[systemd-devel] systemd-nspawn + SELinux
Lennart Poettering
lennart at poettering.net
Thu Jun 5 08:14:42 PDT 2014
On Thu, 05.06.14 15:05, Jan Synacek (jsynacek at redhat.com) wrote:
>
> Is there a way to get it working? I'm using systemd-nspawn to start
> a Fedora Rawhide container.
>
> # systemd-nspawn -bD /srv/rawhide
> ...
> <now inside the container>
>
> # getenforce
> Disabled
SELinux is not virtualized, there's only one selinux policy available in
the kernel, and there's no concept of per-container policies.
You can only use SELinux on the host, and each container should really
run under a single label.
(On the lower level: /sys/fs/selinux is mounted read-only for the
containers, which is an indication to libselinux in the container to claim
that SELinux is disabled.)
Lennart
--
Lennart Poettering, Red Hat
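As an added illustration of the mechanism described in the reply above (this is example code, not something from the thread or from the systemd project), the shell function below mirrors the check libselinux makes: scan the mounts table for a selinuxfs entry, treat a missing or read-only mount as "SELinux disabled", and only otherwise read the kernel's enforcing flag. The mounts file and selinuxfs directory are parameters so the logic can be run on constructed input; the fixture it builds (a read-write "host" table and a read-only "container" table, both pointing at a fake selinuxfs with an `enforce` file) is constructed for the demo and is an assumption of this example, not output captured from a real system.

```shell
#!/bin/sh
# Added example: approximate libselinux's "is SELinux enabled?" decision as seen
# from inside a systemd-nspawn container. A selinuxfs that is absent or mounted
# read-only is reported as disabled, which is why getenforce prints "Disabled"
# in the container even though the host policy is loaded and enforcing.

# Usage: selinux_visible_state <mounts-file> <selinuxfs-dir>
# Prints one of: disabled, permissive, enforcing.
selinux_visible_state() {
    mounts_file=$1      # on a real system: /proc/self/mounts
    selinuxfs_dir=$2    # on a real system: /sys/fs/selinux

    # Mount table lines look like: "<src> <mountpoint> selinuxfs <opts> 0 0".
    # Extract the options of the selinuxfs entry at the expected mount point.
    opts=$(awk -v mp="$selinuxfs_dir" \
        '$3 == "selinuxfs" && $2 == mp { print $4; exit }' "$mounts_file")

    if [ -z "$opts" ]; then
        # No selinuxfs mounted at all: libselinux reports SELinux as disabled.
        echo disabled
        return 0
    fi

    case ",$opts," in
        *,ro,*)
            # Read-only selinuxfs (the nspawn case): unusable, so "disabled".
            echo disabled
            return 0
            ;;
    esac

    # A writable selinuxfs: the kernel's current mode is in <selinuxfs>/enforce.
    if [ "$(cat "$selinuxfs_dir/enforce" 2>/dev/null)" = "1" ]; then
        echo enforcing
    else
        echo permissive
    fi
}

# Build a constructed fixture in a temp dir and print its path. (Assumption of
# this example: a fake selinuxfs dir with enforce=1 plus three mount tables.)
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/selinux"
    printf '1\n' > "$d/selinux/enforce"
    # host view: selinuxfs mounted read-write
    printf 'selinuxfs %s selinuxfs rw,relatime 0 0\n' "$d/selinux" > "$d/host.mounts"
    # container view: the same selinuxfs, but mounted read-only by nspawn
    printf 'selinuxfs %s selinuxfs ro,nosuid,noexec,relatime 0 0\n' "$d/selinux" > "$d/container.mounts"
    # a system with no selinuxfs at all
    printf 'proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n' > "$d/none.mounts"
    echo "$d"
}

# Demo on the constructed fixture.
demo() {
    d=$(make_fixture)
    printf 'host:      %s\n' "$(selinux_visible_state "$d/host.mounts" "$d/selinux")"
    printf 'container: %s\n' "$(selinux_visible_state "$d/container.mounts" "$d/selinux")"
    printf 'no-fs:     %s\n' "$(selinux_visible_state "$d/none.mounts" "$d/selinux")"
    rm -rf "$d"
}

demo
```

On a real host you would call `selinux_visible_state /proc/self/mounts /sys/fs/selinux` both outside and inside the container to see the two answers differ. Since SELinux cannot be enabled per container, the practical way to apply the "one label per container" advice is on the host side, e.g. with the `--selinux-context=` and `--selinux-apifs-context=` options that systemd-nspawn documents in its man page (those options are not mentioned in the thread itself).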