291
edits
Changes
mLine 1:
Line 1: − + − Line 14:
Line 13: + + + + + + + + + + + + + + + + + + + + + +
no edit summary
SELinux is protecting the file system, and the host from attack from inside of a container.
SELinux is protecting the file system, and the host from attack from inside of a container.
The initial SELinux policy for containers was written for a tool called virt-sandbox that used libvirt to launch containers, specifically it used libvirt-lxc.
The initial SELinux policy for containers was written for a tool called [https://www.berrange.com/posts/2012/01/17/building-application-sandboxes-with-libvirt-lxc-kvm/ virt-sandbox], which used libvirt, specifically libvirt-lxc, to launch containers. This first type was called <code>svirt_lxc_t</code> and it is not allowed to have network access.
This first type was called <code>svirt_lxc_t</code> and it is not allowed to have network access.
The successor of <code>svirt_lxc_t</code> is called <code>svirt_lxc_net_t</code> and allows full network access.
The successor of <code>svirt_lxc_t</code> is called <code>svirt_lxc_net_t</code> and allows full network access.
The type for content that the <code>svirt_lxc</code> types could manage is named <code>svirt_sandbox_file_t</code>.
The type for content that the <code>svirt_lxc</code> types could manage is named <code>svirt_sandbox_file_t</code>.
The Docker daemon and Podman are usually running as <code>container_runtime_t</code>, and the default label for content in <code>/var/lib/docker</code> and <code>/var/lib/containers</code> is <code>container_var_lib_t</code>.
The Docker daemon and Podman are usually running as <code>container_runtime_t</code>, and the default label for content in <code>/var/lib/docker</code> and <code>/var/lib/containers</code> is <code>container_var_lib_t</code>.
== SELinux Security Policy Example ==
On systems running SELinux, all processes and files are labeled with security-relevant information known as SELinux context. For files, this context can be viewed using the <code>ls -Z</code> command, and for processes, it can be viewed with the <code>ps -Z</code> command.
Example: <code>system_u:system_r:container_t:s0:c356,c371</code>
{| class="wikitable"
|-
! Description !! Label
|-
| SELinux user || <code>system_u</code>
|-
| SELinux role || <code>system_r</code>
|-
| A shared type || <code>container_t</code>
|-
| Secret-level || <code>s0</code>
|-
| Unique category || <code>c356,c371</code>
|}
== Using correct SELinux label to parasite socket ==
== Using correct SELinux label to parasite socket ==