We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Using SELinux with container runtimes

Formal Metadata

Title
Using SELinux with container runtimes
Subtitle
Because privileged containers are scary
Title of Series
Number of Parts
490
Author
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
Lukas Vrabec built a new standalone tool, udica, for generating SELinux policy profiles for containers based on automatic inspecting these containers. We will focus on why udica is needed in the container world and how it can make SELinux and containers work better together. We will show real examples where SELinux separation for containers had to be turned off because the generic SELinux type container_t was too tight. With a tool like “udica”, users and developers can easily customize the policy with limited SELnux policy writing skills. Come to see how easy also you can create custom SELinux policy for your containers! This talk will explain how SELinux works with containers. We will show how to enable/disable SElinux using multiple different container runtimes and define the default types. One issue with these types is that they are tough to customize. The two default types for running containers are containert which is a fully confined domain, which eliminates any use of the host files unless they are relabeled. Or spct, which is the type containers run with when SELinux is disabled for container separation, --privileged mode. As an example, If you had a container that you wanted to be able to gather the logs from /var/log on the host and send them to a centralized server, you have to disable SELinux separation. Writing custom policy for each container that needed additional access would be very difficult and require a container policy writer.