Re: leaving setfcap in docker containers

On 10/05/2013 05:52 AM, Matthew Miller wrote:
> On Fri, Oct 04, 2013 at 06:16:18PM -0400, Daniel J Walsh wrote:
>>> Another question, probably a dumb one. Will this work with the lxc-tools 
>>> approach or just with libvirt-lxc?
>> We can work with it on the lxc version, but I am not sure if it will work
>> easily.
> 
> But libvirt _does_ make it easy? Again, sorry if these are silly questions.
> :)

I haven't tried containers yet; as Dan stated, libvirt has always supported confinement of
guests via sVirt.

If you want to do a quick test:

  $ ls -lZ /var/lib/libvirt/images/fed18.qcow2
  -rw-r--r--. qemu qemu system_u:object_r:svirt_image_t:s0:c920,c980 /var/lib/libvirt/images/fed18.qcow2

  $ ps -eZ | grep qemu
  system_u:system_r:svirt_t:s0:c920,c980 30017 ? 00:00:16 qemu-system-x86


As you can notice above, the QEMU process and its associated disk image have a
*unique* SELinux label. So, even if the QEMU process is compromised, it cannot
spill over to other processes.


/kashyap
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
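As an added example (not part of the original mail, and not libvirt's own code), the POSIX shell script below checks the property the mail describes: the MCS category pair (the `c920,c980` part) of a guest's QEMU process must match its disk image, and two different guests must not share a pair. The contexts it works on are constructed sample values modelled on the `ps -eZ` and `ls -lZ` output above; on a real host you would feed it the live contexts from those commands instead. The guest B and "plain s0 image" contexts are invented for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail: verify sVirt MCS labelling.
# Contexts below are constructed sample values modelled on the mail's output.

# Extract the MCS category part ("c920,c980") from a full SELinux context
# such as "system_u:system_r:svirt_t:s0:c920,c980" (field 5, colon-separated).
# Prints an empty string when the context carries no categories.
mcs_categories() {
    printf '%s\n' "$1" | cut -d: -f5
}

# Succeeds (exit 0) only if process and image contexts carry the same,
# non-empty MCS category set. An image left at plain "s0" is not bound to
# the guest, so it is rejected even though nothing "mismatches" textually.
same_guest_label() {
    proc_cats=$(mcs_categories "$1")
    img_cats=$(mcs_categories "$2")
    [ -n "$proc_cats" ] && [ -n "$img_cats" ] && [ "$proc_cats" = "$img_cats" ]
}

# Succeeds only if two guests were given distinct category sets: this is the
# "unique label" property that keeps a compromised QEMU away from the other
# guest's image and process.
distinct_guest_labels() {
    a=$(mcs_categories "$1")
    b=$(mcs_categories "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

# Constructed sample contexts: guest A copies the mail's output, guest B and
# the unconfined image are invented for this example.
GUEST_A_PROC='system_u:system_r:svirt_t:s0:c920,c980'
GUEST_A_IMG='system_u:object_r:svirt_image_t:s0:c920,c980'
GUEST_B_PROC='system_u:system_r:svirt_t:s0:c123,c456'
UNCONFINED_IMG='system_u:object_r:svirt_image_t:s0'

if same_guest_label "$GUEST_A_PROC" "$GUEST_A_IMG"; then
    echo "guest A: process and image share categories $(mcs_categories "$GUEST_A_PROC")"
fi
if distinct_guest_labels "$GUEST_A_PROC" "$GUEST_B_PROC"; then
    echo "guest A and guest B are separated from each other by MCS"
fi
if ! same_guest_label "$GUEST_A_PROC" "$UNCONFINED_IMG"; then
    echo "warning: image at plain s0 is not bound to guest A's label"
fi
```

On a live system the same functions can be driven from `ps -eZ | grep qemu` (field 1 of each line) and `ls -Z` on the image path; the check is only meaningful when the process is running in the dynamic `svirt_t` domain, since a guest libvirt has labelled statically or left unconfined will not carry per-guest categories.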