On 3/9/2017 1:03 AM, yangshukui wrote:
> I want to use SELinux in a system container and am only concerned with the function in the container.
> This system container runs in a VM, and every VM has only one system container.
>
> How do I use it now?
> docker run ... system-container /sbin/init
> After init is running, the following service is also running:
>
> #this is the part of the service file which will run in the container after starting the container.
> ..
> semodule -R #use the policy in the container.
> restorecon / #if needed
> ..
>
> This method seems to work if the host OS and the docker image use the same content for rootfs, but if the host uses
> redhat7 and the docker image uses centos7, it will deny many normal operations, and this makes some host services not work.
>
> If SELinux is permissive on the host and enforcing in the container, it will resolve my problem. Unfortunately,
> there is no namespace for SELinux.

The LSM infrastructure is essentially a set of lists. These lists are rooted globally, but there's no reason* they couldn't be rooted in a namespace. That would give each namespace the option of using whatever security scheme was deemed appropriate. There are a number of issues, such as namespacing policy, that would have to be addressed, but the mechanism could work fine. I would look at patches.

---
* Other than the sheer insanity of making security claims about such a system. I would not expect that minor issue to slow demand or deployment any more than it has in the past.

>
> Isolating SELinux is difficult and there is a lot of work to do, but it is easier to isolate selinux_enforcing.
>
> What do you think?
>
> Thank you very much.
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.