[CRIU] SELinux label on criu socket

Radostin Stoyanov rstoyanov1 at gmail.com
Mon Feb 18 13:19:22 MSK 2019


On 15/02/2019 17:38, Adrian Reber wrote:
> Using Podman with SELinux I have the following problem:
>
> https://github.com/containers/libpod/issues/2334
>
> The process in the container tries to connect to the CRIU socket which
> is denied by the SELinux policy.
>
> Is there a way I can create the socket in runc or Podman and then tell
> CRIU to use that socket? That way I could give the socket the correct
> SELinux label.
>
> Would that be possible?

I think that this could be done by modifying parasite_init_daemon() in
compel/plugins/std/infect.c and allow CRIU to reuse a socket created by
runc or Podman.

However, it would be better to teach CRIU how to set a SELinux label on
that socket. We already have the --lsm-profile option which could be
added to RPC to allow runc or Podman to specify a label.

> 		Adrian
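
For the second option in the reply above (the process that creates the socket sets its label), the following is an added example, not code from CRIU, runc or Podman. It uses the kernel file that libselinux's setsockcreatecon() writes to; the `attr_path` parameter, the function names and the label value are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Kernel file that libselinux's setsockcreatecon() writes to (Linux >= 3.17). */
#define SOCKCREATE_ATTR "/proc/thread-self/attr/sockcreate"

/* Write label plus NUL to attr_path; NULL restores the default. 0 or -errno. */
static int write_sockcreate(const char *attr_path, const char *label)
{
    int fd = open(attr_path, O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t n = label ? write(fd, label, strlen(label) + 1) : write(fd, NULL, 0);
    int err = n < 0 ? -errno : 0;
    close(fd);
    return err;
}

/* Returns a UNIX socket created under `label`, or -errno. attr_path is a
 * hypothetical parameter so the logic can be exercised without SELinux. */
int labeled_unix_socket(const char *attr_path, const char *label)
{
    int err = write_sockcreate(attr_path, label);
    if (err < 0)
        return err; /* fail closed: no fallback to a default-labelled socket */
    int sk = socket(AF_UNIX, SOCK_STREAM, 0);
    int sk_err = sk < 0 ? -errno : 0;
    /* Always reset, or every later socket in this thread inherits the label. */
    err = write_sockcreate(attr_path, NULL);
    if (sk >= 0 && err < 0) {
        close(sk);
        return err;
    }
    return sk < 0 ? sk_err : sk;
}

int main(void)
{
    /* Constructed label; a real caller would pass the container's own context. */
    int sk = labeled_unix_socket(SOCKCREATE_ATTR, "system_u:system_r:container_t:s0");
    if (sk < 0)
        fprintf(stderr, "labeled socket: %s\n", strerror(-sk));
    else
        close(sk);
    return sk < 0;
}
```

On a host without SELinux enabled the write to the attribute file fails and no socket is returned, so the caller never ends up with a socket carrying an unintended label.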