On Fri, 2016-02-26 at 12:13 -0500, Paul Moore wrote:
> On Fri, Feb 26, 2016 at 10:49 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > On 02/26/2016 10:46 AM, Paul Moore wrote:
> > > On Fri, Feb 26, 2016 at 7:54 AM, Daniel J Walsh <dwalsh@xxxxxxxxxm> wrote:
> > > > On Thu, 2016-02-25 at 15:54 -0500, Stephen Smalley wrote:
> > > > > On 02/25/2016 03:28 PM, Daniel J Walsh wrote:
> > > > > > Currently typebounds only allows one instance.
> > > > > It is a hierarchy, where each child has a single parent. So you can
> > > > > define hierarchies like:
> > > > > typebounds unconfined_t docker_t;
> > > > > typebounds docker_t svirt_lxc_net_t;
> > > > > and then they can both transition because they are both ancestors.
> > > > Awesome idea.
> > > Would that resolve all your problems Dan with Docker, runc, etc.?
> > > From our discussions the other day I thought you needed the ability to
> > > transition to svirt_lxc_net_t from domains other than unconfined_t and
> > > docker_t ... or was I misunderstanding you?
> > Note that it is only exec-based transitions that are affected by
> > NO_NEW_PRIVS, so one can always leverage dynamic transitions (i.e. setcon)
> > without requiring typebounds.
> Sure, but I really dislike recommending the use of setcon().

Definitely would not work in the case of go, since fork/exec are pretty much the same command.

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
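As an added example (not code from this thread or from the SELinux project), a small Python model of the rule Stephen describes: under NO_NEW_PRIVS an exec-based transition is only permitted when the new domain is bounded, directly or through the single-parent chain, by the old one. The policy text and the `parse_typebounds`/`bounded_transition_allowed` helpers are constructed here; the model covers only the typebounds check, not the ordinary allow and type_transition rules that must also be present.

```python
# Constructed policy fragment using the hierarchy from the thread:
# svirt_lxc_net_t is bounded by docker_t, which is bounded by unconfined_t.
POLICY = """
typebounds unconfined_t docker_t;
typebounds docker_t svirt_lxc_net_t;
"""


def parse_typebounds(policy_text):
    """Return {child: parent} from 'typebounds PARENT CHILD;' statements.

    typebounds is a tree: each child has exactly one parent, so a second
    declaration for the same child is rejected here.
    """
    parents = {}
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "typebounds":
            raise ValueError(f"not a typebounds statement: {raw!r}")
        _, parent, child = parts
        if child in parents:
            raise ValueError(f"{child} is already bounded by {parents[child]}")
        parents[child] = parent
    return parents


def ancestors(parents, domain):
    """Walk the single-parent chain upward, nearest ancestor first."""
    seen = []
    while domain in parents:
        domain = parents[domain]
        if domain in seen:
            raise ValueError("typebounds cycle")
        seen.append(domain)
    return seen


def bounded_transition_allowed(parents, old_domain, new_domain):
    """Model of the NO_NEW_PRIVS check on an exec-based domain transition:
    staying in the same domain is fine, otherwise the old domain must be an
    ancestor of the new one in the typebounds tree."""
    if old_domain == new_domain:
        return True
    return old_domain in ancestors(parents, new_domain)
```

With this hierarchy both unconfined_t and docker_t may transition to svirt_lxc_net_t, while a domain outside the chain (or a transition back up it) is refused.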