On Mon, Jan 16, 2017 at 7:59 PM, <sf...@users.sourceforge.net> wrote:
>
> Arun Chandran:
>> No, with 'sudo mount ..' the .wh.* files are created with the label of the
>> user test, not with the label of root.
>> [This is because objects get the label of the process; the label of user test
>> is "k1"; sudo is not changing the label]
>
> I see.
> It may be a very basic building block of security label NOT to use the
> effective uid.
>
> Back in our simple tests,
>
> cd layer1/
> > .wh..wh.aufs
> ln .wh..wh.aufs .wh.0.txt
>
> - by a normal user, .wh..wh.aufs will have access="k1".
> - sudo by a normal user, it will be access="k1" too.
> - by a plain superuser, it will be access="_".
> right?
>

Yes. Correct.
> And "sudo mount" sets access="k1" to .wh..wh.aufs.
> Good. It must be the way to go, isn't it?
>

"sudo mount .." gives correct labels. I can't use it because the containers don't get sudo inside; a container might be running with the lowest possible privileges.

I will be doing (as root):

1) Take the request to load the docker app
2) Label all the layers in the app (files) with a smack label "kN"
3) All the layers are aufs mounted
4) Perform a label change of the .wh.* files from "_" to "kN"
5) Change the ownership of the .wh.* files from root to the container UID
6) Start the container

--Arun
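Steps 4 and 5 of the procedure above, as an added example that is not part of the thread and not aufs or Smack project code. It assumes a Linux host where the Smack label lives in the `security.SMACK64` xattr (written through `os.setxattr`, which needs root / CAP_MAC_ADMIN) and builds a constructed stand-in for a layer directory instead of a real aufs branch; the label and uid values ("k1", 1000) are sample values. The plan is computed as a dry run first, so the set of inodes that will be relabelled can be reviewed before anything is changed:

```python
import os
import tempfile

SMACK_ATTR = "security.SMACK64"  # xattr that carries a file's Smack label


def current_label(path):
    """Return the Smack label on `path`, or None when no label is set or the
    filesystem does not expose the attribute (e.g. Smack is not enabled)."""
    try:
        return os.getxattr(path, SMACK_ATTR, follow_symlinks=False).decode()
    except OSError:
        return None


def find_whiteouts(root):
    """Collect every aufs whiteout entry (names starting with .wh.) under
    `root`. Symlinks are not followed, so a link cannot steer the walk
    outside the layer being relabelled."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            if name.startswith(".wh."):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def plan_relabel(root, label, uid, gid=-1):
    """Dry run of steps 4 and 5: for each whiteout, record the label and
    owner change that apply_plan() would make. gid=-1 leaves the group as is."""
    plan = []
    for path in find_whiteouts(root):
        st = os.lstat(path)
        plan.append({
            "path": path,
            "name": os.path.basename(path),
            "label_from": current_label(path),   # "_" on a Smack host, None here
            "label_to": label,
            "uid_from": st.st_uid,
            "uid_to": uid,
            "gid_to": gid,
        })
    return plan


def apply_plan(plan):
    """Carry out a plan. Needs root: CAP_MAC_ADMIN to write the Smack label,
    CAP_CHOWN for the owner change. Labels are per inode, so hard-linked
    whiteouts such as .wh..wh.aufs / .wh.0.txt end up with the same result."""
    for item in plan:
        os.setxattr(item["path"], SMACK_ATTR, item["label_to"].encode(),
                    follow_symlinks=False)
        os.lchown(item["path"], item["uid_to"], item["gid_to"])


def build_demo_tree():
    """Constructed sample layer (assumption: an unprivileged stand-in for an
    aufs branch) with the whiteout pair from the thread plus an ordinary file."""
    root = tempfile.mkdtemp(prefix="layer1-")
    base = os.path.join(root, ".wh..wh.aufs")
    open(base, "w").close()
    os.link(base, os.path.join(root, ".wh.0.txt"))   # same inode, as in the thread
    with open(os.path.join(root, "data.txt"), "w") as f:
        f.write("ordinary layer content\n")
    return root


if __name__ == "__main__":
    tree = build_demo_tree()
    for item in plan_relabel(tree, "k1", 1000):
        print(f'{item["name"]}: label {item["label_from"]!r} -> '
              f'{item["label_to"]!r}, uid {item["uid_from"]} -> {item["uid_to"]}')
```

Running it as a normal user only prints the plan; `apply_plan()` is the part that must run as root, after the layers are mounted (step 3) and before the container starts (step 6). Ordinary layer files never appear in the plan, which is the check worth keeping: only whiteout inodes should move from "_" to "kN".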