git.ipfire.org Git - thirdparty/lxc.git/commit

author	Maximilian Blenk <Maximilian.Blenk@bmw.de>
	Wed, 29 Jan 2020 16:09:50 +0000 (17:09 +0100)
committer	Maximilian Blenk <Maximilian.Blenk@bmw.de>
	Fri, 31 Jan 2020 13:33:01 +0000 (14:33 +0100)
commit	4fef78bc332a2d186dca6f1c29952a0ec5423217
tree	b9d34821e1296569f313053e0361f2c4fd74a080	tree
parent	f5a15e1e3d92d9c954fe80e5ae931f3685027d38	commit \| diff

container.conf: Add option to set keyring SELinux context

lxc set's up a new session keyring for every container by default.
If executed on an SELinux enabled system, by default, the keyring
inherits the label of the creating process. If executed with the
currently available SELinux policy, this means that the keyring
is labeled with the lxc_t type. Applications inside the container,
however, might expect that the keyring is labeled with a certain
context (and will fail to access the keyring if it's not explicitly
allowed in the global policy). This patch introduces the config
option lxc.selinux.context.keyring which enables to specify the
label of the newly created keyring. That is, the keyring can be
labeled with the label expected by the started application.

Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>

config/selinux/lxc.te		diff \| blob \| blame \| history
src/lxc/conf.c		diff \| blob \| blame \| history
src/lxc/conf.h		diff \| blob \| blame \| history
src/lxc/confile.c		diff \| blob \| blame \| history
src/lxc/lsm/lsm.c		diff \| blob \| blame \| history
src/lxc/lsm/lsm.h		diff \| blob \| blame \| history
src/lxc/lsm/selinux.c		diff \| blob \| blame \| history
src/lxc/utils.c		diff \| blob \| blame \| history
src/lxc/utils.h		diff \| blob \| blame \| history