On Wed, Oct 15, 2014, at 06:24 AM, Alexander Larsson wrote:
>
> We have similar issues with selinux and docker actually. For the docker
> devmapper backend we're using a single unique COW dm device for each
> container, so we can mount that with a selinux context and everything is
> fine. This doesn't work for the btrfs and overlayfs backends though. For
> the btrfs backend we're looking at changing btrfs itself to allow
> subvolume mount contexts, but that wouldn't necessarily work for us
> anyway, as we're not using a unique subvolume per running app instance.
Offhand, I think this only matters if the container files are mutable. In a model where containers are read-only (and your data in /var and /etc is mounted to permanent storage elsewhere with distinct labeling), then you just need unique labeling for those. Your /usr can just be the same as the host's usr_t. Docker's model is really oriented towards mutable containers, so it's hard to do there.

_______________________________________________
gnome-os-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/gnome-os-list
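The read-only layout sketched in the reply, spelled out as mount commands, as an added example that is not part of the thread or of any project's code: the shared /usr is mounted read-only with the host's usr_t label via the `context=` mount option, while each instance gets its own writable /var and /etc labelled with a per-instance MCS category. The paths, the `ctr_var_t`/`ctr_etc_t` types, the `nosuid,nodev` defaults and the use of the instance id as the MCS category are assumptions; only `usr_t` and the `context=` mechanism come from the mail. The commands are printed rather than executed so the script can be run anywhere.

```shell
#!/bin/sh
# Added example: build (not execute) the mounts for a read-only container
# rootfs with separately labelled, per-instance /var and /etc.

# Validate an SELinux context of the form user:role:type:level[:categories].
selinux_context_valid() {
    printf '%s\n' "$1" |
        grep -Eq '^[a-z_]+:[a-z_]+:[a-z_]+:s[0-9]+(-s[0-9]+)?(:c[0-9]+(\.c[0-9]+)?)?$'
}

# Option string for one mount. $1 = ro|rw, $2 = SELinux context.
# nosuid/nodev are assumed defaults for container storage.
mount_opts() {
    mode=$1
    ctx=$2
    case "$mode" in
        ro|rw) ;;
        *) echo "mode must be ro or rw: $mode" >&2; return 1 ;;
    esac
    selinux_context_valid "$ctx" || { echo "bad SELinux context: $ctx" >&2; return 1; }
    printf '%s,nosuid,nodev,context=%s\n' "$mode" "$ctx"
}

# Print the three mount commands for one container instance.
# $1 = numeric instance id, also used as the MCS category (assumption).
# Paths under /srv and /run are hypothetical placeholders.
container_mount_plan() {
    id=$1
    root=/run/containers/$id
    # Shared, immutable /usr: same label as the host's usr_t, read-only.
    printf 'mount -o %s /srv/images/base/usr %s/usr\n' \
        "$(mount_opts ro system_u:object_r:usr_t:s0)" "$root"
    # Per-instance writable state, each with its own type and category.
    printf 'mount -o %s /srv/state/%s/var %s/var\n' \
        "$(mount_opts rw "system_u:object_r:ctr_var_t:s0:c$id")" "$id" "$root"
    printf 'mount -o %s /srv/state/%s/etc %s/etc\n' \
        "$(mount_opts rw "system_u:object_r:ctr_etc_t:s0:c$id")" "$id" "$root"
}

# Usage: run the script directly to see the plan for instance 42.
if [ "${0##*/}" != "sh" ] && [ "${DEMO:-1}" = 1 ]; then
    container_mount_plan 42
fi
```

Because every file under the mounted /usr carries the one label given by `context=`, a shared read-only /usr needs no per-instance relabelling; only the writable /var and /etc mounts differ between instances, which is the point made in the reply.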
