[LSM Stacking] SELinux policy inside container affects a process on Host
Leesoo Ahn
lsahn at wewakecorp.com
Fri Jul 7 01:17:28 UTC 2023
On 2023-07-07 at 9:36 AM, Serge E. Hallyn wrote:
> On Thu, Jul 06, 2023 at 09:43:01AM -0400, Paul Moore wrote:
> > On Thu, Jul 6, 2023 at 1:20 AM Leesoo Ahn <lsahn at wewakecorp.com> wrote:
> > >
> > > Hello! Here is another weird behavior of LSM stacking.
> > >
> > > test env
> > > - Ubuntu 23.04 Ubuntu Kernel v6.2 w/ Stacking patch v38
> > > - boot param: lsm=apparmor,selinux
> > > - AppArmor (Host) + SELinux (LXD Container Fedora 36)
> > >
> > > In the test environment mentioned above, with SELinux policy enforcing
> > > enabled by running "setenforce 1" within the container, executing the
> > > following command on the host will result in "Permission denied"
> > > output.
> >
> > SELinux operates independently of containers, or kernel namespacing in
> > general. When you load a SELinux policy it applies to all processes
> > on the system, regardless of where they are in relation to the process
> > which loaded the policy into the kernel.
> >
> > This behavior is independent of the LSM stacking work; you should be
> > able to see the same behavior even in cases where SELinux is the only
>
> The real question might be what kind of container was this? Since it
> was allowed to setenforce 1, it must not have been in a user namespace?
> Did you do "lxc config set c1 security.privileged true" ?
Yes, I did, because I wanted to use SELinux policy in enforcing mode
inside the container and expected it to apply only to the container
side.
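The question raised above, whether the container sat in a user namespace and so whether a policy load or "setenforce 1" inside it is really host-wide, can be answered from inside the container. The following POSIX shell check is an added example, not code from the thread; it reads the standard kernel interfaces /proc/self/uid_map and /sys/kernel/security/lsm, and the function names and warning text are my own.

```shell
#!/bin/sh
# Added example: decide from inside a container whether loading SELinux
# policy or running "setenforce 1" here would affect the whole host.
# Two conditions must both hold: we are in the initial user namespace
# (e.g. an LXD container with security.privileged=true, so CAP_MAC_ADMIN
# is the host's) and SELinux is one of the active LSMs.

# $1: contents of /proc/self/uid_map. The identity map "0 0 4294967295"
# means no uid remapping, i.e. the caller is in the initial user namespace.
is_init_userns_map() {
    set -- $1
    [ "$#" -eq 3 ] && [ "$1" = 0 ] && [ "$2" = 0 ] && [ "$3" = 4294967295 ] \
        && echo yes || echo no
}

# $1: contents of /sys/kernel/security/lsm (comma-separated active LSMs,
# e.g. "lockdown,capability,yama,apparmor,selinux" for lsm=apparmor,selinux)
# $2: LSM name to look for
lsm_active() {
    case ",$1," in
        *",$2,"*) echo yes ;;
        *)        echo no ;;
    esac
}

# Read the live kernel state and report. Missing files (non-Linux host,
# securityfs not mounted) are treated as "unknown" rather than aborting.
assess() {
    uid_map=$(cat /proc/self/uid_map 2>/dev/null || echo "")
    lsms=$(cat /sys/kernel/security/lsm 2>/dev/null || echo "")
    init_ns=$(is_init_userns_map "$uid_map")
    sel=$(lsm_active "$lsms" selinux)
    echo "initial user namespace: $init_ns"
    echo "selinux among active LSMs: $sel (list: '${lsms:-unknown}')"
    if [ "$init_ns" = yes ] && [ "$sel" = yes ]; then
        echo "WARNING: policy load / setenforce from here applies to every process on the host"
    else
        echo "policy load from here is not host-wide (or SELinux is not active)"
    fi
}

assess
```

Run it inside the container: the warning line is the condition the thread describes, a privileged container on a kernel booted with SELinux active.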