[PATCH v4 00/23] LSM: Module stacking for AppArmor

John Johansen john.johansen at canonical.com
Thu Jun 27 23:44:55 UTC 2019


On 6/27/19 4:16 PM, James Morris wrote:
> On Thu, 27 Jun 2019, John Johansen wrote:
> 
>> I have more test combinations churning but figure I could report what I have so far
> 
> Do you have any way to test the nested scenario of say an AppArmor host 
> with SELinux running in containers?
> 

No, an SELinux container doesn't really work atm. The issue is to do with
namespacing. I can boot an AppArmor host with SELinux enabled, but the
container loading SELinux policy gets interesting, and without namespacing
the container policy affects the host.

It is of course possible to label the system such that you can sort of
make it work, but it isn't really practical.

I have played with the selinuxns branch trying to get this to work, but
I ran into some issues I couldn't resolve. However it has been five
months since I tried that so I can look at it again.

The AppArmor container on an SELinux host case is easier partly because of
how policy is applied, partly because namespacing of its policy is already
supported upstream, and partly because I just know it better.

I do have plans to test the AppArmor container on SELinux but I haven't
gotten that far and am planning on waiting for this one until Casey kicks
out v5.