On Mon, Aug 24, 2015 at 1:30 PM, Daniel J Walsh <[email protected]> wrote: > > > On 08/23/2015 08:10 AM, arnaud gaboury wrote: >> Here is my setup: >> >> Host: Archlinux systemd 224-1 >> Container: Fedora 22 systemd 219 >> >> The container is a server and has vocation to be one day deployed on a >> dediacted server for production. In this way, I would like to set >> SElinux (default in Fedora). Unfortunately, doing it in Arch host is >> not a trivial affair and as host is a desktop, I would like to avoid. >> >> For now, SElinux is enabled in the Kernel with disables at boot with >> selinux=0. >> >> Is there any way to enable and configure SElinux only in the >> container? Looking at capabilities(7) did not give me any hints. As a >> side note, CAP_SYS_MODULE does not work for container. I guess it is >> due to systemd 219 on the container ? >> >> Thank you. >> > You would have to write a policy for this. You could write a policy > where everything is > an unconfined domain, but the containers run confined. > > You would write something where the kernel, systemd ... all run as os_t, > then allow > docker or other domain to transition the container domain. container_t. > > But this would not give you fine grained control within the container. > > It also would probably require a lot of policy writing. But would seem > to be a good > university project...
Thank you for these details. Unfortunately, 50 years old and too late for any university project :-( As I have many other things to build/code for my current project (build/deploy R[0] web apps), I will take care of SElinux once I am on the production server. [0]https://www.r-project.org/ -- google.com/+arnaudgabourygabx _______________________________________________ systemd-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/systemd-devel
