From a8828ed93878b4b4866d40ebfb660e54995ff72e Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Thu, 30 Jan 2014 16:28:02 -0500
Subject: Add SELinux support to systemd-nspawn
This patch adds to new options: -Z PROCESS_LABEL This specifies the process label to run on processes run within the container. -L FILE_LABEL The file label to assign to memory file systems created within the container. For example if you wanted to wrap an container with SELinux sandbox labels, you could execute a command line the following chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
---
 man/systemd-nspawn.xml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
(limited to 'man/systemd-nspawn.xml')
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index bec233c1ca..08b0457d16 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -248,6 +248,27 @@
+ + + + + Sets the mandatory access control (MAC) file label to be used by tmpfs file systems in the container. + + + + + + Sets the mandatory access control (MAC) label to be used by processes in the container. + +
@@ -456,6 +477,14 @@
 btrfs snapshot. + + Example 6 + + # chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
+# systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh + + This runs a container with SELinux sandbox labels. + Exit status
-- cgit v1.2.3-54-g00ecf