[LSM Stacking] SELinux policy inside container affects a process on Host

Leesoo Ahn lsahn at wewakecorp.com
Fri Jul 7 01:17:28 UTC 2023



On 2023-07-07 at 9:36 AM, Serge E. Hallyn wrote:
> On Thu, Jul 06, 2023 at 09:43:01AM -0400, Paul Moore wrote:
>  > On Thu, Jul 6, 2023 at 1:20 AM Leesoo Ahn <lsahn at wewakecorp.com> wrote:
>  > >
>  > > Hello! Here is another weird behavior of lsm stacking..
>  > >
>  > > test env
>  > > - Ubuntu 23.04 Ubuntu Kernel v6.2 w/ Stacking patch v38
>  > > - boot param: lsm=apparmor,selinux
>  > > - AppArmor (Host) + SELinux (LXD Container Fedora 36)
>  > >
>  > > In the test environment mentioned above and applying selinux policy
>  > > enforcing by running "setenforce 1" within the container, executing the
>  > > following command on the host will result in "Permission denied" output.
>  >
>  > SELinux operates independently of containers, or kernel namespacing in
>  > general. When you load a SELinux policy it applies to all processes
>  > on the system, regardless of where they are in relation to the process
>  > which loaded the policy into the kernel.
>  >
>  > This behavior is independent of the LSM stacking work, you should be
>  > able to see the same behavior even in cases where SELinux is the only
> 
> The real question might be what kind of container was this? Since it
> was allowed to setenforce 1, it must not have been in a user namespace?
> Did you do "lxc config set c1 security.privileged true" ?

Yes, I did. The reason was that I wanted to use SELinux policy in 
enforcing mode inside the container and expected it to apply only to 
the container side.
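The thread turns on one setting: a container started with `security.privileged true` runs without a user namespace, so it can run `setenforce 1` and the resulting SELinux state is host-wide. The audit below is an added example, not code from this thread or from LXD; it parses text in the shape of `lxc config show <name> --expanded` output (constructed samples, not captured from a real host) and flags every container whose `config:` section sets `security.privileged`, which is the check Serge's question implies an operator should be making before trusting that an in-container policy stays in the container.

```python
"""
Audit LXD container configs for the setting that lets a container's LSM state
reach the host.  Added example; not from the thread or from LXD itself.
Input is constructed text in the shape of `lxc config show <name> --expanded`
(a YAML document with a top-level `config:` mapping).  Only
`security.privileged` is examined, because that is the setting the thread names.
"""

import re

# Constructed sample outputs for two containers (not captured from a real host).
SAMPLE_CONFIGS = {
    "c1": """\
architecture: x86_64
config:
  image.description: Fedora 36 amd64 (20220705)
  security.privileged: "true"
  volatile.last_state.power: RUNNING
devices:
  root:
    path: /
    pool: default
    type: disk
""",
    "c2": """\
architecture: x86_64
config:
  image.description: Fedora 36 amd64 (20220705)
  volatile.last_state.power: RUNNING
devices: {}
""",
}

_TOP_KEY = re.compile(r"^(\S[^:]*):")            # unindented "key:" line
_CFG_ENTRY = re.compile(r"^\s+([^:\s]+):\s*(.*)$")  # indented "key: value" line


def parse_config_section(text):
    """Return the key/value pairs found under the top-level `config:` mapping."""
    entries = {}
    in_config = False
    for line in text.splitlines():
        if _TOP_KEY.match(line):
            # A new top-level key starts; we only care about lines under config:
            in_config = line.startswith("config:")
            continue
        if not in_config:
            continue
        m = _CFG_ENTRY.match(line)
        if m:
            entries[m.group(1)] = m.group(2).strip().strip('"\'')
    return entries


def is_privileged(config_text):
    """True when security.privileged is set to a truthy spelling.

    "true", "1", "yes" and "on" are the spellings assumed here for LXD booleans.
    """
    value = parse_config_section(config_text).get("security.privileged", "false")
    return value.lower() in ("true", "1", "yes", "on")


def audit(configs):
    """Map container name -> True if it runs privileged (no user namespace)."""
    return {name: is_privileged(text) for name, text in configs.items()}


if __name__ == "__main__":
    for name, priv in audit(SAMPLE_CONFIGS).items():
        if priv:
            print(f"{name}: privileged; setenforce/policy load inside it is host-wide")
        else:
            print(f"{name}: unprivileged")
```

On a real host the input would come from `lxc config show <name> --expanded` per container; the parser deliberately does not pull in a YAML library so it runs anywhere Python does.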


