Daniel J Walsh

Results 518 comments of Daniel J Walsh

So you are running runc directly as a service in a systemd unit file? Or are you running this under docker? Either way it should not be running as unconfined_service_t,...

There is a bit of a rewrite of the API going on in psgo, should we wait for this rewrite to be done first?

@vbatts @mrunalp @AkihiroSuda @cyphar @crosbymichael Can we get this done?

You cannot use SELinux and Overlay at this time. Well I guess you could label everything under /var/lib/rkt/pods as system_u:object_r:svirt_sandbox_file_t:s0 and it might work better. Not sure how you...

This looks like this content "systemd dir" and "tty chr_file" are being created by the user process on /tmp and then somehow being used within the container. I guess rkt...

This looks like you don't have the rkt patch that relabels the content under /var/lib/rkt/pods/run correctly.

Yes, we are working daily on the kernel to fix the OverlayFS vs SELinux issues. Currently doing it privately (with Stephen Smalley, NSA), since we do not want to deal with...

It is still ongoing. This is a fairly complex issue, and getting the security right is critically important. Met with the kernel engineer this morning and we have a working...

Yes, it currently looks like this will land in the 4.9 kernel.

SELinux and Overlayfs are currently working in the Fedora Rawhide Kernel and Fedora 25.