Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). Containers support running on hosts with SELinux enabled. If you are just getting started with SELinux, I highly recommend watching "Security-Enhanced Linux for mere mortals" by Thomas Cameron. In the cloud, if you are looking to run containers on SELinux you will need to run on top of CentOS or Red Hat Enterprise Linux; these operating systems have the best support for SELinux and the corresponding policy modules.

I have recently been diving into SELinux for use within highly regulated environments. I have attempted to explain how SELinux works with containers and how you can get started.

SELinux policies for containers are defined by the container-selinux package. Docker CE requires this package (along with its dependencies) so that the processes and files created by Docker run with limited system access. Containers leverage the container_t label, which is simply an alias to svirt_lxc_net_t, and the container_file_t label, which is an alias to svirt_sandbox_file_t.

By default, containers run with the label container_t and are allowed to read/execute under /usr and read most content from /etc. More information is available on Dan Walsh's blog. The files under /var/lib/docker and /var/lib/containers have the label container_var_lib_t:

root root system_u:object_r:container_var_lib_t:s0 builder
root root system_u:object_r:container_var_lib_t:s0 buildkit
root root system_u:object_r:container_var_lib_t:s0 containers
root root system_u:object_r:container_var_lib_t:s0 image
root root system_u:object_r:container_var_lib_t:s0 lost+found
root root system_u:object_r:container_var_lib_t:s0 network
root root system_u:object_r:container_share_t:s0 overlay2
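As an added example (not from the original post), the following shell script audits a listing like the one above: it reads lines in the owner/group/context/name format, pulls the type out of the user:role:type:level context, and reports any entry directly under /var/lib/docker whose type is not the one container-selinux is expected to assign (container_share_t for overlay2, container_var_lib_t for everything else). The expected-type table, the sample listing with its deliberately mislabeled plugins entry, and the column layout of GNU coreutils ls -lZ in the final comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the SELinux type of each entry under /var/lib/docker
# against the type container-selinux is expected to assign there.
# Input lines look like the post's listing: "owner group context name".

# Constructed sample (not real host output). The "plugins" entry is
# deliberately mislabeled default_t to show what a drift report looks like.
SAMPLE_LISTING='root root system_u:object_r:container_var_lib_t:s0 builder
root root system_u:object_r:container_var_lib_t:s0 buildkit
root root system_u:object_r:container_var_lib_t:s0 containers
root root system_u:object_r:container_var_lib_t:s0 image
root root system_u:object_r:container_share_t:s0 overlay2
root root system_u:object_r:default_t:s0 plugins'

# Expected type for an entry name (assumed table): overlay2 holds image
# layers shared with containers, so it is container_share_t; the rest of
# /var/lib/docker is container_var_lib_t.
expected_type() {
    case "$1" in
        overlay2) echo container_share_t ;;
        *)        echo container_var_lib_t ;;
    esac
}

# Print one "name actual expected" line per mislabeled entry; print nothing
# when every entry carries the expected type. The context field has the
# form user:role:type:level, so the type is the third colon-separated field.
check_labels() {
    printf '%s\n' "$1" | while read -r _owner _group context name; do
        [ -n "$name" ] || continue
        ctx_type=$(printf '%s' "$context" | cut -d: -f3)
        want=$(expected_type "$name")
        [ "$ctx_type" = "$want" ] || printf '%s %s %s\n' "$name" "$ctx_type" "$want"
    done
}

# Live use on an SELinux host (GNU coreutils ls -lZ: owner, group and
# context are columns 3-5, the name is the last column; line 1 is "total"):
#   check_labels "$(ls -lZ /var/lib/docker | awk 'NR>1 {print $3, $4, $5, $NF}')"
# Any reported entry can be relabeled from policy with: restorecon -Rv /var/lib/docker
check_labels "$SAMPLE_LISTING"
```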