[LSM Stacking] SELinux policy inside container affects a process on Host

Paul Moore paul at paul-moore.com
Thu Jul 6 13:43:01 UTC 2023


On Thu, Jul 6, 2023 at 1:20 AM Leesoo Ahn <lsahn at wewakecorp.com> wrote:
>
> Hello! Here is another weird behavior of lsm stacking..
>
> test env
> - Ubuntu 23.04 Ubuntu Kernel v6.2 w/ Stacking patch v38
> - boot param: lsm=apparmor,selinux
> - AppArmor (Host) + SELinux (LXD Container Fedora 36)
>
> In the test environment mentioned above, after enabling SELinux policy
> enforcing by running "setenforce 1" within the container, executing the
> following command on the host will result in "Permission denied" output.

SELinux operates independently of containers, or kernel namespacing in
general.  When you load an SELinux policy it applies to all processes
on the system, regardless of where they are in relation to the process
which loaded the policy into the kernel.

This behavior is independent of the LSM stacking work; you should be
able to see the same behavior even in cases where SELinux is the only
loaded LSM on the system.

-- 
paul-moore.com
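As an added host-side check (not part of the thread or of the kernel tree), the POSIX shell function below reads the kernel-wide LSM list from securityfs and the SELinux enforcing flag from selinuxfs, which, as Paul explains, are single kernel-global values: a "setenforce 1" issued inside a container flips the same flag the host sees. The root-directory argument and the constructed demo tree are assumptions for offline testing; on a real host call it with no argument.

```shell
#!/bin/sh
# Report the kernel-wide LSM list and SELinux mode as seen from the host.
# ROOT (first argument) defaults to "/"; a constructed tree can be passed
# for testing. Both files reflect global kernel state, not container state.
selinux_host_state() {
    root="${1:-}"
    lsm_file="$root/sys/kernel/security/lsm"
    enforce_file="$root/sys/fs/selinux/enforce"

    if [ -r "$lsm_file" ]; then
        lsms=$(cat "$lsm_file")
    else
        lsms="unknown (securityfs not mounted?)"
    fi

    # The list is comma separated; wrap it so "selinux" matches as a whole item.
    case ",$lsms," in
        *,selinux,*) selinux_active=yes ;;
        *)           selinux_active=no ;;
    esac

    if [ "$selinux_active" = yes ] && [ -r "$enforce_file" ]; then
        case "$(cat "$enforce_file")" in
            1) mode=enforcing ;;
            0) mode=permissive ;;
            *) mode=unknown ;;
        esac
    elif [ "$selinux_active" = yes ]; then
        mode="selinuxfs not mounted"
    else
        mode="not active"
    fi

    printf 'lsms=%s selinux=%s\n' "$lsms" "$mode"
}

# Constructed (assumed) sysfs tree mirroring the thread's setup: a kernel
# booted with lsm=apparmor,selinux after a container ran "setenforce 1".
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/sys/kernel/security" "$demo/sys/fs/selinux"
    printf 'lockdown,capability,yama,apparmor,selinux' > "$demo/sys/kernel/security/lsm"
    printf '1\n' > "$demo/sys/fs/selinux/enforce"
    printf '%s\n' "$demo"
}
```

If the host administrator never ran setenforce but the function reports "enforcing", the flag was set from elsewhere on the same kernel, for example from a container with selinuxfs mounted writable.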
