On Fri, Jul 22, 2011 at 08:03:59AM -0600, Eric Blake wrote:
> On 07/22/2011 07:42 AM, Daniel P. Berrange wrote:
> > From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
> >
> > A container should not be allowed to modify stuff in /sys
> > or /proc/sys so make them readonly. Make /selinux readonly
> > so that containers think that selinux is disabled.
>
> Are we ever going to want to mix selinux and containers? But for
> now, I guess this makes sense.

Yes, I have patches that support sVirt with LXC but they're not quite
ready. SELinux is something that is enabled from the host OS pov though,
e.g. the container init process is run with an sVirt container, and all
further processes inherit this. What this change is doing is making the
container OS think that SELinux is not enabled. This is not true, but we
need to trick it, otherwise the container will try to use SELinux, which
won't work: you can't have a different policy inside the container vs the
host OS; the host OS has to be in control.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
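The read-only bind described in the quoted commit message, as an added example that is neither the patch nor libvirt's LXC driver code: `make_readonly()` applies the standard Linux two-step recipe (bind a path over itself, then remount that bind with MS_RDONLY) and `mountinfo_is_readonly()` is the matching check an auditor inside the container can run against `/proc/self/mountinfo` to confirm that /sys, /proc/sys and /selinux really are read-only. Both function names, and the `SAMPLE_MOUNTINFO` table, are constructed for this example; the mount calls need CAP_SYS_ADMIN and are only attempted when running as root, inside a private mount namespace so the host's mount table is untouched.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>

/* Bind-mount `path` over itself and then remount that bind read-only.
   Linux ignores MS_RDONLY on the initial bind, so a second
   MS_REMOUNT|MS_BIND call is needed; it flags only the new vfsmount,
   so the host's own view of the same filesystem stays writable. The
   bind is deliberately non-recursive: submounts under `path` are not
   visible in the new namespace rather than being left writable.
   Returns 0 on success or -errno. Needs CAP_SYS_ADMIN. */
int make_readonly(const char *path)
{
    if (mount(path, path, NULL, MS_BIND, NULL) < 0)
        return -errno;
    if (mount(NULL, path, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL) < 0)
        return -errno;
    return 0;
}

/* Returns 1 if the comma-separated option list contains exactly `want`. */
static int has_opt(const char *opts, const char *want)
{
    char buf[256];
    char *save = NULL, *tok;

    snprintf(buf, sizeof(buf), "%s", opts);
    for (tok = strtok_r(buf, ",", &save); tok; tok = strtok_r(NULL, ",", &save))
        if (strcmp(tok, want) == 0)
            return 1;
    return 0;
}

/* Scan text in /proc/self/mountinfo format for `path` as a mount point.
   Field 5 is the mount point and field 6 the per-mount flags, which is
   where a read-only bind shows up as "ro". When several entries share a
   mount point the last one is the visible one, so the last match wins.
   Returns 1 if read-only, 0 if writable, -1 if `path` is no mount point. */
int mountinfo_is_readonly(const char *mountinfo, const char *path)
{
    const char *line = mountinfo;
    int result = -1;

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512], mnt[256], opts[256];

        if (len < sizeof(buf)) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (sscanf(buf, "%*s %*s %*s %*s %255s %255s", mnt, opts) == 2 &&
                strcmp(mnt, path) == 0)
                result = has_opt(opts, "ro") ? 1 : 0;
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return result;
}

/* Constructed sample of what a container's /proc/self/mountinfo could
   look like once /sys, /proc/sys and /selinux are read-only binds while
   /proc itself stays writable. Not captured from a real system. */
const char SAMPLE_MOUNTINFO[] =
    "20 1 0:19 / /proc rw,nosuid,nodev,noexec - proc proc rw\n"
    "21 1 0:20 / /sys ro,nosuid,nodev,noexec - sysfs sysfs rw\n"
    "22 20 0:19 /sys /proc/sys ro,nosuid,nodev,noexec - proc proc rw\n"
    "23 1 0:21 / /selinux ro,relatime - selinuxfs selinuxfs rw\n";

int main(void)
{
    const char *paths[] = { "/sys", "/proc/sys", "/selinux" };
    size_t i;

    /* Privileged part: apply the binds in a private mount namespace.
       /selinux is skipped because newer hosts mount selinuxfs at
       /sys/fs/selinux instead, so the 2011 path usually no longer exists. */
    if (geteuid() == 0 && unshare(CLONE_NEWNS) == 0 &&
        mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) == 0) {
        for (i = 0; i < 2; i++) {
            int rc = make_readonly(paths[i]);
            printf("%s: %s\n", paths[i], rc ? strerror(-rc) : "now read-only");
        }
    }

    /* Unprivileged part: audit the constructed mount table. */
    for (i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
        printf("%-10s read-only: %d\n", paths[i],
               mountinfo_is_readonly(SAMPLE_MOUNTINFO, paths[i]));
    printf("%-10s read-only: %d\n", "/proc",
           mountinfo_is_readonly(SAMPLE_MOUNTINFO, "/proc"));
    return 0;
}
```

The check reads only per-mount flags, which is the right place to look: a bind remounted with MS_RDONLY is writable on the host but shows `ro` in field 6 of the container's mountinfo, while the superblock options after the `-` separator still say `rw`. A tool that inspects the superblock options instead would wrongly report the hardening as absent.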