Line 1: |
| SELinux is protecting the file system, and the host from attack from inside of a container. | | SELinux is protecting the file system, and the host from attack from inside of a container. |
| | | |
− | The initial SELinux policy for containers was written for a tool called [https://www.berrange.com/posts/2012/01/17/building-application-sandboxes-with-libvirt-lxc-kvm/ virt-sandbox] that used libvirt to launch containers, specifically it used libvirt-lxc. | + | The initial SELinux policy for containers was written for a tool called [https://www.berrange.com/posts/2012/01/17/building-application-sandboxes-with-libvirt-lxc-kvm/ virt-sandbox], which used libvirt, specifically libvirt-lxc, to launch containers. This first type was called <code>svirt_lxc_t</code> and it is not allowed to have network access. |
− | This first type was called <code>svirt_lxc_t</code> and it is not allowed to have network access. | |
| The successor of <code>svirt_lxc_t</code> is called <code>svirt_lxc_net_t</code> and allows full network access. | | The successor of <code>svirt_lxc_t</code> is called <code>svirt_lxc_net_t</code> and allows full network access. |
| The type for content that the <code>svirt_lxc</code> types could manage is named <code>svirt_sandbox_file_t</code>. | | The type for content that the <code>svirt_lxc</code> types could manage is named <code>svirt_sandbox_file_t</code>. |
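Review bot: the merged paragraph introduces <code>svirt_lxc_t</code>, <code>svirt_lxc_net_t</code> and <code>svirt_sandbox_file_t</code>, but nothing in this section ties those names to the <code>container_runtime_t</code>, <code>container_var_lib_t</code> and <code>container_t</code> types used further down the page; a reader cannot tell whether the svirt_lxc names are historical names for the same types or separate types. Consider adding one sentence after "allows full network access." that states how the two naming schemes relate, or at least that the svirt_lxc names are the older ones. The rewording itself ("which used libvirt, specifically libvirt-lxc, to launch containers") reads more clearly than the original two sentences.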
Line 14: |
Line 13: |
| | | |
| The Docker daemon and Podman are usually running as <code>container_runtime_t</code>, and the default label for content in <code>/var/lib/docker</code> and <code>/var/lib/containers</code> is <code>container_var_lib_t</code>. | | The Docker daemon and Podman are usually running as <code>container_runtime_t</code>, and the default label for content in <code>/var/lib/docker</code> and <code>/var/lib/containers</code> is <code>container_var_lib_t</code>. |
| + | |
| + | == SELinux Security Policy Example == |
| + | |
| + | On systems running SELinux, all processes and files are labeled with security-relevant information known as SELinux context. For files, this context can be viewed using the <code>ls -Z</code> command, and for processes, it can be viewed with the <code>ps -Z</code> command. |
| + | |
| + | |
| + | Example: <code>system_u:system_r:container_t:s0:c356,c371</code> |
| + | |
| + | {| class="wikitable" |
| + | |- |
| + | ! Description !! Label |
| + | |- |
| + | | SELinux user || <code>system_u</code> |
| + | |- |
| + | | SELinux role || <code>system_r</code> |
| + | |- |
| + | | A shared type || <code>container_t</code> |
| + | |- |
| + | | Secret-level || <code>s0</code> |
| + | |- |
| + | | Unique category || <code>c356,c371</code> |
| + | |} |
| | | |
| == Using correct SELinux label to parasite socket == | | == Using correct SELinux label to parasite socket == |
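Review bot: the table labels for the last two fields of the example context are misleading. For <code>system_u:system_r:container_t:s0:c356,c371</code>, <code>s0</code> is the MLS/MCS sensitivity level (not a "Secret-level"; <code>s0</code> is the lowest level and carries no secrecy meaning by itself) and <code>c356,c371</code> are the MCS categories that make each container's label unique. Suggested rows: "Sensitivity level || <code>s0</code>" and "MCS categories (unique per container) || <code>c356,c371</code>". The row "A shared type || <code>container_t</code>" would also read better as "Type (shared by all containers) || <code>container_t</code>", since the point the section is making is that the type is the same for every container and only the categories differ. Minor: the section heading says "Security Policy Example" but the content shows a label, so "SELinux Label Example" fits better, and the two consecutive empty rows before the "Example:" line can be collapsed to one.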