SELinux protection of containers. The SELinux policy for protecting containers consists of a single policy module, which has been submitted to the refpolicy (SELinux Reference Policy) development mailing list.

Download the policy into the /root/vs directory; it consists of three files, vs.if, vs.fc and vs.te. Compile and install the new module, and make a copy of the VM image for each setup:

    cp vm.img selinux.img
    cp vm.img smack.img

Then use lxc-debian create to build the two containers, /vs1 and /vs2:

    mkdir /vs1; cd /vs1
    lxc-debian create
      container name: vs1
      hostname: vs1
      address: 10.0.2.21
      gateway: 10.0.2.2
      arch: 2 (i386)
    mkdir /vs2; cd /vs2
    lxc-debian create
      container name: vs2
      hostname: vs2
      address: 10.0.2.22
      gateway: 10.0.2.2
      arch: 2 (i386)
    fixfiles relabel /vs1
    fixfiles relabel /vs2

The last two commands relabel the container file systems. When you start a container (for example with lxc-start -n vs1), you will probably see some SELinux audit messages reporting denied accesses. Don't worry: the container starts normally, brings up its network service, and remains isolated. If, before starting the container, you run mount --bind / /vs1/rootfs.vs1/mnt to expose the host's root file system inside vs1, you will find that even root inside the container is refused when it runs ls /mnt/root.

To understand why, look at the vs.if interface file. It defines an interface called container, which takes one argument: the base name of the container being defined. vs.te calls this interface twice, with the names vs1 and vs2. Inside the interface, $1 expands to that argument, so when we call container(vs1), $1_t becomes vs1_t (from here on, assume we are defining vs1). The most important lines are those involving vs1_exec_t. The container runs in the vs1_t type: when unconfined_t executes the container's /sbin/init (which has type vs1_exec_t), it transitions into vs1_t. The remainder of the policy grants the container the privileges it needs to reach the various parts of the system: network ports, devices, consoles and so on. The interface is long, which reflects the fine granularity of the current SELinux reference policy.

As we will see, the Smack-protected container has a much simpler policy; however, it is far less flexible in how it constrains the behaviour of system services. One thing remains to be done. Note that although the container cannot overwrite $1_exec_t (that is, /sbin/init) directly, it can run

    mv /sbin /sbin.bak
    mkdir /sbin
    touch /sbin/init

and the newly created /sbin/init is of type vs1_file_t. Why would a container administrator do this? Because the container would then start in the unconfined_t domain, including its ssh daemon, giving the administrator a privileged shell and the ability to bypass the SELinux restrictions we are trying to enforce. To prevent this, start the container from a custom script that relabels /sbin/init as vs1_exec_t before launching it. If you prefer, the script could copy an original init back into the container and relabel that; here we simply relabel the existing init: cat > /vs1/vs1.sh
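As an added illustration of that start-up check (example code, not the post's own vs1.sh), the wrapper below refuses to start a container whose /sbin/init is not a regular file, relabels it to the container's _exec_t type when the label has drifted, and only then calls lxc-start. It assumes the /vsN/rootfs.vsN layout used above and the vsN_exec_t naming produced by the container() interface.

```shell
#!/bin/sh
# Added example, not the post's own vs1.sh: a start wrapper that checks the
# SELinux type on a container's /sbin/init and relabels it to <name>_exec_t
# before lxc-start, so a replaced init cannot come up in unconfined_t.
# Assumes the /vsN/rootfs.vsN layout and vsN_exec_t naming from the post.

# Type field of a full SELinux context "user:role:type[:level]".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds if the context carries the expected type.
has_type() {
    [ "$(context_type "$1")" = "$2" ]
}

# Path of the init binary inside a container's rootfs.
container_init() {
    printf '%s\n' "/$1/rootfs.$1/sbin/init"
}

# Relabel init if needed, then start the container confined.
start_confined() {
    name=$1
    want="${name}_exec_t"
    init=$(container_init "$name")
    # A replaced /sbin/init that is not a regular file (or a dangling
    # symlink) is refused outright rather than started unconfined.
    if [ ! -f "$init" ]; then
        echo "$init is not a regular file, refusing to start $name" >&2
        return 1
    fi
    cur=$(stat -c %C "$init") || return 1   # full SELinux context of init
    if ! has_type "$cur" "$want"; then
        echo "relabelling $init: $(context_type "$cur") -> $want" >&2
        chcon -t "$want" "$init" || return 1
    fi
    exec lxc-start -n "$name"
}

# Usage: ./vs-start.sh vs1   (nothing runs when no name is given)
if [ -n "${1-}" ]; then
    start_confined "$1"
fi
```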