On Fri, Jul 22, 2011 at 08:03:59AM -0600, Eric Blake wrote:
> On 07/22/2011 07:42 AM, Daniel P. Berrange wrote:
> > From: "Daniel P. Berrange" <berrange(a)redhat.com>
> >
> > A container should not be allowed to modify stuff in /sys
> > or /proc/sys so make them readonly. Make /selinux readonly
> > so that containers think that selinux is disabled.
>
> Are we ever going to want to mix selinux and containers? But for
> now, I guess this makes sense.
Yes, I have patches that support sVirt with LXC but they're not
quite ready. SELinux is something that is enabled from the host
OS pov though, e.g. the container init process is run with an
sVirt container, and all further processes inherit this.

What this change is doing is making the container OS think
that SELinux is not enabled. This is not true, but we need
to trick it, otherwise the container will try to use SELinux
which won't work, because you can't have different policy
inside the container vs the host OS; the host OS has to be
in control.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
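As an added illustration of the mount expectations the patch sets up (not code from the patch or from either poster), here is a POSIX shell check that reads a /proc/mounts-style table from inside a container and reports which of /sys, /proc/sys and /selinux lack the ro option. The sample table is constructed for the example, with /selinux deliberately left writable to show a failing case.

```shell
#!/bin/sh
# Added example, not part of the libvirt patch or this thread: verify
# from inside a container that /sys, /proc/sys and /selinux are mounted
# read-only, using the /proc/mounts format:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>

# Constructed sample table; /selinux is intentionally rw here so the
# check has something to report.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0
selinuxfs /selinux selinuxfs rw,relatime 0 0'

# mount_opts TABLE MOUNTPOINT: print the option string of the last entry
# mounted at MOUNTPOINT (a later mount at the same path shadows earlier
# ones, so the last line wins). Prints nothing if the path is not mounted.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }'
}

# is_readonly TABLE MOUNTPOINT: succeed only if MOUNTPOINT is present in
# the table and its option list contains "ro" as a whole option (so that
# e.g. "errors=remount-ro" is not mistaken for read-only).
is_readonly() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || return 1
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_container_mounts TABLE: print each expected-readonly mount point
# that is missing or writable and return non-zero if any was found.
check_container_mounts() {
    rc=0
    for mp in /sys /proc/sys /selinux; do
        if ! is_readonly "$1" "$mp"; then
            echo "WRITABLE_OR_MISSING $mp"
            rc=1
        fi
    done
    return $rc
}
```

Inside a real container, run `check_container_mounts "$(cat /proc/mounts)"` to check the live mount table instead of the constructed sample.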