| Server IP : 127.0.0.2 / Your IP : 3.16.10.2 Web Server : Apache/2.4.18 (Ubuntu) System : User : www-data ( ) PHP Version : 7.0.33-0ubuntu0.16.04.16 Disable Function : disk_free_space,disk_total_space,diskfreespace,dl,exec,fpaththru,getmyuid,getmypid,highlight_file,ignore_user_abord,leak,listen,link,opcache_get_configuration,opcache_get_status,passthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,php_uname,phpinfo,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix,_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,pclose,popen,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,shell_exec,source,show_source,system,virtual MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : ON Directory : /usr/share/lxc/selinux/ |
Upload File : |
#
# SELinux policy for LXC for RHEL/CentOS/Oracle 6.5.
# It attempts to restrict the container to the same amount of access
# as an unprivileged user. To build and insert this policy module:
#
# make -f /usr/share/selinux/devel/Makefile lxc.pp
# semodule -i lxc.pp
#
# In your container's lxc config:
# lxc.se_context = system_u:system_r:lxc_t:s0:c62,c86,c150,c228
#
# Ensure your container's rootfs files are labeled:
# chcon -R system_u:object_r:lxc_file_t:s0:c62,c86,c150,c228 /path/to/rootfs
#
# To keep containers separated from each other, you should vary the MCS
# portion of the contexts above to be a unique set of values for each
# container, each MCS compartment can be a number from 0-1023.
#
policy_module(lxc,0.35)
userdom_unpriv_user_template(lxc)
type lxc_file_t;
files_type(lxc_file_t);
role system_r types { lxc_t lxc_file_t };
gen_require(`
type devpts_t;
type proc_t;
type ssh_port_t;
type sysctl_kernel_t;
type sysctl_modprobe_t;
type sysctl_net_t;
type tmpfs_t;
type unconfined_t;
class filesystem { relabelfrom unmount };
class tcp_socket name_bind;
class udp_socket name_bind;
');
# So lxc can transition to lxc_t on exec
allow unconfined_t lxc_t:process transition;
can_exec(lxc_t, lxc_file_t)
# So lxc can dyntransition to lxc_t for attach executing a function
allow unconfined_t lxc_t:process dyntransition;
# So lxc-start can relabel the pty allocated for the console
allow lxc_file_t devpts_t:filesystem associate;
# So container can mount /dev/shm and relabel it
allow lxc_t tmpfs_t:filesystem relabelfrom;
# Allow all access to an lxc_file_t type; devices can be restricted
# with the device cgroup, they are not here
allow lxc_t lxc_file_t:file *;
allow lxc_t lxc_file_t:lnk_file *;
allow lxc_t lxc_file_t:chr_file *;
allow lxc_t lxc_file_t:blk_file *;
allow lxc_t lxc_file_t:sock_file *;
allow lxc_t lxc_file_t:fifo_file *;
allow lxc_t lxc_file_t:socket *;
allow lxc_t lxc_file_t:dir *;
allow lxc_t lxc_file_t:filesystem unmount;
fs_unmount_all_fs(lxc_t)
allow lxc_t proc_t:dir mounton;
allow lxc_t proc_t:filesystem mount;
allow lxc_t tmpfs_t:filesystem mount;
allow lxc_t self:capability { dac_override dac_read_search fsetid ipc_lock net_admin net_bind_service net_broadcast net_raw sys_admin sys_boot sys_tty_config };
allow lxc_t sysctl_net_t:file write;
allow lxc_t ssh_port_t:tcp_socket name_bind;
corenet_tcp_connect_all_ports(lxc_t)
corenet_tcp_bind_all_ports(lxc_t)
corenet_udp_bind_all_ports(lxc_t)
# Needed for ifup/ip/dhcp
allow lxc_t self:packet_socket create_socket_perms;
allow lxc_t self:rawip_socket create_socket_perms;
allow lxc_t self:netlink_route_socket create_netlink_socket_perms;
dontaudit lxc_t sysctl_kernel_t:file write;
dontaudit lxc_t sysctl_modprobe_t:file write;