leaving setfcap in docker containers

Kashyap Chamarthy kashyapc at fedoraproject.org
Mon Oct 7 09:06:40 UTC 2013


On 10/05/2013 05:52 AM, Matthew Miller wrote:
> On Fri, Oct 04, 2013 at 06:16:18PM -0400, Daniel J Walsh wrote:
>>> Another question, probably a dumb one. Will this work with the lxc-tools 
>>> approach or just with libvirt-lxc?
>> We can work with it on the lxc version, but I am not sure if it will work
>> easily.
> 
> But libvirt _does_ make it easy? Again, sorry if these are silly questions.
> :)

I haven't tried containers yet; as Dan stated, libvirt has always supported confinement of
guests via sVirt.

If you want to do a quick test:

  $ ls -lZ /var/lib/libvirt/images/fed18.qcow2
  -rw-r--r--. qemu qemu system_u:object_r:svirt_image_t:s0:c920,c980 /var/lib/libvirt/images/fed18.qcow2

  $ ps -eZ | grep qemu
  system_u:system_r:svirt_t:s0:c920,c980 30017 ? 00:00:16 qemu-system-x86


As you can notice above, the QEMU process and its associated disk image have a
*unique* SELinux label. So, even if the QEMU process is compromised, it cannot
spill over to other processes.


/kashyap
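The quick test above compares two labels by eye. The following script is an added example, not part of Kashyap's message or of libvirt: it parses lines in the shape of the `ps -eZ` and `ls -lZ` output quoted above and checks the property sVirt relies on, namely that a guest's QEMU process and its disk image carry the sVirt types and the same MCS category pair, while a second guest's process does not match that image. The two guests' lines are constructed to mirror the message (the second guest's categories c12,c34 are invented); the script never runs `ps` or `ls` itself, so it runs on a host without SELinux.

```shell
#!/bin/sh
# Added example (not from the original message): check sVirt labelling by
# comparing the MCS categories of a QEMU process context with those of its
# disk image. Sample lines below are constructed, not captured.

# Print the MCS categories (5th colon-separated field) of a context such as
# system_u:system_r:svirt_t:s0:c920,c980. Assumes a single-level context
# (s0:cA,cB), which is what sVirt assigns to guests; prints nothing otherwise.
mcs_of() {
    printf '%s\n' "$1" | awk -F: '{ if (NF >= 5) print $5; else print "" }'
}

# Print the SELinux type (3rd colon-separated field) of a context.
type_of() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# Context of a `ps -eZ` line: the first whitespace-separated field.
ctx_from_ps() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# Context of an `ls -lZ` line: the fourth field (after mode, owner, group).
ctx_from_ls() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# check_confinement PS_LINE LS_LINE
# Returns 0 when the process is svirt_t, the image is svirt_image_t and both
# carry the same non-empty MCS categories; returns 1 otherwise. Prints a verdict.
check_confinement() {
    proc_ctx=$(ctx_from_ps "$1")
    img_ctx=$(ctx_from_ls "$2")
    proc_mcs=$(mcs_of "$proc_ctx")
    img_mcs=$(mcs_of "$img_ctx")
    if [ "$(type_of "$proc_ctx")" != "svirt_t" ] || \
       [ "$(type_of "$img_ctx")" != "svirt_image_t" ]; then
        echo "not sVirt-labelled: $proc_ctx vs $img_ctx"
        return 1
    fi
    if [ -z "$proc_mcs" ] || [ "$proc_mcs" != "$img_mcs" ]; then
        echo "MCS mismatch: process $proc_mcs, image $img_mcs"
        return 1
    fi
    echo "confined: process and image share categories $proc_mcs"
    return 0
}

# Constructed sample lines modelled on the output quoted in the message.
GUEST1_PS='system_u:system_r:svirt_t:s0:c920,c980 30017 ? 00:00:16 qemu-system-x86'
GUEST1_LS='-rw-r--r--. qemu qemu system_u:object_r:svirt_image_t:s0:c920,c980 /var/lib/libvirt/images/fed18.qcow2'
# A second guest with its own (invented) category pair: it must not match guest 1's image.
GUEST2_PS='system_u:system_r:svirt_t:s0:c12,c34 30042 ? 00:00:03 qemu-system-x86'

check_confinement "$GUEST1_PS" "$GUEST1_LS"
check_confinement "$GUEST2_PS" "$GUEST1_LS" || echo "(exit status $?: guest 2 may not touch guest 1's image)"
```

On a real host, feed the script the actual lines (`ps -eZ | grep qemu` and `ls -lZ` of the image) instead of the constructed ones; a mismatch usually means dynamic labelling was disabled for the guest or the image kept a stale label.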

