Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It's a virtual machine, so its SELinux support should be separate from what the host is doing


SELinux on a host should restrict KVM (and X/Wayland, and the sound server,).

SELinux in a guest [VM or container] should restrict processes in the guest from interfering with other processes and resources in the guest.

IMHO, Nested UIDs like uid1.subuid1.subuid2 would be better for rootless containers than root-writeable /etc/subuids.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: