Question about container_runtime_domain about container-selinux HOT 7 CLOSED

Sure, I have no problem doing that.
Would you like to open a PR?

from container-selinux.

BTW What container engine are you interested in?

from container-selinux.

@rhatdan It's a custom engine built directly with libcontainer. I've been working on SELinux support and, being a total noob, have to consider all options. The problem with our use-case is that systemd runs quite a few services (instead of simpler case of a single service) so a way to confine all of them is still unclear to me.

I've first looked into labeling the rootfs entirely with the host rules but ran into major issues that would amount to a lot of SELinux configuration to make this work. Additionally, I've never found a way to do away with the ambiguity of having two etc_t, var_t, etc. without giving the binary the permissions to manage the content on host but only inside of rootfs.

So, my next idea is to tailor as much as possible from this project, hence I wondered if it was possible to re-use the policy without too much duplication while still being open for changes.

from container-selinux.

I just pushed a new version of container-selinux. Which includes the container_runtime_domain attribute.
You can create a type with the interface
container_runtime_domain_template(mycontainer_runtime)

This will create a myconfiner_runtime_t type that should allow you to launch containers and extend the type.

Please try it out.

from container-selinux.

@wrabcak FYI

from container-selinux.

@rhatdan Thanks a lot!

from container-selinux.

Great idea @a-palchikov @rhatdan, AFAIK there is no need to do anything in selinux-policy.

Thank you for heads up!
Lukas

from container-selinux.