-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 04/26/2011 01:54 PM, Lennart Poettering wrote:
> On Mon, 25.04.11 20:51, microcai (micro...@fedoraproject.org) wrote:
>
>> On 2011-04-25 20:43, Daniel J Walsh wrote:
>>> SELinux would be a good start.
>>
>> No, root inside can still change SE-Linux p
On Mon, 25.04.11 20:51, microcai (micro...@fedoraproject.org) wrote:
> On 2011-04-25 20:43, Daniel J Walsh wrote:
> > SELinux would be a good start.
>
> No, root inside can still change SE-Linux policy.
No. The SELinux policy can forbid reloading the SELinux policy for
certain users/processes.
SE
On 2011-04-25 20:43, Daniel J Walsh wrote:
> SELinux would be a good start.
No, root inside can still change SE-Linux policy.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
On 04/22/2011 07:42 PM, Josh Triplett wrote:
> The systemd-nspawn manpage lists the various mechanisms used to isolate
> the container, and then says "Note that even though these security
> precautions are taken systemd-nspawn is not suitable for secur
]] Lennart Poettering
[...]
| (Consider the container blocking all ports > 6000 thus making it
| impossible to run X on the host). But this one is actually not a big
| issue in the end I guess, so let's ignore it here.
X doesn't listen on tcp by default those days, so this shouldn't be a
proble
On Sat, 23.04.11 13:29, microcai (micro...@fedoraproject.org) wrote:
> > Ah, good point. So, root inside the container can trivially circumvent
> > the container that way. Any way to prevent that with current kernel
> > support, or would fixing this require additional kernel changes to lock
> >
On Fri, 22.04.11 21:16, Josh Triplett (j...@joshtriplett.org) wrote:
> On Sat, Apr 23, 2011 at 11:28:58AM +0800, microcai wrote:
> > On 2011-04-23 10:55, Josh Triplett wrote:
> > > The systemd-nspawn manpage lists the various mechanisms used to isolate
> > > the container, and then says "Note that ev
On Fri, 22.04.11 19:55, Josh Triplett (j...@joshtriplett.org) wrote:
> The systemd-nspawn manpage lists the various mechanisms used to isolate
> the container, and then says "Note that even though these security
> precautions are taken systemd-nspawn is not suitable for secure
> container setups.
The systemd-nspawn manpage lists the various mechanisms used to isolate
the container, and then says "Note that even though these security
precautions are taken systemd-nspawn is not suitable for secure
container setups. Many of the security features may be circumvented and
are hence primarily usef
On 2011-04-23 12:16, Josh Triplett wrote:
> On Sat, Apr 23, 2011 at 11:28:58AM +0800, microcai wrote:
>> On 2011-04-23 10:55, Josh Triplett wrote:
>>> The systemd-nspawn manpage lists the various mechanisms used to isolate
>>> the container, and then says "N
On Sat, Apr 23, 2011 at 11:28:58AM +0800, microcai wrote:
> On 2011-04-23 10:55, Josh Triplett wrote:
> > The systemd-nspawn manpage lists the various mechanisms used to isolate
> > the container, and then says "Note that even though these security
> > precautions are taken systemd-nspawn is not suita
On 2011-04-23 10:55, Josh Triplett wrote:
> The systemd-nspawn manpage lists the various mechanisms used to isolate
> the container, and then says "Note that even though these security
> precautions are taken systemd-nspawn is not suitable for secure
> container setups. Many of the security features m
The systemd-nspawn manpage lists the various mechanisms used to isolate
the container, and then says "Note that even though these security
precautions are taken systemd-nspawn is not suitable for secure
container setups. Many of the security features may be circumvented and
are hence primarily usef