The Docker daemon and Podman usually run as <code>container_runtime_t</code>, and the default label for content under <code>/var/lib/docker</code> and <code>/var/lib/containers</code> is <code>container_var_lib_t</code>.

== SELinux Security Policy Example ==
On systems running SELinux, every process and file is labeled with security-relevant information known as its SELinux context. The context of a file is shown by <code>ls -Z</code>, and the context of a process by <code>ps -Z</code>.

Example: <code>system_u:system_r:container_t:s0:c356,c371</code>
{| class="wikitable"
|-
! Field !! Value
|-
| SELinux user || <code>system_u</code>
|-
| SELinux role || <code>system_r</code>
|-
| Type (shared by all containers) || <code>container_t</code>
|-
| Sensitivity level || <code>s0</code>
|-
| Categories (unique per container) || <code>c356,c371</code>
|}
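The following shell script is an added example, not part of the wiki page: it splits a context string of the form shown above into its four fields and classifies a process as a container, the container runtime, or something else by its type. The sample contexts are constructed; only the <code>system_u:system_r:container_t:s0:c356,c371</code> one comes from the page.

```shell
#!/bin/sh
# Added example (not from the wiki page): parse an SELinux context as printed by
# `ls -Z` / `ps -Z` into user, role, type and level, then classify it by type.
# Assumes the user:role:type[:level] layout; the level part may itself contain
# ':' (an MLS range such as s0-s0:c0.c1023), so only the first three ':' split.

# selinux_field CONTEXT FIELD  -> prints the requested field (user|role|type|level)
selinux_field() {
    ctx=$1
    u=${ctx%%:*};  rest=${ctx#*:}      # SELinux user
    r=${rest%%:*}; rest=${rest#*:}     # SELinux role
    t=${rest%%:*}                      # type (domain for processes)
    case $rest in                      # level is optional on non-MLS/MCS policies
        *:*) l=${rest#*:} ;;
        *)   l= ;;
    esac
    case $2 in
        user)  printf '%s\n' "$u" ;;
        role)  printf '%s\n' "$r" ;;
        type)  printf '%s\n' "$t" ;;
        level) printf '%s\n' "$l" ;;
        *)     return 1 ;;
    esac
}

# classify CONTEXT -> container | runtime | other, based on the type field
classify() {
    case $(selinux_field "$1" type) in
        container_t)         echo container ;;   # a process inside a container
        container_runtime_t) echo runtime ;;     # dockerd / podman themselves
        *)                   echo other ;;
    esac
}

# Constructed sample contexts as `ps -eZ` would show them on a host:
CONTAINER_CTX='system_u:system_r:container_t:s0:c356,c371'
RUNTIME_CTX='system_u:system_r:container_runtime_t:s0'
SHELL_CTX='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

for c in "$CONTAINER_CTX" "$RUNTIME_CTX" "$SHELL_CTX"; do
    printf '%-55s type=%s level=%s -> %s\n' "$c" \
        "$(selinux_field "$c" type)" "$(selinux_field "$c" level)" "$(classify "$c")"
done
```

Two containers carry the same <code>container_t</code> type and differ only in the category pair, so the level field is what tells them apart.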
== Using correct SELinux label to parasite socket ==