Marcus Heese

Authored Comments

This is an awesome article and finally shows in practice how to extend on the default Docker SELinux policy.

I used this today to build an image for Chrony / NTP, and I found out that the mentioned "--add-cap SYS_TIME" is unfortunately not enough when SELinux is enabled, as I could clearly see an AVC message telling me that this capability is denied.

However, together with this guide and this one here: http://developerblog.redhat.com/2015/04/21/introducing-the-atomic-comma… I was able to package an image which gets its SELinux policy module installed during an "atomic install" run.

In general I think that together with Docker and these relatively easy enhancements to SELinux modules, it has become much easier to use and customize SELinux. It is really not as evil as people normally say it is :)