opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-03 12:17:13 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
podman/docs/source/markdown/options/security-opt.md
Daniel J Walsh ad8a96ab95 Support running nested SELinux container separation 
Currently Podman prevents SELinux container separation,
when running within a container. This PR adds a new
--security-opt label=nested

When setting this option, Podman unmasks and mountsi
/sys/fs/selinux into the containers making /sys/fs/selinux
fully exposed. Secondly Podman sets the attribute
run.oci.mount_context_type=rootcontext

This attribute tells crun to mount volumes with rootcontext=MOUNTLABEL
as opposed to context=MOUNTLABEL.

With these two settings Podman inside the container is allowed to set
its own SELinux labels on tmpfs file systems mounted into its parents
container, while still being confined by SELinux. Thus you can have
nested SELinux labeling inside of a container.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-03-13 14:21:12 -04:00

2.7 KiB
Raw Blame History

####> This option file is used in: ####> podman create, pod clone, pod create, run ####> If file is edited, make sure the changes ####> are applicable to all of those.

--security-opt=option

Security Options

  • apparmor=unconfined : Turn off apparmor confinement for the <<container|pod>>

  • apparmor=alternate-profile : Set the apparmor confinement profile for the <<container|pod>>

  • label=user:USER: Set the label user for the <<container|pod>> processes

  • label=role:ROLE: Set the label role for the <<container|pod>> processes

  • label=type:TYPE: Set the label process type for the <<container|pod>> processes

  • label=level:LEVEL: Set the label level for the <<container|pod>> processes

  • label=filetype:TYPE: Set the label file type for the <<container|pod>> files

  • label=disable: Turn off label separation for the <<container|pod>>

Note: Labeling can be disabled for all <<|pods/>>containers by setting label=false in the containers.conf (/etc/containers/containers.conf or $HOME/.config/containers/containers.conf) file.

  • label=nested: Allows SELinux modifications within the container. Containers are allowed to modify SELinux labels on files and processes, as long as SELinux policy allows. Without nested, containers view SELinux as disabled, even when it is enabled on the host. Containers are prevented from setting any labels.

  • mask=/path/1:/path/2: The paths to mask separated by a colon. A masked path cannot be accessed inside the container<<s within the pod|>>.

  • no-new-privileges: Disable container processes from gaining additional privileges.

  • seccomp=unconfined: Turn off seccomp confinement for the <<container|pod>>.

  • seccomp=profile.json: JSON file to be used as a seccomp filter. Note that the io.podman.annotations.seccomp annotation is set with the specified value as shown in podman inspect.

  • proc-opts=OPTIONS : Comma-separated list of options to use for the /proc mount. More details for the possible mount options are specified in the proc(5) man page.

  • unmask=ALL or /path/1:/path/2, or shell expanded paths (/proc/*): Paths to unmask separated by a colon. If set to ALL, it will unmask all the paths that are masked or made read-only by default. The default masked paths are /proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux. The default paths that are read-only are /proc/asound, /proc/bus, /proc/fs, /proc/irq, /proc/sys, /proc/sysrq-trigger, /sys/fs/cgroup.

Note: Labeling can be disabled for all containers by setting label=false in the containers.conf(5) file.