container_t versus svirt_lxc_net_t
For some reason recently I have been asked via email and twitter about what the difference is between the container_t type and the svirt_lxc_net_t type. Or similarly between container_file_t and svirt_sandbox_file_t. Bottom line, NOTHING. They are aliases of each other.
The SELinux policy language has a typealias statement for exactly this purpose:
typealias container_t alias svirt_lxc_net_t;
typealias container_file_t alias svirt_sandbox_file_t;
When I first started working on containers and SELinux, prior to Docker, we were writing a tool called virt-sandbox that used libvirt to launch containers, specifically libvirt-lxc. We had labeled all of the VMs launched by libvirt svirt_t, which stood for "secure virt". When I decided to write policy for the libvirt-lxc containers, I created a type called svirt_lxc_t. This type was not allowed to do network access, so I added another type called svirt_lxc_net_t that had full network access. The type for content that the svirt_lxc types could manage was svirt_sandbox_file_t (svirt_file_t was already used for virtual machine images). Why I did not call it svirt_lxc_file_t, I don't know.
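Because the old and new names are aliases, AVC denials from a host running older policy (svirt_lxc_net_t, svirt_sandbox_file_t) and from a newer one (container_t, container_file_t) describe the same thing. The following is an added example, not code from the post: it parses typealias statements like the two above into a canonical map and normalizes security contexts and audit lines so they can be compared or grouped regardless of which name appears. The policy snippet and the AVC line are constructed; the example_t statement is a made-up line to exercise the brace form that lists several aliases at once.

```python
import re

# Constructed policy text: the two real typealias statements from the post
# plus a made-up example_t line using the { a b } multi-alias form.
POLICY_SNIPPET = """
typealias container_t alias svirt_lxc_net_t;
typealias container_file_t alias svirt_sandbox_file_t;
typealias example_t alias { old_a_t old_b_t };
"""

# Constructed AVC record in the older naming, as an old host would log it.
SAMPLE_AVC = ('type=AVC msg=audit(1500000000.123:42): avc:  denied  { write } for '
              'pid=1234 comm="httpd" name="index.html" '
              'scontext=system_u:system_r:svirt_lxc_net_t:s0:c123,c456 '
              'tcontext=system_u:object_r:svirt_sandbox_file_t:s0 tclass=file')

TYPEALIAS_RE = re.compile(r"typealias\s+(\w+)\s+alias\s+(\{[^}]*\}|\w+)\s*;")
AVC_CTX_RE = re.compile(r"\b(scontext|tcontext)=(\S+)")


def parse_typealiases(policy_text):
    """Return {alias_name: canonical_type} from typealias statements."""
    aliases = {}
    for canonical, alias_group in TYPEALIAS_RE.findall(policy_text):
        for name in alias_group.strip("{} ").split():
            aliases[name] = canonical
    return aliases


def canonical_type(type_name, aliases):
    """Map an alias to its canonical type; unknown names pass through."""
    return aliases.get(type_name, type_name)


def normalize_context(context, aliases):
    """Rewrite the type field of user:role:type[:range] to the canonical name.
    The MLS/MCS range may itself contain colons, so split at most 3 times."""
    fields = context.split(":", 3)
    if len(fields) < 3:
        raise ValueError(f"not a security context: {context!r}")
    fields[2] = canonical_type(fields[2], aliases)
    return ":".join(fields)


def same_type(ctx_a, ctx_b, aliases):
    """True when two contexts are identical once aliases are resolved."""
    return normalize_context(ctx_a, aliases) == normalize_context(ctx_b, aliases)


def avc_canonical_contexts(avc_line, aliases):
    """Extract scontext/tcontext from an AVC record with alias types resolved."""
    return {key: normalize_context(ctx, aliases)
            for key, ctx in AVC_CTX_RE.findall(avc_line)}
```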