[libvirt] Updated patch for virt-sandbox -s inherit
dwalsh at redhat.com
Tue Aug 13 17:10:10 UTC 2013
> -s static,label=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Well running "virt-sandbox -s inherit" would run as unconfined_t for most users.
I the future we need to add a check to libvirt to ask SELinux if it is ok for a user to transiton to the label, rather then just to do it.
Imagine a confined admin which is allowed to generate containers, he should
only be allowed to generate containers with processes labels that he can
transition into, not that libvirt can transition into.
[sandbox PATCH 1/2] Add virt-sandbox -s inherit, to execute the
[sandbox PATCH 2/2] Unit files only exist in Systemd Containers.
More information about the libvir-list