Hi Olivier

On Sun, 2011-07-31 at 16:42 +0200, Mauras Olivier wrote:
> Furthermore, the system has SMACK enabled - Simplified Mandatory Access
> Control - a label-based MAC.
> Each LXC container has its files and processes labeled differently -
> labels which can't write the host system default label, so basically a
> root in a container can't do anything harmful on the host system.
> The same can be achieved _less easily_ with SELinux - look at the IBM papers.
Would you mind sharing your SMACK setup? Also, do you know how this applies to bind-mounted directories? Can I label a container's files when they are read-only bind-mounted from the host?

Thanks,
Andre
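As an added illustration, not part of Olivier's or Andre's messages and not LXC's or SMACK's own code, the POSIX shell script below writes out the setup the quote describes as SMACK rule lines and reproduces the kernel's documented access decision order, so the claim that a container's root cannot write host files carrying the default "_" label can be checked on any machine, without a SMACK-enabled kernel. The label names (cont1, cont2, host_logs, shared_ro) and the rootfs path are hypothetical; the smackfs path assumes a kernel that mounts it at /sys/fs/smackfs.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from LXC/SMACK itself.
# It models the setup quoted above: each container's processes and files get
# their own label, the host keeps the floor label "_", and a few explicit
# rules are loaded. smack_access() follows the decision order documented in
# Documentation/admin-guide/LSM/Smack.rst so the claims can be checked here.
# All label names below are hypothetical.

# Rules in the "subject object access" form that is written to
# /sys/fs/smackfs/load2 (older kernels mounted smackfs at /smack).
# Constructed for this example: cont1 may write/append to a host log
# directory labelled host_logs, both containers may read a shared tree
# labelled shared_ro; nothing grants write access to the floor label "_".
SMACK_RULES='cont1 host_logs wa
cont1 shared_ro rx
cont2 shared_ro rx'

# subset_of WANT GRANTED: succeed if every access letter in WANT is in GRANTED
subset_of() {
    sw=$1
    sg=$2
    while [ -n "$sw" ]; do
        c=${sw%"${sw#?}"}      # first character of the remaining request
        sw=${sw#?}
        case $sg in
            *"$c"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# smack_access SUBJECT_LABEL OBJECT_LABEL ACCESS: prints allow/deny and
# returns 0/1. Decision order:
#   1. a "*" subject is denied everything
#   2. a "*" object, or an object with the subject's own label, allows all
#   3. the floor object "_" and the hat subject "^" allow read/execute only
#   4. otherwise an explicit rule must grant every requested letter
# (the "@" web label and the lock/bringup bits are left out for brevity)
smack_access() {
    subj=$1
    obj=$2
    req=$3
    if [ "$subj" = "*" ]; then
        echo deny; return 1
    fi
    if [ "$obj" = "*" ] || [ "$subj" = "$obj" ]; then
        echo allow; return 0
    fi
    if subset_of "$req" rx && { [ "$obj" = "_" ] || [ "$subj" = "^" ]; }; then
        echo allow; return 0
    fi
    # The kernel keeps one rule per (subject, object) pair and a later load
    # replaces an earlier one, so the last matching line wins here too.
    granted=
    while read -r s o a; do
        [ -z "$s" ] && continue
        if [ "$s" = "$subj" ] && [ "$o" = "$obj" ]; then
            granted=$a
        fi
    done <<EOF
$SMACK_RULES
EOF
    if [ -n "$granted" ] && subset_of "$req" "$granted"; then
        echo allow; return 0
    fi
    echo deny; return 1
}

# What a host would actually run to create this state (shown as comments,
# since it needs root on a SMACK-enabled kernel; path is hypothetical):
#   find /var/lib/lxc/cont1/rootfs -exec setfattr -n security.SMACK64 -v cont1 {} +
#   echo "cont1 host_logs wa" > /sys/fs/smackfs/load2
#   echo cont1 > /proc/self/attr/current   # before exec'ing the container init
# Labels live in the security.SMACK64 xattr of the inode, so a directory
# bind-mounted from the host keeps the host's label inside the container.

show() {
    printf '%-5s on %-9s wants %-3s -> %s\n' "$1" "$2" "$3" \
        "$(smack_access "$1" "$2" "$3")"
}

demo() {
    show cont1 cont1 rwx        # own files: everything
    show cont1 _ rx             # host floor files: read/execute
    show cont1 _ w              # host floor files: no write, whoever you are
    show cont1 cont2 r          # another container's files: nothing
    show cont1 host_logs wa     # explicitly granted
    show cont1 host_logs r      # not granted by that rule
    show '*' _ r                # star subject: always denied
}
demo
```

The `cont1 _ w` case is the one behind the quote's claim: even root inside the container runs with the container's label, and no rule grants it write access to "_". It also answers the read-only bind-mount situation in this model: the host's files keep the label stored in their security.SMACK64 xattr, so the container sees them as "_" (read/execute only) unless the host relabels them or loads a rule for that label.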