Comments (7)
Sure, I have no problem doing that.
Would you like to open a PR?
from container-selinux.
BTW, what container engine are you interested in?
@rhatdan It's a custom engine built directly with libcontainer. I've been working on SELinux support and, being a total noob, have to consider all options. The problem with our use-case is that systemd runs quite a few services (instead of the simpler case of a single service), so a way to confine all of them is still unclear to me.
I've first looked into labeling the rootfs entirely with the host rules but ran into major issues that would amount to a lot of SELinux configuration to make this work. Additionally, I've never found a way to do away with the ambiguity of having two etc_t, var_t, etc. without giving the binary the permissions to manage the content on the host but only inside of the rootfs.
So, my next idea is to tailor as much as possible from this project, hence I wondered if it was possible to re-use the policy without too much duplication while still being open for changes.
I just pushed a new version of container-selinux, which includes the container_runtime_domain attribute.
You can create a type with the interface
container_runtime_domain_template(mycontainer_runtime)
This will create a mycontainer_runtime_t type that should allow you to launch containers and extend the type.
Please try it out.
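Added example, not code from this thread or from the container-selinux project: a minimal refpolicy-style module that uses the container_runtime_domain_template interface rhatdan describes above to carve out a runtime domain for a custom engine and then extends it locally. The module name, the binary path, the mycontainer_runtime_var_lib_t state type and the engine name are assumptions chosen for illustration; the only interface taken from the thread is container_runtime_domain_template(mycontainer_runtime), and the other interfaces (policy_module, init_daemon_domain, files_type, manage_dirs_pattern, manage_files_pattern) are standard refpolicy interfaces and support macros.

```selinux
# mycontainer_runtime.te  (illustrative; assumed module name)
policy_module(mycontainer_runtime, 1.0.0)

########################################
# Declarations
#

# From container-selinux: declares mycontainer_runtime_t and attaches the
# container_runtime_domain attribute, so every rule already written against
# that attribute (launching containers, transitioning them into container_t,
# relabeling container_file_t, ...) applies to this domain without duplication.
container_runtime_domain_template(mycontainer_runtime)

# Entrypoint type for the engine binary. Assumption: the template does not
# declare one; if the container-selinux release you build against already
# defines mycontainer_runtime_exec_t, delete this line.
type mycontainer_runtime_exec_t;

# Standard refpolicy interface: makes mycontainer_runtime_exec_t the entry
# point of mycontainer_runtime_t and lets systemd (init_t) transition into
# the domain when it execs the labeled binary. This is what keeps the engine
# out of init_t / unconfined_t when started as a unit.
init_daemon_domain(mycontainer_runtime_t, mycontainer_runtime_exec_t)

########################################
# Local extensions: only what this engine needs beyond the template
#

# Assumed: the engine keeps its state in its own directory instead of the
# paths the stock policy already labels, so it gets a dedicated type rather
# than blanket access to var_lib_t or container_var_lib_t.
type mycontainer_runtime_var_lib_t;
files_type(mycontainer_runtime_var_lib_t)

# Manage dirs and files of that type only; no write access to anything else
# on the host is added here. Add further rules one AVC denial at a time.
manage_dirs_pattern(mycontainer_runtime_t, mycontainer_runtime_var_lib_t, mycontainer_runtime_var_lib_t)
manage_files_pattern(mycontainer_runtime_t, mycontainer_runtime_var_lib_t, mycontainer_runtime_var_lib_t)
```

To use it you also need a file-context file with the two assumed paths, e.g. `/usr/local/bin/mycontainer-engine -- gen_context(system_u:object_r:mycontainer_runtime_exec_t,s0)` and `/var/lib/mycontainer(/.*)? gen_context(system_u:object_r:mycontainer_runtime_var_lib_t,s0)`, then build and load with the devel Makefile from selinux-policy-devel (`make -f /usr/share/selinux/devel/Makefile mycontainer_runtime.pp`, `semodule -i mycontainer_runtime.pp`) and relabel the paths with `restorecon -Rv`. Check the result with `ps -eZ | grep mycontainer` after starting the unit: the engine should run as mycontainer_runtime_t, and any remaining denials show up in `ausearch -m AVC -ts recent` and belong in the local-extensions section, not in a broadened template.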
@wrabcak FYI
@rhatdan Thanks a lot!
Great idea @a-palchikov @rhatdan, AFAIK there is no need to do anything in selinux-policy.
Thank you for the heads up!
Lukas
Related Issues (20)
- SELinux blocks ansible from doing DNF updates with the nsenter connection plugin HOT 8
- Branch protection for main branch HOT 3
- gating tests? HOT 2
- iptables-restore cannot read file from inside a container HOT 6
- allow user_u to work with containers HOT 8
- Packit: Use packit for bumping official fedora package HOT 1
- CI: check for long-running relabels HOT 1
- [packit] Propose downstream failed for release v2.213.0 HOT 3
- Issues on Fedora (container-selinux-2.211.1) with container_domain_template HOT 5
- Issue on RHEL with iscsiadm on v2.205 HOT 4
- user_namespace { create } rule not working HOT 11
- Concern with use of dac_override in home_container.cil HOT 3
- `avc: denied { shutdown }` when using socket activation with rootless podman quadlet HOT 3
- dri_device_t cannot be accessed correctly by pods using device plugins. HOT 12
- Add support for `rpm --verify` HOT 2
- container_init_t does not possess ptrace process context HOT 13
- CRI-O CI broken due to SELinux AVC Denials with latest runc (main branch) build HOT 20
- systemd crashes while attempting to start under container_user_r role HOT 11
- /etc/kubernetes filetrans? HOT 1
- container_user_u issues related to `podmansh` HOT 2