}%{_datadir}/docker-ce/selinux/docker-af-alg-deny.cil
+
 # create the config directory
 mkdir -p ${RPM_BUILD_ROOT}/etc/docker 
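Review bot: The new `install` line in the @@ -91 hunk spells the build root as `%{buildroot}` while every neighbouring step in this section uses `${RPM_BUILD_ROOT}`, and it passes `-m 644` where the socket install two lines above uses `-p -m 0644`; both spellings resolve to the same directory in rpm, so this is a point of style only. Writing it as `install -D -p -m 0644 engine/contrib/selinux/docker-af-alg-deny.cil ${RPM_BUILD_ROOT}%{_datadir}/docker-ce/selinux/docker-af-alg-deny.cil` keeps the block uniform and preserves the source timestamp like its siblings. A one-line comment such as `# the module is loaded into the running policy from %post, not at build time` would also tell a reader why the file lands under %{_datadir} rather than in the SELinux store.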
@@ -101,6 +104,7 @@ mkdir -p ${RPM_BUILD_ROOT}/etc/docker
 %{_unitdir}/docker.service
 %{_unitdir}/docker.socket
 %{_mandir}/man*/*
+%{_datadir}/docker-ce/selinux/docker-af-alg-deny.cil
 %dir /etc/docker
 %post
@@ -108,11 +112,24 @@ mkdir -p ${RPM_BUILD_ROOT}/etc/docker
 if ! getent group docker > /dev/null; then
 groupadd --system docker
 fi
+# Load the AF_ALG deny policy when SELinux is enabled. This may fail on systems
+# with SELinux userspace < 3.6, or without container-selinux's container_domain
+# attribute, so keep installation non-fatal.
+if command -v semodule > /dev/null 2>&1 && selinuxenabled 2>/dev/null; then
+if ! semodule -i %{_datadir}/docker-ce/selinux/docker-af-alg-deny.cil 2>/dev/null; then
+echo "warning: could not load docker-af-alg-deny.cil SELinux policy; AF_ALG SELinux denial is not active" >&2
+fi
+fi
 %preun
 %systemd_preun docker.service docker.socket
 %postun
 %systemd_postun_with_restart docker.service
+if [ "$1" -eq 0 ]; then
+if command -v semodule > /dev/null 2>&1; then
+semodule -r container-af-alg-deny 2>/dev/null || :
+fi
+fi
 %changelog
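Review bot: The module name removed in %postun does not match the one installed in %post: semodule names a CIL module after its file, so `semodule -i %{_datadir}/docker-ce/selinux/docker-af-alg-deny.cil` registers `docker-af-alg-deny`, while the erase path runs `semodule -r container-af-alg-deny`, which fails silently behind `2>/dev/null || :` and leaves the deny policy loaded after the package is removed. The removal line should read `semodule -r docker-af-alg-deny 2>/dev/null || :` (or the shipped file should be renamed so that both sides agree). Separately, the `2>/dev/null` on the `semodule -i` call in %post discards the only diagnostic that distinguishes the two failure modes the comment anticipates (old SELinux userspace versus a missing `container_domain` attribute), so the warning tells the administrator the denial is inactive but not why; letting stderr through with `if ! semodule -i %{_datadir}/docker-ce/selinux/docker-af-alg-deny.cil; then` keeps installation non-fatal while preserving the reason in the install log.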