On 04/26/2011 01:54 PM, Lennart Poettering wrote:
> On Mon, 25.04.11 20:51, microcai ([email protected]) wrote:
>
>> On 2011-04-25 20:43, Daniel J Walsh wrote:
>>> SELinux would be a good start.
>>
>> No, root inside can still change SE-Linux policy.
>
> No. The SELinux policy can forbid reloading the SELinux policy for
> certain users/processes.
>
> SELinux should work fine to secure nspawn containers.
>
> Lennart
>

Right, the idea would be to run all processes within the nspawn container with the same process label, then only allow the access required for the container.

_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
