[LSM Stacking] SELinux policy inside container affects a process on Host

Serge E. Hallyn serge at hallyn.com
Fri Jul 7 00:35:47 UTC 2023


On Thu, Jul 06, 2023 at 09:43:01AM -0400, Paul Moore wrote:
> On Thu, Jul 6, 2023 at 1:20 AM Leesoo Ahn <lsahn at wewakecorp.com> wrote:
> >
> > Hello! Here is another weird behavior of lsm stacking..
> >
> > test env
> > - Ubuntu 23.04 Ubuntu Kernel v6.2 w/ Stacking patch v38
> > - boot param: lsm=apparmor,selinux
> > - AppArmor (Host) + SELinux (LXD Container Fedora 36)
> >
> > In the test environment mentioned above and applying selinux policy
> > enforcing by running "setenforce 1" within the container, executing the
> > following command on the host will result in "Permission denied" output.
> 
> SELinux operates independently of containers, or kernel namespacing in
> general.  When you load a SELinux policy it applies to all processes
> on the system, regardless of where they are in relation to the process
> which loaded the policy into the kernel.
> 
> This behavior is independent of the LSM stacking work, you should be
> able to see the same behavior even in cases where SELinux is the only

The real question might be what kind of container was this?  Since it
was allowed to setenforce 1, it must not have been in a user namespace?
Did you do "lxc config set c1 security.privileged true" ?
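A small diagnostic that follows from the point above, added here and not part of the thread: a container whose processes live in a nested user namespace cannot reach the host's SELinux state, whereas one in the initial user namespace with a writable selinuxfs can change enforcement for every process on the machine. It classifies from /proc/self/uid_map and /sys/fs/selinux/enforce; the function names and the "privileged"/"confined" labels are my own.

```shell
#!/bin/sh
# Return 0 when the uid_map text describes the full identity mapping
# "0 0 4294967295", i.e. the initial user namespace; a nested user
# namespace (what an unprivileged LXD container gets) never maps the
# whole 2^32 range onto itself.
is_initial_userns_map() {
    printf '%s\n' "$1" | awk '
        $1 == 0 && $2 == 0 && $3 == 4294967295 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Classify what a process in this context can do to SELinux:
#   privileged     - initial userns AND writable selinuxfs: setenforce or
#                    a policy load here applies to the host kernel
#   initial-userns - initial userns but selinuxfs not writable
#   confined       - nested userns: the kernel refuses SELinux changes
classify_container() {
    uid_map="$1"      # contents of /proc/self/uid_map
    selinuxfs_rw="$2" # "yes" if /sys/fs/selinux/enforce is writable
    if is_initial_userns_map "$uid_map" && [ "$selinuxfs_rw" = "yes" ]; then
        echo "privileged"
    elif is_initial_userns_map "$uid_map"; then
        echo "initial-userns"
    else
        echo "confined"
    fi
}

# Live check for the current process; on the LXD host the equivalent
# question is "lxc config get <name> security.privileged".
check_self() {
    map=$(cat /proc/self/uid_map 2>/dev/null || echo "")
    if [ -w /sys/fs/selinux/enforce ]; then rw=yes; else rw=no; fi
    classify_container "$map" "$rw"
}
```

Run check_self inside the container: "confined" means the uid_map shows a nested mapping and the setenforce in the report could not have succeeded from there.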



More information about the Linux-security-module-archive mailing list