[prev in list] [next in list] [prev in thread] [next in thread]
List: openvz-criu
Subject: Re: [CRIU] SELinux label on criu socket
From: Adrian Reber <adrian () lisas ! de>
Date: 2019-02-18 11:09:03
Message-ID: 20190218110903.GA22549 () lisas ! de
[Download RAW message or body]
On Mon, Feb 18, 2019 at 10:19:22AM +0000, Radostin Stoyanov wrote:
> On 15/02/2019 17:38, Adrian Reber wrote:
> > Using Podman with SELinux I have following problem:
> >
> > https://github.com/containers/libpod/issues/2334
> >
> > The process in the container tries to connect to the CRIU socket which
> > is denied by the SELinux policy.
> >
> > Is there a way I can create the socket in runc or Podman and then tell
> > CRIU to use that socket? That way I could give the socket the correct
> > SELinux label.
> >
> > Would that be possible?
> I think that this could be done by modifying parasite_init_daemon() in
> compel/plugins/std/infect.c and allow CRIU to reuse a socket created by
> runc or Podman.
>
> However, it would be better to teach CRIU how to set a SELinux label on
> that socket. We already have the --lsm-profile option which could be
> added to RPC to allow runc or Podman to specify a label.
This second option is also my favourite. Which means I would also
finally fix setting correct SELinux labels on the restored processes.
This means, however, that we would need to link compel against
libselinux. Not sure if that is problematic or not...
Adrian
_______________________________________________
CRIU mailing list
CRIU@openvz.org
https://lists.openvz.org/mailman/listinfo/criu
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic