path: root/src/nspawn/nspawn-cgroup.h
author: Dan Walsh <dwalsh@redhat.com> 2016-03-09 09:29:25 -0500
committer: Dan Walsh <dwalsh@redhat.com> 2016-03-09 11:19:45 -0500
commit: 68b020494d1ff085281061413d9236b5865ef238 (patch)
tree: 7b9a07add5d2f5f7b7251497f0bd1b712ac3fbae /src/nspawn/nspawn-cgroup.h
parent: 280d397ab313b647fbd824d1cb58eb8323c74501 (diff)
/dev/console must be labeled with the SELinux label

If the user specifies an selinux_apifs_context, all content created in the container, including /dev/console, should use this label. Currently, when this uses the default label, it gets labeled user_devpts_t, which would require us to write a policy allowing container processes to manage user_devpts_t. This means that an escaped process would be allowed to attack all users' terminals as well as other container terminals. Changing the label to match the apifs_context means the processes would only be allowed to manage their specific tty.

This change fixes a problem preventing RKT containers from working with systemd-nspawn.
Diffstat (limited to 'src/nspawn/nspawn-cgroup.h')
0 files changed, 0 insertions, 0 deletions
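The commit message above describes the desired end state (the container's /dev/console carries the selinux_apifs_context, not the host default user_devpts_t) but does not show how to confirm it. The following is an added example, not code from systemd or from this commit: a small POSIX sh check that compares the context actually on /dev/console with the context the container was started with and distinguishes the user_devpts_t case the commit is fixing from any other mismatch. The context strings used as sample input are constructed for the example; the type names svirt_lxc_file_t and container_file_t are assumed illustrative types, and the live check assumes a coreutils stat that supports %C.

```shell
#!/bin/sh
# Added example, not part of the systemd commit or the systemd source tree.
#
# check_console_context ACTUAL EXPECTED
#   ACTUAL   the full SELinux context found on /dev/console
#   EXPECTED the selinux_apifs_context the container was started with
# Returns 0 if the contexts match, 2 if the node still carries the host
# default type user_devpts_t (the situation the commit fixes), 1 for any
# other mismatch. The type is the third colon-separated field of a context
# (user:role:type:range), which is the field the policy question hinges on.
check_console_context() {
    actual="$1"
    expected="$2"
    actual_type=$(printf '%s' "$actual" | cut -d: -f3)

    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    if [ "$actual_type" = "user_devpts_t" ]; then
        return 2
    fi
    return 1
}

# live_console_check EXPECTED
# Runs the same comparison against the real /dev/console of the system the
# script is executed on (intended to be run inside the container). Uses
# stat's %C format to read the SELinux context; on a system without SELinux
# stat prints "?", which will simply be reported as a mismatch (return 1).
live_console_check() {
    ctx=$(stat -c %C /dev/console 2>/dev/null || echo '?')
    check_console_context "$ctx" "$1"
}

# Constructed sample inputs (not captured from a real system), showing the
# three outcomes. Run the script directly to see them.
if [ "${1:-}" = "demo" ]; then
    want="system_u:object_r:svirt_lxc_file_t:s0:c1,c2"
    for ctx in \
        "system_u:object_r:svirt_lxc_file_t:s0:c1,c2" \
        "system_u:object_r:user_devpts_t:s0" \
        "system_u:object_r:container_file_t:s0:c3,c4"; do
        rc=0
        check_console_context "$ctx" "$want" || rc=$?
        printf '%s -> %s\n' "$ctx" "$rc"
    done
fi
```

Run it with `sh check_console.sh demo` to see the three outcomes on the constructed inputs, or call `live_console_check "$EXPECTED_CONTEXT"` from inside a container started with `--selinux-apifs-context=...` to verify the fix on a real system.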