Run time security for containers using udica #75
Comments
@wrabcak, wouldn't applying a new SELinux policy require a container restart either way? I thought you needed to set SELinux labels on process start.
Can we provide a default SELinux profile with certain profiles for containers, and override containers with a daemon SIGHUP? This will certainly improve the SELinux implementation in containers.

On Fri, 18 Sep 2020, 19:05 Juan Osorio Robles wrote:
> @wrabcak, wouldn't applying a new SELinux policy require a container restart either way? I thought you needed to set SELinux labels on process start.
@JAORMX, there is a possibility to force a label change during process runtime, but I don't know if it's possible for containers.
Uhm... that might be an RFE then for the container runtime (e.g. Podman) more than Udica.
Sorry, it's not possible; discussed with the SELinux userspace maintainer.
Runtime Security
After creating my_container.process for a container, can we make it apply to the container without restarting the containers?
Describe the solution you'd like
Running a udica daemon to capture the container specs to create, and applying SIGHUP to the daemon to hot reload.
Describe alternatives you've considered
Running daemonsets in all nodes or one daemon to all nodes to
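The thread settles on the point that a process's SELinux label is fixed when the process starts, so a freshly installed udica policy only reaches containers that are (re)started with `--security-opt label=type:<name>.process`. The script below is an added example, not udica's own code and not the daemon proposed in this issue: it reads `podman inspect` output (constructed sample records here), lists the running containers whose process type is not the udica type, and prints the `podman run` invocation that would recreate each one under it. The inspect field names (`Id`, `Name`, `ImageName`, `ProcessLabel`, `State.Running`) follow podman's inspect format; the container names, image names and the `my_container.process` type are assumptions.

```python
"""Find running containers that are not confined by a given udica type and
print the command that would recreate them under it.

Added example, not udica's code.  SAMPLE_INSPECT is constructed to resemble
`podman inspect <ctr> ...` output; only the fields this script reads are filled in.
"""
import json
import re
from typing import Dict, List, Optional

# SELinux context: user:role:type[:range]; the type is the third field.
_CTX_RE = re.compile(r"^([^:]+):([^:]+):([^:]+)(?::(.*))?$")

# Constructed sample: four containers, two of which need attention.
SAMPLE_INSPECT = json.dumps([
    {"Id": "1a2b3c4d5e6f7a8b9c0d1e2f", "Name": "web",
     "ImageName": "docker.io/library/nginx:latest",
     "ProcessLabel": "system_u:system_r:container_t:s0:c12,c345",   # default type
     "State": {"Running": True}},
    {"Id": "2b3c4d5e6f7a8b9c0d1e2f3a", "Name": "api",
     "ImageName": "localhost/api:1.0",
     "ProcessLabel": "system_u:system_r:my_container.process:s0:c7,c890",  # already udica type
     "State": {"Running": True}},
    {"Id": "3c4d5e6f7a8b9c0d1e2f3a4b", "Name": "batch",
     "ImageName": "localhost/batch:1.0",
     "ProcessLabel": "", "State": {"Running": False}},               # stopped
    {"Id": "4d5e6f7a8b9c0d1e2f3a4b5c", "Name": "debug",
     "ImageName": "localhost/debug:1.0",
     "ProcessLabel": "", "State": {"Running": True}},                # label=disable or no SELinux
])


def context_type(label: Optional[str]) -> Optional[str]:
    """Return the type field of an SELinux context, or None if empty/invalid."""
    if not label:
        return None
    m = _CTX_RE.match(label)
    return m.group(3) if m else None


def containers_needing_restart(inspect_json: str, wanted_type: str) -> List[Dict[str, str]]:
    """Running containers whose process type differs from wanted_type.

    Stopped containers are skipped: they pick up the new label when next
    started, so only live processes carry a stale (or missing) label.
    """
    rows = []
    for rec in json.loads(inspect_json):
        if not rec.get("State", {}).get("Running"):
            continue
        current = context_type(rec.get("ProcessLabel"))
        if current == wanted_type:
            continue
        rows.append({
            "id": rec["Id"][:12],
            "name": rec["Name"],
            "image": rec.get("ImageName", "<unknown>"),
            "current_type": current or "none (unlabeled)",
        })
    return rows


def restart_command(name: str, image: str, wanted_type: str) -> str:
    """The podman invocation that recreates a container under the udica type.

    --replace removes the existing container of the same name; any volumes,
    ports or env the original had must be passed again (assumption: the caller
    keeps those in its own spec).
    """
    return (f"podman run -d --replace --name {name} "
            f"--security-opt label=type:{wanted_type} {image}")


if __name__ == "__main__":
    wanted = "my_container.process"   # assumed: what `udica my_container` generated
    for row in containers_needing_restart(SAMPLE_INSPECT, wanted):
        print(f"{row['name']} ({row['id']}) runs as {row['current_type']}, not {wanted}")
        print("  " + restart_command(row["name"], row["image"], wanted))
```

On a real host feed it `podman inspect $(podman ps -q)` after `semodule -i my_container.cil /usr/share/udica/templates/base_container.cil`; the udica policy must already be loaded, otherwise the `label=type:` option fails at container start rather than at install time.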