git.ipfire.org Git - thirdparty/lxc.git/commit
provide an example SELinux policy for older releases
author Dwight Engen <dwight.engen@oracle.com>
Thu, 24 Jul 2014 21:25:46 +0000 (17:25 -0400)
committer Stéphane Graber <stgraber@ubuntu.com>
Thu, 31 Jul 2014 18:12:25 +0000 (14:12 -0400)
commit 719fae07bf641ad6ed80b12c52f60b68d734f611
tree fd4e438f79d36c5d67d80cc177a0c6fea66f20e0
parent ab799c0ba931bde0f4586fb2a61854610a0daf0d
provide an example SELinux policy for older releases

The virtd_lxc_t type provided by the default RHEL/CentOS/Oracle 6.5
policy is an unconfined_domain(), so it doesn't really enforce anything.
This change will provide a link in the documentation to an example
policy that does confine containers.

On more recent distributions with new enough policy, it is recommended
not to use this sample policy, but to use the types already available
on the system from /etc/selinux/targeted/contexts/lxc_contexts, i.e.:

process = "system_u:system_r:svirt_lxc_net_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
config/Makefile.am
config/selinux/Makefile.am [new file with mode: 0644]
config/selinux/lxc.if [new file with mode: 0644]
config/selinux/lxc.te [new file with mode: 0644]
configure.ac
doc/lxc.container.conf.sgml.in