leaving setfcap in docker containers

Daniel J Walsh dwalsh at redhat.com
Mon Oct 7 11:55:31 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/04/2013 08:22 PM, Matthew Miller wrote:
> On Fri, Oct 04, 2013 at 06:16:18PM -0400, Daniel J Walsh wrote:
>>> Another question, probably a dumb one. Will this work with the
>>> lxc-tools approach or just with libvirt-lxc?
>> We can work with it on the lxc version, but I am not sure if it will
>> work easily.
> 
> But libvirt _does_ make it easy? Again, sorry if these are silly
> questions. :)
> 
Yes, libvirt makes it much easier because it is built in.  To get this to work
with the lxc tool set we need to add a patch to lxc to launch the applications
that run within a container with a particular SELinux label.  This means we
need to patch docker to take an SELinux label or to pick a default, and then
pass it to lxc, which will tell the kernel what label to launch.  We already do
this with the libvirt-sandbox tools, and libvirt-lxc does the setup and launch
with the correct label.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJSoTMACgkQrlYvE4MpobPkrQCgvf9uYoTWHU0tBtdBG6mIshfI
6LsAn3GReKJ2DlHE+qmdtWQINXZpo+1E
=vgoA
-----END PGP SIGNATURE-----
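The launch step described in the message above (take a caller-supplied SELinux label or pick a default, then tell the kernel what label the container's processes should run under) as an added, self-contained example. This is not code from the post, from docker, lxc or libvirt; it uses the kernel's own /proc/self/attr/exec interface (the same one libselinux's setexeccon() wraps) rather than any lxc patch. The default type svirt_lxc_net_t, the two-category MCS scheme and the helper names are assumptions chosen to mirror what libvirt's sVirt did for containers, not values taken from the page.

```python
"""Launch a process under a chosen SELinux label, the way a container
launcher sitting between docker and the kernel would have to.

Added example; not code from the mailing-list post, docker, lxc or libvirt.
"""
import os
import random
import re
import subprocess

# Assumed default identity for container processes.  libvirt-sandbox used the
# svirt_lxc_net_t type at the time; treat these names as assumptions.
DEFAULT_USER = "system_u"
DEFAULT_ROLE = "system_r"
DEFAULT_TYPE = "svirt_lxc_net_t"
MCS_CATEGORIES = 1024  # a stock MCS policy defines c0..c1023

# user:role:type:level, where level is s<N> with an optional category set.
# Only the single-level form used here is accepted; s0-s0:c0.c1023 style
# ranges are deliberately out of scope.
CONTEXT_RE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+):"
    r"(?P<level>s\d+(?::c\d+(?:,c\d+)*)?)$"
)


def parse_context(label):
    """Split a context string into its fields; reject anything malformed."""
    m = CONTEXT_RE.match(label)
    if not m:
        raise ValueError("not a user:role:type:level SELinux context: %r" % label)
    return m.groupdict()


def default_label(seed=None):
    """Pick a default label with two distinct, sorted MCS categories.

    Two random categories per container is the sVirt scheme: two containers
    with different category pairs are MCS-isolated from each other's files
    even though they share the same type.  `seed` exists only to make the
    choice reproducible for tests.
    """
    rng = random.Random(seed) if seed is not None else random
    a, b = sorted(rng.sample(range(MCS_CATEGORIES), 2))
    return "%s:%s:%s:s0:c%d,c%d" % (DEFAULT_USER, DEFAULT_ROLE, DEFAULT_TYPE, a, b)


def choose_label(requested=None, seed=None):
    """Take a caller-supplied label or fall back to a default; validate either."""
    label = requested if requested else default_label(seed)
    parse_context(label)  # raises ValueError on junk before it reaches the kernel
    return label


def selinux_enabled():
    """True when selinuxfs is mounted, i.e. the kernel can honour a label."""
    return os.path.exists("/sys/fs/selinux/enforce") or os.path.exists("/selinux/enforce")


def set_exec_context(label):
    """Ask the kernel to run this process's next execve() under `label`.

    Writing to /proc/self/attr/exec is exactly what setexeccon() does.  The
    policy must allow the current domain the `setexec` process permission and
    the transition to the target type, or the write (or the execve) fails.
    """
    with open("/proc/self/attr/exec", "w") as f:
        f.write(label)


def launch(argv, label=None):
    """Start `argv` with the chosen label applied in the child before exec."""
    label = choose_label(label)
    if not selinux_enabled():
        raise RuntimeError("SELinux is not enabled; cannot apply label " + label)
    return subprocess.Popen(argv, preexec_fn=lambda: set_exec_context(label))


if __name__ == "__main__":
    # Quick self-check: the child reports the label it actually received.
    chosen = choose_label()
    print("chosen label:", chosen)
    if selinux_enabled():
        launch(["cat", "/proc/self/attr/current"], chosen).wait()
    else:
        print("SELinux not enabled on this host; label not applied")
```

Run it on an SELinux host and the child's `cat /proc/self/attr/current` should print the chosen label; if it prints the parent's context instead, the policy refused the transition and the launcher should treat that as a hard failure rather than running the container unlabelled.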

