[systemd-devel] SElinux in container

Daniel J Walsh dwalsh at redhat.com
Mon Aug 24 04:55:05 PDT 2015



On 08/24/2015 07:49 AM, arnaud gaboury wrote:
> On Mon, Aug 24, 2015 at 1:30 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>
>> On 08/23/2015 08:10 AM, arnaud gaboury wrote:
>>> Here is my setup:
>>>
>>> Host:  Archlinux systemd 224-1
>>> Container: Fedora 22 systemd 219
>>>
>>> The container is a server and has vocation to be one day deployed on a
>>> dedicated server for production. In this way, I would like to set
>>> SElinux (default in Fedora). Unfortunately, doing it in Arch host is
>>> not a trivial affair and as host is a desktop, I would like to avoid.
>>>
>>> For now, SElinux is enabled in the Kernel but disabled at boot with selinux=0.
>>>
>>> Is there any way to enable and configure SElinux only in the
>>> container? Looking at capabilities(7) did not give me any hints. As a
>>> side note, CAP_SYS_MODULE does not work for container. I guess it is
>>> due to systemd 219 on the container ?
>>>
>>> Thank you.
>>>
>> You would have to write a policy for this.  You could write a policy
>> where everything is
>> an unconfined domain, but the containers run confined.
>>
>> You would write something where the kernel, systemd ... all run as os_t,
>> then allow
>> docker or other domain to transition to the container domain, container_t.
>>
>> But this would not give you fine grained control within the container.
>>
>> It also would probably require a lot of policy writing.  But would seem
>> to be a good
>> university project...
> Thank you for these details. Unfortunately, 50 years old and too late
> for any university project :-(
> As I have many other things to build/code for my current project
> (build/deploy R[0] web apps), I will take care of SElinux once I am on
> the production server.
>
> [0]https://www.r-project.org/
>
>
I will write a blog on it and see if we could get a guinea pig.
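Added sketch, not taken from this thread or from any shipped policy, of the split Dan describes above (one unconfined host domain, one confined container domain that docker transitions into), written in SELinux type-enforcement syntax with reference-policy macros; the type names os_t, container_t and container_exec_t and the module name are assumptions chosen for the example.

```selinux
# Assumed names for this sketch: os_t, container_t, container_exec_t.
policy_module(container_only_confinement, 1.0)

# One domain for everything on the host: kernel, systemd, shells, daemons.
type os_t;
domain_type(os_t)
# Host processes are effectively unconfined, so the host stays usable
# without any further policy work.
unconfined_domain(os_t)

# The file the runtime executes to start a container, and the single
# domain every process inside a container runs in.
type container_exec_t;
application_executable_file(container_exec_t)
type container_t;
domain_type(container_t)
domain_entry_file(container_t, container_exec_t)

# When os_t executes a container_exec_t file the child process lands in
# container_t automatically: this is the host -> container transition.
domain_auto_trans(os_t, container_exec_t, container_t)

# Minimal permissions for the confined domain. Anything not allowed here
# is denied, so a process that escapes its namespaces but stays in
# container_t still only has what this module grants.
allow container_t self:process { fork sigchld signal getsched setsched };
allow container_t self:fifo_file rw_fifo_file_perms;
allow container_t self:unix_stream_socket create_stream_socket_perms;

# Caveat matching the thread: every service inside the container shares
# container_t, so this gives no fine-grained control within the container.
```

Booting a full Fedora userland with systemd inside container_t needs far more than the three allow rules above, and none of it takes effect while the host kernel is booted with selinux=0, since the host is what enforces the policy.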

