On 02/07/2014 08:22 AM, Michael Scherer wrote:
> On Thursday, 06 February 2014 at 12:21 -0800, David Timothy Strauss wrote:
>> In order to maximize consistency with newly committed options in
>> systemd-nspawn, would it make sense to allow independent configuration of
>> the process and file labels instead?
>
> The file labels are decided by SELinux policy based on the path and/or
> process domain, from what I have seen.
>
> In the case of systemd-nspawn, it is done by using a specific option of
> mount, and only for tmpfs/devpts.
>
> So I am not sure if this can be done, and I fail to see a use case for that
> (except having a container described in .service, which could be nice but
> maybe too much)
>
Yes, the goal with the file system labels is for tmpfs file systems created/mounted within the systemd-nspawn.
If you are using a chrooted OS, then its labeling should be done outside the command. I wanted to also allow this to be generic so other labeling tools like SMACK could also be used.

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel