On Fri, Feb 26, 2016 at 10:49 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 02/26/2016 10:46 AM, Paul Moore wrote:
>> On Fri, Feb 26, 2016 at 7:54 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>> On Thu, 2016-02-25 at 15:54 -0500, Stephen Smalley wrote:
>>>> On 02/25/2016 03:28 PM, Daniel J Walsh wrote:
>>>>>
>>>>> Currently typebounds only allows one instance.
>>>>
>>>> It is a hierarchy, where each child has a single parent. So you can
>>>> define hierarchies like:
>>>> typebounds unconfined_t docker_t;
>>>> typebounds docker_t svirt_lxc_net_t;
>>>> and then they can both transition because they are both ancestors.
>>>
>>> Awesome idea.
>>
>> Would that resolve all your problems Dan with Docker, runc, etc.?
>> From our discussions the other day I thought you needed the ability to
>> transition to svirt_lxc_net_t from domains other than unconfined_t and
>> docker_t ... or was I misunderstanding you?
>
> Note that it is only exec-based transitions that are affected by
> NO_NEW_PRIVS, so one can always leverage dynamic transitions (i.e. setcon)
> without requiring typebounds.

Sure, but I really dislike recommending the use of setcon().

-- 
paul moore
www.paul-moore.com
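As an added example (not code from the thread or from the SELinux project), here is a Python model of the bounded-type rule behind Stephen's point: it parses the typebounds hierarchy he gives and reports which exec-based transitions NO_NEW_PRIVS would permit. The real kernel check is security_bounded_transition(); this is a simplified reimplementation of the same ancestor walk, and the rejection of a second parent for one child models the single-parent constraint Dan ran into.

```python
from typing import Dict, List

# Constructed policy fragment: the hierarchy Stephen describes in the thread.
POLICY = """
typebounds unconfined_t docker_t;
typebounds docker_t svirt_lxc_net_t;
"""


def parse_typebounds(policy: str) -> Dict[str, str]:
    """Return a child -> parent map from 'typebounds parent child;' lines.

    typebounds is a tree: a child may have only one parent, so a second
    declaration naming a different parent for the same child is rejected.
    """
    parents: Dict[str, str] = {}
    for raw in policy.splitlines():
        line = raw.strip()
        if not line.startswith("typebounds "):
            continue
        parts = line.rstrip(";").split()
        if len(parts) != 3:
            raise ValueError(f"malformed typebounds statement: {raw!r}")
        _, parent, child = parts
        if child in parents and parents[child] != parent:
            raise ValueError(f"{child} is already bounded by {parents[child]}")
        parents[child] = parent
    return parents


def ancestors(parents: Dict[str, str], t: str) -> List[str]:
    """Walk the typebounds chain from t upward to the root (nearest first)."""
    chain: List[str] = []
    while t in parents:
        t = parents[t]
        if t in chain:  # a cycle would loop forever; the policy compiler forbids it
            raise ValueError("typebounds cycle detected")
        chain.append(t)
    return chain


def nnp_exec_transition_allowed(parents: Dict[str, str], old: str, new: str) -> bool:
    """Model of the NO_NEW_PRIVS rule: an exec-based transition old -> new is
    permitted only if new is bounded by old (old is new itself or an ancestor).
    Dynamic transitions via setcon() are not subject to this check."""
    return old == new or old in ancestors(parents, new)
```

Later kernels (4.14 and up) additionally accept the transition when policy grants nnp_transition in the process2 class, which this model does not represent.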