332
edits
Changes
Jump to navigation
Jump to search
mLine 13:
Line 13: + + + + + + + + + + + + + + + + + + + + + +
no edit summary
The Docker daemon and Podman are usually running as <code>container_runtime_t</code>, and the default label for content in <code>/var/lib/docker</code> and <code>/var/lib/containers</code> is <code>container_var_lib_t</code>.
The Docker daemon and Podman are usually running as <code>container_runtime_t</code>, and the default label for content in <code>/var/lib/docker</code> and <code>/var/lib/containers</code> is <code>container_var_lib_t</code>.
== SELinux Security Policy Example ==
On systems running SELinux, all processes and files are labeled with security-relevant information known as SELinux context. For files, this context can be viewed using the <code>ls -Z</code> command, and for processes, it can be viewed with the <code>ps -Z</code> command.
Example: <code>system_u:system_r:container_t:s0:c356,c371</code>
{| class="wikitable"
|-
! Description !! Label
|-
| SELinux user || <code>system_u</code>
|-
| SELinux role || <code>system_r</code>
|-
| A shared type || <code>container_t</code>
|-
| Secret-level || <code>s0</code>
|-
| Unique category || <code>c356,c371</code>
|}
== Using correct SELinux label to parasite socket ==
== Using correct SELinux label to parasite socket ==