mirror of https://github.com/containers/podman.git
The original SELinux support in Docker and Podman does not follow the default SELinux rules for how label transitions are supposed to be handled. Containers always switch their user and role to system_u:system_r, rather than maintain the caller's user and role. For example: unconfined_u:unconfined_r:container_t:s0:c1,c2

Advanced SELinux administrators want to confine users but still allow them to create containers from their role, but not allow them to launch a privileged container like spc_t.

This means if a user running as container_user_u:container_user_r:container_user_t:s0 ran a container, they would get container_user_u:container_user_r:container_t:s0:c1,c2

If they run a privileged container, they would run it with: container_user_u:container_user_r:container_user_t:s0

If they want to force the label, they would get an error:

podman run --security-opt label=type:spc_t ...

Should fail, because the container_user_r can not run with the spc_t. SELinux rules would also prevent the user from forcing the system_u user and the system_r role.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Signed-off-by: Chris Evich <cevich@redhat.com>
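The label-transition rules the commit message describes, as an added example (not podman's own code, which hands the decision to the go-selinux library and to the SELinux policy loaded in the kernel). The `Label`, `Options` and `ContainerLabel` names and the `allowedTypes` role/type table are assumptions of this example: the table is a constructed stand-in for the policy rules that decide which types a role may run, and the caller contexts are the ones quoted in the commit message.

```go
package main

import (
	"fmt"
	"strings"
)

// Label is an SELinux process context, user:role:type:level.
type Label struct {
	User, Role, Type, Level string
}

// ParseLabel splits "u:r:t:level" into its fields. The level may itself
// contain colons (s0:c1,c2), so only the first three separators count.
func ParseLabel(s string) (Label, error) {
	p := strings.SplitN(s, ":", 4)
	if len(p) != 4 || p[0] == "" || p[1] == "" || p[2] == "" || p[3] == "" {
		return Label{}, fmt.Errorf("malformed SELinux label %q", s)
	}
	return Label{User: p[0], Role: p[1], Type: p[2], Level: p[3]}, nil
}

func (l Label) String() string {
	return l.User + ":" + l.Role + ":" + l.Type + ":" + l.Level
}

// allowedTypes is a constructed stand-in for the policy's role/type rules
// (assumption: unconfined_r may run spc_t, the confined container_user_r may not).
// Unknown roles are absent and therefore fail closed.
var allowedTypes = map[string]map[string]bool{
	"unconfined_r":     {"container_t": true, "spc_t": true, "unconfined_t": true},
	"container_user_r": {"container_t": true, "container_user_t": true},
	"system_r":         {"container_t": true, "spc_t": true},
}

// Options models the subset of --privileged / --security-opt label=... inputs
// that matter for the transition (hypothetical struct for this example).
type Options struct {
	Privileged bool   // --privileged
	User       string // label=user:...
	Role       string // label=role:...
	Type       string // label=type:...
	MCS        string // categories assigned to the container, e.g. "c1,c2"
}

// ContainerLabel returns the context a container process would run with when
// launched by a caller running as callerCtx, or an error when the requested
// transition would be denied by the (modelled) policy.
func ContainerLabel(callerCtx string, o Options) (string, error) {
	caller, err := ParseLabel(callerCtx)
	if err != nil {
		return "", err
	}
	// Rule 1: user and role are inherited from the caller; forcing a different
	// one (e.g. system_u or system_r) is refused.
	if o.User != "" && o.User != caller.User {
		return "", fmt.Errorf("user %s may not run as %s", caller.User, o.User)
	}
	if o.Role != "" && o.Role != caller.Role {
		return "", fmt.Errorf("role %s may not transition to %s", caller.Role, o.Role)
	}
	out := Label{User: caller.User, Role: caller.Role}

	switch {
	case o.Type != "":
		// Rule 3: a forced type must be one the caller's role is allowed to run.
		if !allowedTypes[caller.Role][o.Type] {
			return "", fmt.Errorf("role %s cannot run type %s", caller.Role, o.Type)
		}
		out.Type = o.Type
	case o.Privileged:
		// Rule 2b: a privileged container keeps the caller's own type.
		out.Type = caller.Type
	default:
		// Rule 2a: an ordinary container transitions to container_t.
		out.Type = "container_t"
	}

	// MCS categories are appended only for the confined container_t process;
	// a privileged or caller-typed container keeps the caller's level.
	out.Level = caller.Level
	if out.Type == "container_t" && o.MCS != "" {
		out.Level = caller.Level + ":" + o.MCS
	}
	return out.String(), nil
}

func main() {
	caller := "container_user_u:container_user_r:container_user_t:s0"
	for _, c := range []Options{
		{MCS: "c1,c2"},       // ordinary container
		{Privileged: true},   // privileged container
		{Type: "spc_t"},      // --security-opt label=type:spc_t, must fail
		{Role: "system_r"},   // forcing system_r, must fail
	} {
		l, err := ContainerLabel(caller, c)
		fmt.Printf("%+v -> %q err=%v\n", c, l, err)
	}
}
```

Running the block prints the four outcomes for the confined caller from the commit message: the ordinary and privileged labels it quotes, and errors for the forced spc_t type and the forced system_r role. The same function applied to an unconfined_u:unconfined_r caller yields container_t with categories, and permits spc_t, which is the asymmetry the confined role is meant to enforce.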
| File |
|---|
| .. |
| createparse.go |
| ports.go |
| ports_test.go |
| specgen.go |
| specgenutil_test.go |
| util.go |
| util_test.go |
| volumes.go |
| volumes_test.go |