# SELinux policy for LXC for RHEL/CentOS/Oracle 6.5.
# It attempts to restrict the container to the same amount of access
# as an unprivileged user. To build and insert this policy module:
# make -f /usr/share/selinux/devel/Makefile lxc.pp
# In your container's lxc config:
# lxc.selinux.context = system_u:system_r:lxc_t:s0:c62,c86,c150,c228
# Ensure your container's rootfs files are labeled:
# chcon -R system_u:object_r:lxc_file_t:s0:c62,c86,c150,c228 /path/to/rootfs
# To keep containers separated from each other, you should vary the MCS
# portion of the contexts above so that each container gets a unique set
# of values; each MCS compartment can be a number from 0-1023.
# Confined domain for the container: instantiate the reference-policy
# unprivileged-user template with the prefix "lxc". The types named
# below (lxc_t, lxc_file_t) are presumably declared by this template or
# elsewhere in the module — confirm against the full policy source.
userdom_unpriv_user_template(lxc)
# Authorize the system_r role for these types, so that the
# system_u:system_r:lxc_t:... context given in the header is a valid
# context the kernel will accept.
role system_r types { lxc_t lxc_file_t };
# Object classes and permissions referenced by this module.
# NOTE(review): statements of this form normally live inside a
# require { } block in a policy module; confirm this excerpt is
# complete as written before building it.
class filesystem { relabelfrom unmount };
class tcp_socket name_bind;
class udp_socket name_bind;
# So lxc can transition to lxc_t on exec.
# Only the transition permission is granted here; there is no
# type_transition rule, so entering lxc_t relies on the explicitly
# requested context (lxc.selinux.context in the header). The MCS
# separation described there is only as strong as the categories chosen
# per container — this policy does not itself enforce uniqueness.
allow unconfined_t lxc_t:process transition;