mirror of https://github.com/containers/podman.git
ad8a96ab95
Currently Podman prevents SELinux container separation, when running within a container. This PR adds a new --security-opt label=nested When setting this option, Podman unmasks and mountsi /sys/fs/selinux into the containers making /sys/fs/selinux fully exposed. Secondly Podman sets the attribute run.oci.mount_context_type=rootcontext This attribute tells crun to mount volumes with rootcontext=MOUNTLABEL as opposed to context=MOUNTLABEL. With these two settings Podman inside the container is allowed to set its own SELinux labels on tmpfs file systems mounted into its parents container, while still being confined by SELinux. Thus you can have nested SELinux labeling inside of a container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> |
||
|---|---|---|
| .. | ||
| kube | ||
| config_linux.go | ||
| config_linux_cgo.go | ||
| config_linux_nocgo.go | ||
| config_linux_test.go | ||
| container.go | ||
| container_create.go | ||
| namespaces.go | ||
| namespaces_freebsd.go | ||
| namespaces_linux.go | ||
| namespaces_unsupported.go | ||
| oci.go | ||
| oci_freebsd.go | ||
| oci_linux.go | ||
| oci_unsupported.go | ||
| pause_image.go | ||
| pod_create.go | ||
| pod_create_test.go | ||
| ports.go | ||
| ports_bench_test.go | ||
| ports_test.go | ||
| rlimit_int64.go | ||
| rlimit_uint64.go | ||
| security_freebsd.go | ||
| security_linux.go | ||
| security_unsupported.go | ||
| storage.go | ||
| validate.go | ||