More open but not privileged domain? #43
`--security-opt label:disable` does not disable SELinux; it just disables SELinux separation for the container, running the container as spc_t, which is pretty much the same as unconfined_t. You could also attempt to run `--security-opt label=type:unconfined_t`, which should get close to what you want if it works.
Yeah, but
There's a whole other topic here in that I am increasingly feeling Docker isn't the right solution for "user pet containers", as I really want the container to be a child process of my login session, for example. But...that's a whole other thing.
cgwalters, kpod might give you something closer.
We now have the container_userns_t domain, whose goal is to satisfy these needs.
@cgwalters https://github.com/containers/udica is an effort to facilitate this. |
I'm using Fedora Atomic Workstation:

Previously my "devshell" container was run with `--privileged`, which I'm trying to get away from for obvious reasons. However, my daily development involves testing rpm-ostree, which uses bwrap. I am running with `--security-opt seccomp:unconfined` since I obviously want to be able to use strace/gdb in my devshell. However, the default SELinux policy denies a lot of things that one wants to do when creating user namespaces:

```
type=AVC msg=audit(1510840822.440:772): avc: denied { mount } for pid=27009 comm="bwrap" name="/" dev="tmpfs" ino=313846 scontext=system_u:system_r:container_t:s0:c47,c237 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
```

Now, things do work with `--security-opt label:disable`. But I actually want some of the protections of SELinux here. So, maybe something like `--security-opt label:unconfined`? Basically the way I think of this is it should have a quite similar set of permissions as a default unprivileged login shell, i.e. `unconfined_t`.
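The AVC record above is the thing an operator has to read to tell which label a container actually got. As an added example (not code from this issue or from the container-selinux project), here is a small parser for that record format that pulls out the denied permission, the source and target types, and reports whether the source domain is one of the confined container domains or one of the unconfined ones named in this thread; the sample line is the one quoted above and the function names are my own.

```python
"""Parse SELinux AVC denial records and classify the source domain."""
import re
from typing import Dict, List, Optional

# Constructed sample: the AVC line quoted in the issue body.
SAMPLE_AVC = (
    'type=AVC msg=audit(1510840822.440:772): avc: denied { mount } for pid=27009 '
    'comm="bwrap" name="/" dev="tmpfs" ino=313846 '
    'scontext=system_u:system_r:container_t:s0:c47,c237 '
    'tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0'
)

# Domains discussed in this thread. (Assumption: this is the full set we care about.)
CONFINED_DOMAINS = {"container_t", "container_userns_t"}
UNCONFINED_DOMAINS = {"spc_t", "unconfined_t"}

_DECISION = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
_TIMESTAMP = re.compile(r"audit\((\d+\.\d+):(\d+)\)")
_KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted or bare values


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one AVC record, or None if the line is not an AVC record."""
    decision = _DECISION.search(line)
    if decision is None:
        return None
    rec: Dict[str, object] = {"decision": decision.group(1),
                              "perms": decision.group(2).split()}
    ts = _TIMESTAMP.search(line)
    if ts:
        rec["timestamp"], rec["serial"] = ts.group(1), ts.group(2)
    # Only parse key=value pairs after the "{ perms }" block, so msg=audit(...) is skipped.
    for key, value in _KEY_VALUE.findall(line[decision.end():]):
        rec[key] = value.strip('"')
    # A context is user:role:type:level; the type is what policy rules key on.
    for ctx in ("scontext", "tcontext"):
        parts = str(rec.get(ctx, "")).split(":", 3)
        rec[ctx + "_type"] = parts[2] if len(parts) > 2 else ""
    return rec


def classify_domain(domain: str) -> str:
    """Map a source type to 'confined', 'unconfined' or 'other'."""
    if domain in CONFINED_DOMAINS:
        return "confined"
    if domain in UNCONFINED_DOMAINS:
        return "unconfined"
    return "other"


def summarize(line: str) -> Optional[Dict[str, object]]:
    """Condense one record into what a container operator needs to decide on labels."""
    rec = parse_avc(line)
    if rec is None:
        return None
    domain = str(rec["scontext_type"])
    return {"domain": domain, "confinement": classify_domain(domain),
            "denied": rec["decision"] == "denied", "perms": rec["perms"],
            "tclass": rec.get("tclass"), "target_type": rec["tcontext_type"],
            "comm": rec.get("comm"), "enforcing": rec.get("permissive") == "0"}
```

Running `summarize(SAMPLE_AVC)` shows a confined `container_t` process (`bwrap`) denied `mount` on a `tmpfs_t` filesystem while enforcing; a record from a container started with `label:disable` would instead show `spc_t` as the domain.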