On Mon, 25.04.11 20:51, microcai (micro...@fedoraproject.org) wrote:
于 2011年04月25日 20:43, Daniel J Walsh 写道:
SELinux would be a good start.
No, root inside can still change SE-Linux policy.
No. The SELinux policy can forbid reloading the SELinux policy for
certain users/processes.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 04/26/2011 01:54 PM, Lennart Poettering wrote:
On Mon, 25.04.11 20:51, microcai (micro...@fedoraproject.org) wrote:
于 2011年04月25日 20:43, Daniel J Walsh 写道:
SELinux would be a good start.
No, root inside can still change SE-Linux policy.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 04/22/2011 07:42 PM, Josh Triplett wrote:
The systemd-nspawn manpage lists the various mechanisms used to isolate
the container, and then says Note that even though these security
precautions are taken systemd-nspawn is not suitable for secure
于 2011年04月25日 20:43, Daniel J Walsh 写道:
SELinux would be a good start.
No, root inside can still change SE-Linux policy.
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
On Fri, 22.04.11 19:55, Josh Triplett (j...@joshtriplett.org) wrote:
The systemd-nspawn manpage lists the various mechanisms used to isolate
the container, and then says Note that even though these security
precautions are taken systemd-nspawn is not suitable for secure
container setups. Many
On Fri, 22.04.11 21:16, Josh Triplett (j...@joshtriplett.org) wrote:
On Sat, Apr 23, 2011 at 11:28:58AM +0800, microcai wrote:
于 2011年04月23日 10:55, Josh Triplett 写道:
The systemd-nspawn manpage lists the various mechanisms used to isolate
the container, and then says Note that even though
On Sat, 23.04.11 13:29, microcai (micro...@fedoraproject.org) wrote:
Ah, good point. So, root inside the container can trivially circumvent
the container that way. Any way to prevent that with current kernel
support, or would fixing this require additional kernel changes to lock
down
]] Lennart Poettering
[...]
| (Consider the container blocking all ports 6000 thus making it
| impossible to run X on the host). But this one is actually not a big
| issue in the end I guess, so let's ignore it here.
X doesn't listen on tcp by default those days, so this shouldn't be a
The systemd-nspawn manpage lists the various mechanisms used to isolate
the container, and then says Note that even though these security
precautions are taken systemd-nspawn is not suitable for secure
container setups. Many of the security features may be circumvented and
are hence primarily
The systemd-nspawn manpage lists the various mechanisms used to isolate
the container, and then says Note that even though these security
precautions are taken systemd-nspawn is not suitable for secure
container setups. Many of the security features may be circumvented and
are hence primarily
On Sat, Apr 23, 2011 at 11:28:58AM +0800, microcai wrote:
于 2011年04月23日 10:55, Josh Triplett 写道:
The systemd-nspawn manpage lists the various mechanisms used to isolate
the container, and then says Note that even though these security
precautions are taken systemd-nspawn is not suitable for
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
于 2011年04月23日 12:16, Josh Triplett 写道:
On Sat, Apr 23, 2011 at 11:28:58AM +0800, microcai wrote:
于 2011年04月23日 10:55, Josh Triplett 写道:
The systemd-nspawn manpage lists the various mechanisms used to isolate
the container, and then says Note that
12 matches
Mail list logo