On Fri, 2016-02-26 at 10:49 -0500, Stephen Smalley wrote:
> On 02/26/2016 10:46 AM, Paul Moore wrote:
> > On Fri, Feb 26, 2016 at 7:54 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> > > On Thu, 2016-02-25 at 15:54 -0500, Stephen Smalley wrote:
> > > > On 02/25/2016 03:28 PM, Daniel J Walsh wrote:
> > > > > Currently typebounds only allows one instance.
> > > > It is a hierarchy, where each child has a single parent. So you can
> > > > define hierarchies like:
> > > > typebounds unconfined_t docker_t;
> > > > typebounds docker_t svirt_lxc_net_t;
> > > > and then they can both transition because they are both ancestors.
> > > Awesome idea.
> > Would that resolve all your problems Dan with Docker, runc, etc.? From
> > our discussions the other day I thought you needed the ability to
> > transition to svirt_lxc_net_t from domains other than unconfined_t and
> > docker_t ... or was I misunderstanding you?
>
> Note that it is only exec-based transitions that are affected by
> NO_NEW_PRIVS, so one can always leverage dynamic transitions (i.e.
> setcon) without requiring typebounds.
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

BTW I turned on expand-check=1 in semanage.conf and semodule -B went nuts and crashed on this policy:

policy_module(mypol, 1.0)

require {
	type svirt_lxc_net_t;
	type docker_t;
	type svirt_sandbox_file_t;
	type unconfined_t;
}

allow unconfined_t svirt_sandbox_file_t:file entrypoint;
allow docker_t svirt_sandbox_file_t:file entrypoint;

typebounds unconfined_t docker_t;
typebounds docker_t svirt_lxc_net_t;
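To make the ancestor rule in the thread concrete, here is an added Python example (not code from the thread or from the SELinux project) that parses the typebounds lines of the policy module above and answers whether an exec-based transition would pass the kernel's bounded-transition check under NO_NEW_PRIVS. It assumes the statement syntax `typebounds PARENT CHILD;`, uses `init_t` only as a hypothetical domain outside the hierarchy, and models just the bounds walk, not the ordinary allow/type_transition checks that still apply.

```python
import re

# Constructed sample input: the two typebounds lines from the policy module in this thread.
SAMPLE_POLICY = """
typebounds unconfined_t docker_t;
typebounds docker_t svirt_lxc_net_t;
"""

TYPEBOUNDS_RE = re.compile(r"^\s*typebounds\s+(\w+)\s+(\w+)\s*;", re.MULTILINE)


def parse_typebounds(policy_text):
    """Return a {child: parent} map; a child bounded by two different parents is an error."""
    parents = {}
    for match in TYPEBOUNDS_RE.finditer(policy_text):
        parent, child = match.group(1), match.group(2)
        if child in parents and parents[child] != parent:
            raise ValueError(f"{child} is bounded by both {parents[child]} and {parent}")
        parents[child] = parent
    return parents


def bounded_transition_allowed(parents, old_type, new_type):
    """Walk new_type's bounds chain upward and succeed if old_type is reached.

    Under NO_NEW_PRIVS the kernel permits an exec transition only when the new
    domain is bounded by the old one, directly or via intermediate ancestors.
    """
    current, visited = new_type, set()
    while current is not None:
        if current == old_type:
            return True
        if current in visited:  # a cycle would never compile; guard against looping anyway
            raise ValueError(f"typebounds cycle at {current}")
        visited.add(current)
        current = parents.get(current)
    return False


def explain_transition(parents, old_type, new_type):
    """One-line verdict for an exec-based transition attempted under NO_NEW_PRIVS."""
    if bounded_transition_allowed(parents, old_type, new_type):
        return f"{old_type} -> {new_type}: allowed"
    return f"{old_type} -> {new_type}: blocked (not bounded; a dynamic setcon transition is unaffected)"


if __name__ == "__main__":
    hierarchy = parse_typebounds(SAMPLE_POLICY)
    # init_t is a hypothetical domain outside the hierarchy, used to show the blocked case.
    for src in ("unconfined_t", "docker_t", "svirt_lxc_net_t", "init_t"):
        print(explain_transition(hierarchy, src, "svirt_lxc_net_t"))
```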