On Mon, 25.04.11 20:51, microcai (micro...@fedoraproject.org) wrote:

> On 2011-04-25 20:43, Daniel J Walsh wrote:
> > SELinux would be a good start.
>
> No, root inside can still change SE-Linux policy.

No. The SELinux policy can forbid reloading the SELinux policy for certain users/processes. SELinux should work fine to secure nspawn containers.

Lennart

--
Lennart Poettering - Red Hat, Inc.
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel