[libvirt] [PATCH 3/3] Honour filesystem readonly flag & make special FS readonly

Daniel P. Berrange berrange at redhat.com
Fri Jul 22 14:09:25 UTC 2011

On Fri, Jul 22, 2011 at 08:03:59AM -0600, Eric Blake wrote:
> On 07/22/2011 07:42 AM, Daniel P. Berrange wrote:
> > From: "Daniel P. Berrange" <berrange at redhat.com>
> >
> > A container should not be allowed to modify stuff in /sys
> > or /proc/sys so make them readonly. Make /selinux readonly
> > so that containers think that selinux is disabled.
> Are we ever going to want to mix selinux and containers?  But for
> now, I guess this makes sense.

Yes, I have patches that support sVirt with LXC but they're not
quite ready. SELinux is something that is enabled from the host
OS pov though. eg the container init process is run with an
sVirt container, and all further processes inherit this.

What this change is doing, is making the container OS think
that SELinux is not enabled. This is not true, but we need
to trick it, otherwise the container will try to use SELinux
which won't work, because you can't have different policy
inside the container vs the host OS, the host OS has to be
in control.

|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
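An added illustration of the mount policy discussed in this thread (written for this note, not libvirt's own code): the decision of which container mounts must be read-only is a pure function that can be checked without privileges, while the actual bind-and-remount step assumes it runs as root inside the container's mount namespace.

```c
/* Added example, not libvirt code: force a container's special
   filesystems (/sys, /proc/sys, /selinux) read-only, and honour the
   filesystem's own readonly flag for everything else. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* Paths that are always read-only inside the container, together with
   anything mounted below them. Paths are assumed canonical (no
   trailing slash, no ".."), as a mount setup code path would ensure. */
static const char *const special_ro[] = { "/sys", "/proc/sys", "/selinux" };

/* True if 'path' is 'prefix' itself or lies underneath it. */
static bool path_under(const char *path, const char *prefix)
{
    size_t n = strlen(prefix);
    return strncmp(path, prefix, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Decide whether the mount at 'dst' must be read-only: either the guest
   filesystem was declared readonly, or it is one of the special paths. */
bool container_mount_readonly(const char *dst, bool fs_readonly)
{
    if (fs_readonly)
        return true;
    for (size_t i = 0; i < sizeof(special_ro) / sizeof(special_ro[0]); i++)
        if (path_under(dst, special_ro[i]))
            return true;
    return false;
}

/* Bind-mount src onto dst and, when the policy says so, remount it
   read-only. The kernel ignores MS_RDONLY on the initial bind mount, so
   a second MS_REMOUNT|MS_BIND|MS_RDONLY call is required. Needs
   CAP_SYS_ADMIN; returns 0 on success, -1 on failure. */
int container_bind_mount(const char *src, const char *dst, bool fs_readonly)
{
    if (mount(src, dst, NULL, MS_BIND, NULL) < 0) {
        perror("mount bind");
        return -1;
    }
    if (!container_mount_readonly(dst, fs_readonly))
        return 0;
    if (mount("none", dst, NULL, MS_REMOUNT | MS_BIND | MS_RDONLY, NULL) < 0) {
        perror("remount read-only");
        return -1;
    }
    return 0;
}
```

After the remount, a write such as `echo 1 > /proc/sys/kernel/sysrq` inside the container fails with EROFS, which is the behaviour the patch description asks for.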
