author    Dan Walsh <dwalsh@redhat.com>  2014-01-30 16:28:02 -0500
committer David Strauss <david@davidstrauss.net>  2014-02-04 13:33:15 -0800
commit    a8828ed93878b4b4866d40ebfb660e54995ff72e (patch)
tree      069b43684335a229432b2fa1f7666d8e62e3e715 /man
parent    483798e0770c65968bbe2b668ece293b2419f2ec (diff)
Add SELinux support to systemd-nspawn

This patch adds two new options:

-Z PROCESS_LABEL
    This specifies the process label to run on processes run within the container.

-L FILE_LABEL
    The file label to assign to memory file systems created within the container.

For example, if you wanted to wrap a container with SELinux sandbox labels, you could execute a command line like the following:

chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
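The two commands in the commit message only do what is intended when the level given to -L (the label stamped on the directory tree by chcon) and the level given to -Z agree. The following POSIX shell script is an added example, not part of this commit or of systemd; it parses the two context strings, refuses to proceed when their MCS level (the part after the third colon, e.g. s0:c0,c1) differs, and prints the chcon and systemd-nspawn command lines for review instead of running them, so it can be exercised on a host without SELinux. The function names and the dry-run behaviour are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the systemd commit): sanity-check the SELinux
# contexts intended for `systemd-nspawn -L` and `-Z` before using them.
# Assumption: a context is "user:role:type[:level]" and the file label's
# level must equal the process label's level for the sandbox to work.

# Print the level part of a context (everything after the third colon),
# or nothing if the context has no level field at all.
ctx_level() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# Print the type field (third colon-separated field) of a context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed only when both contexts carry a level and the levels are identical.
labels_match() {
    fl=$(ctx_level "$1")
    pl=$(ctx_level "$2")
    if [ -z "$fl" ] || [ -z "$pl" ]; then
        return 1
    fi
    if [ "$fl" = "$pl" ]; then
        return 0
    fi
    return 1
}

# Assemble, but do not execute, the relabel and launch commands from the
# commit message for a tree and a label pair. Prints one command per line;
# returns 1 (and explains on stderr) when the labels do not pair up.
plan_labelled_container() {
    dir=$1
    file_label=$2
    process_label=$3
    if ! labels_match "$file_label" "$process_label"; then
        printf 'refusing: level of -L (%s) differs from -Z (%s)\n' \
            "$(ctx_level "$file_label")" "$(ctx_level "$process_label")" >&2
        return 1
    fi
    printf 'chcon %s -R %s\n' "$file_label" "$dir"
    printf 'systemd-nspawn -L %s -Z %s -D %s /bin/sh\n' \
        "$file_label" "$process_label" "$dir"
}

# Dry run with the labels from the commit message (constructed input).
plan_labelled_container /srv/container \
    system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 \
    system_u:system_r:svirt_lxc_net_t:s0:c0,c1
```

Running the script prints the two command lines unchanged; swapping the process label's categories to, say, s0:c0,c2 makes it refuse, which is the mistake that would otherwise surface only as denials once the container is up.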
Diffstat (limited to 'man')
-rw-r--r--  man/systemd-nspawn.xml  29
1 files changed, 29 insertions, 0 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index bec233c1c..08b0457d1 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -249,6 +249,27 @@
</varlistentry>
<varlistentry>
+ <term><option>-L</option></term>
+ <term><option>--file-label=</option></term>
+
+ <listitem><para>Sets the mandatory
+ access control (MAC) file label to be
+ used by tmpfs file systems in the
+ container.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-Z</option></term>
+ <term><option>--process-label=</option></term>
+
+ <listitem><para>Sets the mandatory
+ access control (MAC) label to be used by
+ processes in the container.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>--uuid=</option></term>
<listitem><para>Set the specified UUID
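Review bot: the new entries for `-L`/`--file-label=` and `-Z`/`--process-label=` say only "mandatory access control (MAC)" and never mention SELinux, although the commit title makes these SELinux-only; suggest "Sets the SELinux (MAC) file label ..." and "... SELinux (MAC) process label ...", together with a note that the argument is a full security context (as in the commit message's `system_u:object_r:svirt_sandbox_file_t:s0:c0,c1`) and a sentence on what happens when SELinux is disabled on the host. The wording is also inconsistent with the commit message: `-L` is described there as applying to "memory file systems created within the container" but here as "tmpfs file systems in the container"; pick one.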
@@ -456,6 +477,14 @@
btrfs snapshot.</para>
</refsect1>
+ <refsect1>
+ <title>Example 6</title>
+
+ <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
+# systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting>
+
+ <para>This runs a container with SELinux sandbox labels.</para>
+ </refsect1>
<refsect1>
<title>Exit status</title>
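Review bot: the only explanation of Example 6 is "This runs a container with SELinux sandbox labels.", which does not tell the reader why the `chcon -R` step has to precede `systemd-nspawn`, or why the `-L` and `-Z` labels both end in `s0:c0,c1`. Suggest expanding the para: `chcon` relabels the tree under /srv/container so its on-disk label equals the one passed to `-L`, and the categories in the file label and the process label must be the same for processes in the container to be allowed access to those files; a reader who changes one of the two without the other would otherwise only find out through denials at runtime. It would also help to state that the `#` prompt means both commands run as root.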