[systemd-devel] What makes systemd-nspawn "not suitable for secure container setups"?

Lennart Poettering lennart at poettering.net
Tue Apr 26 10:54:14 PDT 2011


On Mon, 25.04.11 20:51, microcai (microcai at fedoraproject.org) wrote:

> On 2011-04-25 20:43, Daniel J Walsh wrote:
> > SELinux  would be a good start.
> 
> No, root inside can still change SE-Linux policy.

No. The SELinux policy can forbid reloading the SELinux policy for
certain users/processes.

SELinux should work fine to secure nspawn containers.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
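
As an added illustration of the point above (example policy written for this page, not code from the thread or from systemd), a minimal SELinux Reference Policy module that denies the policy-management operations to a container domain; the domain name nspawn_guest_t is a placeholder assumed for the example, while security_t and the security object class are standard:

```selinux
# Added example, not from the original thread. nspawn_guest_t is an
# assumed placeholder domain for processes running inside a container.
policy_module(nspawn_guest_demo, 1.0)

require {
    type security_t;
    class security { load_policy setenforce setbool };
}

# A confined domain for the container's processes (including its uid-0 ones).
type nspawn_guest_t;
domain_type(nspawn_guest_t)

# Loading a new policy, toggling enforcing mode and flipping booleans are
# operations the kernel mediates on the security_t selinuxfs object. No
# allow rule grants them to this domain, so root inside the container
# cannot reload or relax the policy. The neverallow additionally makes the
# policy build fail if any other module ever tries to grant these permissions.
neverallow nspawn_guest_t security_t:security { load_policy setenforce setbool };
```

Note that neverallow rules in loadable modules are only checked at build time when expand-check=1 is set in /etc/selinux/semanage.conf.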

