docker: make rootlesskit optional

Avoid a potential build error and circular dependency by making
rootlesskit optional. Note that rootlesskit is still required in order
for rootless docker to function.

Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>

2 files changed, 11 insertions, 5 deletions

diff --git a/policy/modules/services/docker.if b/policy/modules/services/docker.if
index c3ac8174..532fa441 100644
--- a/policy/modules/services/docker.if
+++ b/policy/modules/services/docker.if
@@ -178,8 +178,6 @@ template(`docker_user_role',`
 	docker_run_user_daemon($3, $4)
 	docker_run_user_cli($3, $4)
 
-	rootlesskit_role($1, $2, $3, $4)
-
 	ifdef(`init_systemd',`
 		systemd_user_daemon_domain($1, dockerd_exec_t, dockerd_user_t)
 		systemd_user_send_systemd_notify($1, dockerd_user_t)
@@ -188,6 +186,10 @@ template(`docker_user_role',`
 	optional_policy(`
 		dbus_spec_session_bus_client($1, dockerd_user_t)
 	')
+
+	optional_policy(`
+		rootlesskit_role($1, $2, $3, $4)
+	')
 ')
 
 ########################################
@@ -229,5 +231,7 @@ interface(`docker_signal_user_daemon',`
 interface(`docker_admin',`
 	docker_run_cli($1, $2)
 
-	rootlesskit_run($1, $2)
+	optional_policy(`
+		rootlesskit_run($1, $2)
+	')
 ')
diff --git a/policy/modules/services/docker.te b/policy/modules/services/docker.te
index 0e2e2e68..bb5eeb49 100644
--- a/policy/modules/services/docker.te
+++ b/policy/modules/services/docker.te
@@ -125,8 +125,6 @@ mount_exec(dockerd_user_t)
 container_setattr_container_ptys(dockerd_user_t)
 container_use_container_ptys(dockerd_user_t)
 
-rootlesskit_exec(dockerd_user_t)
-
 ifdef(`init_systemd',`
 	systemd_search_user_runtime(dockerd_user_t)
 	systemd_write_user_runtime_socket(dockerd_user_t)
@@ -140,6 +138,10 @@ optional_policy(`
 	dbus_write_session_runtime_socket(dockerd_user_t)
 ')
 
+optional_policy(`
+	rootlesskit_exec(dockerd_user_t)
+')
+
 ########################################
 #
 # Rootless Docker CLI local policy