opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-08-06 03:19:52 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #17729 from rhatdan/selinux

Browse Source 
Support running nested SELinux container separation
This commit is contained in:
OpenShift Merge Robot
2023-03-15 12:07:03 -04:00
committed by GitHub
parent 41caa57df4 ad8a96ab95
commit 2718f54a29
12 changed files with 130 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/source/markdown/options/security-opt.md
View File

@ -18,6 +18,8 @@ Security Options
Note: Labeling can be disabled for all <<|pods/>>containers by setting label=false in the **containers.conf** (`/etc/containers/containers.conf` or `$HOME/.config/containers/containers.conf`) file.
- **label=nested**: Allows SELinux modifications within the container. Containers are allowed to modify SELinux labels on files and processes, as long as SELinux policy allows. Without **nested**, containers view SELinux as disabled, even when it is enabled on the host. Containers are prevented from setting any labels.
- **mask**=_/path/1:/path/2_: The paths to mask separated by a colon. A masked path cannot be accessed inside the container<<s within the pod|>>.
- **no-new-privileges**: Disable container processes from gaining additional privileges.