Booom...mind is blown. Namespaces are kernel resources, and labeling them has been working so far.

On Wed, Jan 15, 2014 at 6:25 PM, Eric Paris <eparis@xxxxxxxxxxxxxx> wrote:
> Just to blow everyone's minds: The first thought that came to me was
> that the only way to make this useful is to actually put a label on
> the user namespace.
>
> If I create a container, and then a container inside that container,
> I'd think selinux should be able to control the capabilities at the
> second level down. Dan's only asking about one level down...
>
> On Wed, Jan 15, 2014 at 4:04 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>> I think we need the kernel to start checking container Capabilities rather
>> than system capabilities.
>>
>> I would like to be able to say something like
>>
>> allow svirt_lxc_net_t self:nscapability sys_admin;
>>
>> This way we can use MAC to better control break out of user namespace.
>>
>> _______________________________________________
>> Selinux mailing list
>> Selinux@xxxxxxxxxxxxx
>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
>> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.

--
Respectfully,
William C Roberts