I wrote a more detailed blog on this.

http://danwalsh.livejournal.com/73416.html

On 09/16/2015 04:55 PM, Daniel J Walsh wrote:
> They are only confined on certain domains.
>
> seinfo -amcs_constrained_type -x
>    mcs_constrained_type
>       netlabel_peer_t
>       docker_apache_t
>       openshift_t
>       openshift_app_t
>       sandbox_min_t
>       sandbox_x_t
>       sandbox_web_t
>       sandbox_net_t
>       svirt_t
>       svirt_tcg_t
>       svirt_lxc_net_t
>       svirt_qemu_net_t
>       svirt_kvm_net_t
>
> If you add this attribute to a type it will start enforcing it.
>
> Adding a policy like this will confine guest_t
>
> policy_module(mymcs, 1.0)
> gen_require(`
>     type guest_t;
> ')
>
> typeattribute guest_t mcs_constrained_type;

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
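
Added example, not part of the original message and not policy code: a small Python model of why adding guest_t to mcs_constrained_type changes the outcome of an access check. It assumes the MCS constraint has the simplified form "(h1 dom h2) or (t1 != mcs_constrained_type)"; the contexts, the category values and the helper names are constructed for illustration, and type enforcement rules, which still apply separately, are not modelled.

```python
# Simplified model of an MCS constraint of the assumed form
#   (h1 dom h2) or (t1 != mcs_constrained_type)
# h1/h2 are the high levels of source and target, t1 is the source type.

def parse_categories(level):
    """Return the category set of a level: 's0:c1,c5.c7' -> {1, 5, 6, 7}.
    For a range such as 's0-s0:c0.c1023' the high level is used."""
    high = level.split("-")[-1]
    _, _, cats = high.partition(":")
    result = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")
        lo_n = int(lo.lstrip("c"))
        hi_n = int(hi.lstrip("c")) if hi else lo_n
        if hi_n < lo_n:
            raise ValueError("bad category range: " + part)
        result.update(range(lo_n, hi_n + 1))
    return result

def split_context(context):
    """Split user:role:type:level; the level may itself contain ':'."""
    _user, _role, type_, level = context.split(":", 3)
    return type_, level

def mcs_allows(source_ctx, target_ctx, constrained_types):
    """True if the modelled MCS constraint permits the access."""
    s_type, s_level = split_context(source_ctx)
    _, t_level = split_context(target_ctx)
    if s_type not in constrained_types:
        return True  # constraint is not enforced for this source type
    # 'dom' on categories: source set must be a superset of target set
    return parse_categories(s_level) >= parse_categories(t_level)

# Constructed sample data. BEFORE is a subset of the seinfo listing above;
# AFTER models the policy once the mymcs module has been loaded.
BEFORE = {"svirt_t", "svirt_lxc_net_t", "sandbox_net_t"}
AFTER = BEFORE | {"guest_t"}
GUEST = "guest_u:guest_r:guest_t:s0:c1"
FILE_C1 = "system_u:object_r:user_home_t:s0:c1"
FILE_C2 = "system_u:object_r:user_home_t:s0:c2"

if __name__ == "__main__":
    for name, types in (("before", BEFORE), ("after", AFTER)):
        for target in (FILE_C1, FILE_C2):
            print(name, target, mcs_allows(GUEST, target, types))
```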