update docs
Signed-off-by: Victor Vieux <vieux@docker.com>
This commit is contained in:
Victor Vieux
parent
c2c5e57a8e
commit
226bc669aa
|
|
@ -393,8 +393,8 @@ changes will also be reflected on the host in /var/db.
|
||||||
|
|
||||||
## Using alternative security labeling
|
## Using alternative security labeling
|
||||||
|
|
||||||
If you want to use the same label for multiple containers you can override use
|
If you want to use the same label for multiple containers, you can override use
|
||||||
the security-opt flag to select an MCS level. This is a common practive for MLS
|
the security-opt flag to select an MCS level. This is a common practice for MLS
|
||||||
systems. But it also might help in cases where you want to share the same
|
systems. But it also might help in cases where you want to share the same
|
||||||
content between containers. Run the following command.
|
content between containers. Run the following command.
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -231,23 +231,23 @@ the container exits**, you can add the `--rm` flag:
|
||||||
--security-opt="label:type:TYPE" : Set the label type for the container
|
--security-opt="label:type:TYPE" : Set the label type for the container
|
||||||
--security-opt="label:level:LEVEL" : Set the label level for the container
|
--security-opt="label:level:LEVEL" : Set the label level for the container
|
||||||
--security-opt="label:disable" : Turn off label confinement for the container
|
--security-opt="label:disable" : Turn off label confinement for the container
|
||||||
|
--secutity-opt="apparmor:PROFILE" : Set the apparmor profile to be applied
|
||||||
|
to the container
|
||||||
|
|
||||||
If you want to use the same label for multiple containers you can override use
|
If you want to use the same label for multiple containers, you can override use
|
||||||
the security-opt flag to select an MCS level. This is a common practive for MLS
|
the security-opt flag to select an MCS level. This is a common practice for MLS
|
||||||
systems. But it also might help in cases where you want to share the same
|
systems. But it also might help in cases where you want to share the same
|
||||||
content between containers. Run the following command.
|
content between containers. Run the following command.
|
||||||
|
|
||||||
# docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash
|
# docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash
|
||||||
|
|
||||||
Run the follwing command if you want to disable the labeling controls for just
|
Run the following command if you want to disable the labeling controls for just
|
||||||
this container.
|
this container.
|
||||||
|
|
||||||
# docker run --security-opt label:disable -i -t fedora bash
|
# docker run --security-opt label:disable -i -t fedora bash
|
||||||
|
|
||||||
If you decide you would like to work with a tighter policy on your container.
|
Run the following command if you want to run a container that could only listen
|
||||||
For example if you want to run a container that could only listen on apache
|
on apache ports.
|
||||||
ports, and not connect to the network. You could select an alternate type to
|
|
||||||
run the container execute the following command.
|
|
||||||
|
|
||||||
# docker run --security-opt label:type:svirt_apache_t -i -t fedora bash
|
# docker run --security-opt label:type:svirt_apache_t -i -t fedora bash
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue