[systemd-devel] SElinux in container

arnaud gaboury arnaud.gaboury at gmail.com
Mon Aug 24 04:49:26 PDT 2015


On Mon, Aug 24, 2015 at 1:30 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>
> On 08/23/2015 08:10 AM, arnaud gaboury wrote:
>> Here is my setup:
>>
>> Host:  Archlinux systemd 224-1
>> Container: Fedora 22 systemd 219
>>
>> The container is a server and has vocation to be one day deployed on a
>> dedicated server for production. In this way, I would like to set
>> SElinux (default in Fedora). Unfortunately, doing it in Arch host is
>> not a trivial affair and as host is a desktop, I would like to avoid.
>>
>> For now, SElinux is enabled in the Kernel but disabled at boot with selinux=0.
>>
>> Is there any way to enable and configure SElinux only in the
>> container? Looking at capabilities(7) did not give me any hints. As a
>> side note, CAP_SYS_MODULE does not work for container. I guess it is
>> due to systemd 219 on the container?
>>
>> Thank you.
>>
> You would have to write a policy for this.  You could write a policy
> where everything is an unconfined domain, but the containers run confined.
>
> You would write something where the kernel, systemd ... all run as os_t,
> then allow docker or another domain to transition to the container domain,
> container_t.
>
> But this would not give you fine-grained control within the container.
>
> It also would probably require a lot of policy writing.  But it would seem
> to be a good university project...

Thank you for these details. Unfortunately, 50 years old and too late
for any university project :-(
As I have many other things to build/code for my current project
(build/deploy R[0] web apps), I will take care of SElinux once I am on
the production server.

[0] https://www.r-project.org/


-- 

google.com/+arnaudgabourygabx
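For readers who want to see what Dan's suggestion (everything unconfined as os_t, the container confined as container_t, one domain allowed to transition into it) looks like on paper, here is an added sketch of such a policy module in reference-policy syntax. It is not code from this thread or from any shipped policy: os_t, container_exec_t and the module name are placeholders, and the macros are assumed to be the usual refpolicy/Fedora interfaces. One point worth stating plainly: SELinux is enforced by the host kernel, so a module like this is built and loaded on the host (Arch here), not inside the Fedora container; the container only ever sees the confinement the host policy imposes on it.

```selinux
policy_module(container_sketch, 1.0.0)

########################################
# Declarations (all names are illustrative placeholders, not shipped types)
#

# Dan's "everything else" domain: kernel, systemd and host services.
# unconfined_domain() makes it behave like the usual unconfined host.
type os_t;
domain_type(os_t)
unconfined_domain(os_t)

# The confined domain the container's processes run in.
type container_t;
domain_type(container_t)

# Label for the executable whose execution enters container_t
# (for example the container's init binary, relabelled on the host).
type container_exec_t;
domain_entry_file(container_t, container_exec_t)

########################################
# Policy
#

# When a process in os_t executes a file labelled container_exec_t, the new
# process automatically becomes container_t. This is the single transition
# point; whatever container_t may do afterwards must be granted explicitly.
domain_auto_trans(os_t, container_exec_t, container_t)

# Minimal example of what the confined domain is granted: reading /etc.
# Anything not allowed here is denied in enforcing mode and shows up as an
# AVC denial in the audit log, which is how the missing rules get found.
files_read_etc_files(container_t)
```

On a host with the policy development files installed this builds with `make -f /usr/share/selinux/devel/Makefile container_sketch.pp` and loads with `semodule -i container_sketch.pp`; the container's entry binary then needs the container_exec_t label (a file context entry plus `restorecon`) for the transition to fire. Run it in permissive mode first and read the AVC denials: each one is a rule this sketch is missing, which is the "lot of policy writing" Dan refers to.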