diff options
author | Dan Walsh <dwalsh@redhat.com> | 2016-03-09 09:29:25 -0500 |
---|---|---|
committer | Dan Walsh <dwalsh@redhat.com> | 2016-03-09 11:19:45 -0500 |
commit | 68b020494d1ff085281061413d9236b5865ef238 (patch) | |
tree | 7b9a07add5d2f5f7b7251497f0bd1b712ac3fbae /src/nspawn/nspawn-cgroup.h | |
parent | 280d397ab313b647fbd824d1cb58eb8323c74501 (diff) |
/dev/console must be labeled with SELinux label
If the user specifies an selinux_apifs_context all content created in
the container including /dev/console should use this label.
Currently when this uses the default label it gets labeled user_devpts_t,
which would require us to write a policy allowing container processes to
manage user_devpts_t. This means that an escaped process would be allowed
to attack all users terminals as well as other container terminals. Changing
the label to match the apifs_context, means the processes would only be allowed
to manage their specific tty.
This change fixes a problem preventing RKT containers from working with systemd-nspawn.
Diffstat (limited to 'src/nspawn/nspawn-cgroup.h')
0 files changed, 0 insertions, 0 deletions