1container_selinux(8)       SELinux Policy container       container_selinux(8)
2
3
4

NAME

6       container_selinux  -  Security  Enhanced Linux Policy for the container
7       processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the container  processes  via  flexible
11       mandatory access control.
12
13       The  container processes execute with the container_t SELinux type. You
14       can check if you have these processes running by executing the ps  com‐
15       mand with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep container_t
20
21
22

PROCESS TYPES

24       SELinux defines process types (domains) for each process running on the
25       system
26
27       You can see the context of a process using the -Z option to ps
28
29       Policy governs the access confined processes have  to  files.   SELinux
30       container  policy  is  very flexible allowing users to setup their con‐
31       tainer processes in as secure a method as possible.
32
33       The following process types are defined for container:
34
35       container_t
36
37       Note: semanage permissive -a  container_t  can  be  used  to  make  the
38       process  type  container_t  permissive. SELinux does not deny access to
39       permissive process types, but the AVC (SELinux  denials)  messages  are
40       still generated.
41
42

MCS Constrained

44       The  SELinux  process  type container_t is an MCS (Multi Category Secu‐
45       rity) constrained type.  Sometimes this separation is  referred  to  as
46       sVirt.  These types are usually used for securing multi-tenant environ‐
47       ments, such as virtualization, containers or separation of users.   The
48       tools used to launch MCS types, pick out a different MCS label for each
49       process group.
50
51       For example one process might be  launched  with  container_t:s0:c1,c2,
52       and  another  process  launched  with container_t:s0:c3,c4. The SELinux
53       kernel only allows these processes can only write  to  content  with  a
54       matching  MCS  label,  or a MCS Label of s0. A process running with the
55       MCS level of s0:c1,c2 is not allowed to write to content with  the  MCS
56       label of s0:c3,c4
57
58

BOOLEANS

60       SELinux  policy  is  customizable based on least access required.  con‐
61       tainer policy is extremely flexible and has several booleans that allow
62       you to manipulate the policy and run container with the tightest access
63       possible.
64
65
66
67       If you want to deny any process from ptracing or  debugging  any  other
68       processes,  you  must  turn  on the deny_ptrace boolean. Enabled by de‐
69       fault.
70
71       setsebool -P deny_ptrace 1
72
73
74

MANAGED FILES

76       The SELinux process type container_t can manage files labeled with  the
77       following file types.  The paths listed are the default paths for these
78       file types.  Note the processes UID still need to have DAC permissions.
79
80       container_file_t
81
82            /var/lib/rkt/cas(/.*)?
83
84       fs_t
85
86
87       fusefs_t
88
89            /var/run/user/[0-9]+/gvfs
90
91       hugetlbfs_t
92
93            /dev/hugepages
94            /usr/lib/udev/devices/hugepages
95
96       onload_fs_t
97
98
99

FILE CONTEXTS

101       SELinux requires files to have an extended attribute to define the file
102       type.
103
104       You can see the context of a file using the -Z option to ls
105
106       Policy  governs  the  access  confined  processes  have to these files.
107       SELinux container policy is very flexible allowing users to setup their
108       container processes in as secure a method as possible.
109
110       STANDARD FILE CONTEXT
111
112       SELinux defines the file context types for the container, if you wanted
113       to store files with these types in a diffent paths, you need to execute
114       the  semanage  command  to  specify alternate labeling and then use re‐
115       storecon to put the labels on disk.
116
117       semanage  fcontext  -a  -t  container_ro_file_t  '/srv/mycontainer_con‐
118       tent(/.*)?'
119       restorecon -R -v /srv/mycontainer_content
120
121       Note:  SELinux  often  uses  regular expressions to specify labels that
122       match multiple files.
123
124       The following file types are defined for container:
125
126
127
128       container_file_t
129
130       - Set files with the container_file_t type, if you want  to  treat  the
131       files as container content.
132
133
134
135       container_ro_file_t
136
137       - Set files with the container_ro_file_t type, if you want to treat the
138       files as container ro content.
139
140
141
142       Note: File context can be temporarily modified with the chcon  command.
143       If  you want to permanently change the file context you need to use the
144       semanage fcontext command.  This will modify the SELinux labeling data‐
145       base.  You will need to use restorecon to apply the labels.
146
147

COMMANDS

149       semanage  fcontext  can also be used to manipulate default file context
150       mappings.
151
152       semanage permissive can also be used to manipulate  whether  or  not  a
153       process type is permissive.
154
155       semanage  module can also be used to enable/disable/install/remove pol‐
156       icy modules.
157
158       semanage boolean can also be used to manipulate the booleans
159
160
161       system-config-selinux is a GUI tool available to customize SELinux pol‐
162       icy settings.
163
164

AUTHOR

166       This manual page was auto-generated using sepolicy manpage .
167
168

SEE ALSO

170       selinux(8),  container(8), semanage(8), restorecon(8), chcon(1), sepol‐
171       icy(8), setsebool(8)
172
173
174
175container                          23-02-03               container_selinux(8)
Impressum