Quoting Krzysztof Taraszka (krzysztof.taraszka@xxxxxxxxxxxxxx):
> 2009/8/25 Serge E. Hallyn <serue@xxxxxxxxxx>
>
> > Quoting Daniel Lezcano (daniel.lezcano@xxxxxxx):
> > > Krzysztof Taraszka wrote:
> > >> Hi,
> > >>
> > >> I was looking for a way to secure an lxc container so that the 'root
> > >> container user' is not allowed to change limits from cgroup. Right now, without
> > >> SMACK64 or SELinux, he can do this easily.
> > >> I read http://www.ibm.com/developerworks/linux/library/l-lxc-security/cookbook
> > >> and decided to use the SMACK64 kernel mechanism.
> > >> Well... mounting cgroup inside the container fails (great!, I was looking for
> > >> that ;)) but networking fails too (the interface comes up, sshd comes up, there is a
> > >> connection between host and container, but 'mtr', 'ping', even 'apt-get update'
> > >> fail and I do not know why). I secured my container exactly as in the
> > >> cookbook.
> >
> > Yeah, smack's use of cipso can make things tricky, and it's possible things
> > have changed a bit recently. Although I'm currently running smack in my
> > everyday s390 kernel to test checkpointing of its labels, and networking
> > is working fine.
> >
> > Can you give me a few details - what distro, smack policy, and precise kernel
> > version are you using, for starters?
> >
>
> debian lenny amd64,
> kernel 2.6.30.5
> lxc-tools from git
>
> lxc1amd64:~# cat /etc/smackaccesses
> debian _ rwa
> _ debian rwa
> _ host rwax
> host _ rwax

Ok, I think what you want to do is use /smack/netlabel as shown around line 425 in
linux-2.6/Documentation/Smack.txt. I haven't played with it yet, but will tomorrow
if you don't get a chance.

So basically I think you should be able to do:

echo 127.0.0.1 -CIPSO > /smack/netlabel
echo 0.0.0.0/0 @ > /smack/netlabel

to open up the network. Does that work?
-serge _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers
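The two echo lines Serge proposes are the whole procedure, but on a real host you usually want to confirm that smackfs is actually mounted, that each entry is well-formed before it reaches the kernel, and that the table reads back as expected. The script below is an added example for this thread, not code from the thread or from the lxc or Smack projects. It assumes smackfs is mounted at /smack (as in the thread) and that the netlabel entry format is the "address[/prefix] label" form described in Documentation/Smack.txt, with labels of at most 23 characters; the variable name SMACKFS and the function names are this example's own. Pointing SMACKFS at a scratch directory gives a dry run against a regular file.

```shell
#!/bin/sh
# Added example (not from the thread): apply Smack netlabel entries with
# basic syntax checks, then read the table back.
# Assumption: smackfs is mounted at $SMACKFS (default /smack, as in the
# thread); set SMACKFS to a scratch directory for a dry run.
SMACKFS="${SMACKFS:-/smack}"

# smack_netlabel_check ADDR[/PREFIX] LABEL
# Accepts a dotted quad with an optional 0..32 prefix and a label of at
# most 23 characters containing no whitespace, slash, quote or backslash
# (the special labels "@" and "-CIPSO" pass). Returns 0 if acceptable.
smack_netlabel_check() {
    addr=${1%%/*}
    case "$1" in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    label=$2
    [ -n "$label" ] || return 1
    # Split the address on '.' and require exactly four numeric octets.
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    [ ${#label} -le 23 ] || return 1
    case "$label" in *[[:space:]/]*|*\'*|*\"*|*\\*) return 1 ;; esac
    return 0
}

# smack_netlabel_apply ADDR[/PREFIX] LABEL [ADDR[/PREFIX] LABEL ...]
# Writes one entry per echo, exactly as the thread does. smackfs keeps
# every entry written this way; a regular file used for a dry run keeps
# only the last one. Returns 1 on the first bad entry or failed write.
smack_netlabel_apply() {
    nl="$SMACKFS/netlabel"
    if [ ! -w "$nl" ]; then
        echo "no writable $nl (is smackfs mounted at $SMACKFS?)" >&2
        return 1
    fi
    while [ $# -ge 2 ]; do
        if ! smack_netlabel_check "$1" "$2"; then
            echo "rejecting malformed netlabel entry: $1 $2" >&2
            return 1
        fi
        echo "$1 $2" > "$nl" || return 1
        shift 2
    done
    return 0
}

# Stand-alone use, for example to reproduce the thread's two rules:
#   sh smack-netlabel.sh 127.0.0.1 -CIPSO 0.0.0.0/0 @
# With no arguments nothing is written.
if [ $# -ge 2 ]; then
    smack_netlabel_apply "$@" && cat "$SMACKFS/netlabel"
fi
```

Note what the two rules from the thread mean together: 127.0.0.1 is told to carry CIPSO options (loopback traffic between labelled processes on the same host), while 0.0.0.0/0 @ treats every other host as unlabeled, which is what lets the container reach the outside world again but also removes Smack's network separation for that traffic. Narrowing the 0.0.0.0/0 entry to the networks the container really needs is the obvious follow-up once it works.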