On 08/23/2015 08:10 AM, arnaud gaboury wrote: > Here is my setup: > > Host: Archlinux systemd 224-1 > Container: Fedora 22 systemd 219 > > The container is a server and has vocation to be one day deployed on a > dediacted server for production. In this way, I would like to set > SElinux (default in Fedora). Unfortunately, doing it in Arch host is > not a trivial affair and as host is a desktop, I would like to avoid. > > For now, SElinux is enabled in the Kernel with disables at boot with > selinux=0. > > Is there any way to enable and configure SElinux only in the > container? Looking at capabilities(7) did not give me any hints. As a > side note, CAP_SYS_MODULE does not work for container. I guess it is > due to systemd 219 on the container ? > > Thank you. > You would have to write a policy for this. You could write a policy where everything is an unconfined domain, but the containers run confined.
You would write something where the kernel, systemd ... all run as os_t, then allow docker or other domain to transition the container domain. container_t. But this would not give you fine grained control within the container. It also would probably require a lot of policy writing. But would seem to be a good university project... _______________________________________________ systemd-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/systemd-devel
