[systemd-devel] SElinux in container

Daniel J Walsh dwalsh at redhat.com
Mon Aug 24 04:30:23 PDT 2015



On 08/23/2015 08:10 AM, arnaud gaboury wrote:
> Here is my setup:
>
> Host:  Archlinux systemd 224-1
> Container: Fedora 22 systemd 219
>
> The container is a server and has vocation to be one day deployed on a
> dedicated server for production. In this way, I would like to set
> SElinux (default in Fedora). Unfortunately, doing it in Arch host is
> not a trivial affair and as host is a desktop, I would like to avoid it.
>
> For now, SElinux is enabled in the kernel but disabled at boot with selinux=0.
>
> Is there any way to enable and configure SElinux only in the
> container? Looking at capabilities(7) did not give me any hints. As a
> side note, CAP_SYS_MODULE does not work for container. I guess it is
> due to systemd 219 on the container ?
>
> Thank you.
>
You would have to write a policy for this.  You could write a policy
where everything is an unconfined domain, but the containers run confined.

You would write something where the kernel, systemd ... all run as os_t,
then allow docker or other domain to transition to the container domain,
container_t.

But this would not give you fine grained control within the container.

It also would probably require a lot of policy writing.  But would seem
to be a good university project...
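As an added sketch of the split Dan describes (not code from this thread or from any shipped policy), a minimal refpolicy-style module: os_t and container_t are the names from the message; container_exec_t, the module name and the permission list for container_t are assumptions.

```selinux
policy_module(container_split, 1.0)

########################################
# Declarations
#
# os_t: the one unconfined domain for everything on the host
# (kernel, systemd, the container manager). Name from the thread.
type os_t;
domain_type(os_t)
unconfined_domain(os_t)

# container_t: the confined domain the container's processes run in.
# Name from the thread.
type container_t;
domain_type(container_t)

# container_exec_t (assumed name): label on the container's init binary,
# e.g. the /usr/lib/systemd/systemd inside the container root.
type container_exec_t;
files_type(container_exec_t)

########################################
# Transition into the container domain
#
# When os_t (docker, systemd-nspawn, ...) executes a file labelled
# container_exec_t, the new process runs as container_t.
domain_auto_trans(os_t, container_exec_t, container_t)

# Already implied by domain_auto_trans; kept explicit because a runtime
# that calls setexeccon(3) before exec needs exactly this permission.
allow os_t container_t:process transition;

########################################
# What container_t may do: only what is listed here, nothing else.
# Note there is deliberately no unconfined_domain(container_t).
allow container_t self:process { fork sigchld signal setpgid setsched };
allow container_t container_exec_t:file { read execute entrypoint };
```

Even with such a module loaded, the host kernel must boot with SELinux enabled and hold the policy; the container itself cannot enforce it. For an nspawn-based setup, systemd-nspawn's --selinux-context= option is how the manager would request the transition into container_t.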

