[LSM Stacking] SELinux policy inside container affects a process on Host
Leesoo Ahn
lsahn at wewakecorp.com
Fri Jul 7 08:28:36 UTC 2023
On 2023-07-06 10:43 PM, Paul Moore wrote:
> On Thu, Jul 6, 2023 at 1:20 AM Leesoo Ahn <lsahn at wewakecorp.com> wrote:
> >
> > Hello! Here is another weird behavior of LSM stacking.
> >
> > test env
> > - Ubuntu 23.04 Ubuntu Kernel v6.2 w/ Stacking patch v38
> > - boot param: lsm=apparmor,selinux
> > - AppArmor (Host) + SELinux (LXD Container Fedora 36)
> >
> > In the test environment mentioned above, after enabling SELinux policy
> > enforcement by running "setenforce 1" within the container, executing the
> > following command on the host results in "Permission denied" output.
>
> SELinux operates independently of containers, or kernel namespacing in
> general. When you load a SELinux policy it applies to all processes
> on the system, regardless of where they are in relation to the process
> which loaded the policy into the kernel.
>
> This behavior is independent of the LSM stacking work, you should be
> able to see the same behavior even in cases where SELinux is the only
> loaded LSM on the system.
Thank you for the reply!
So, as far as I understand, the LSM stacking environment of
AppArmor (Host) + SELinux (Container) can't currently provide the feature
"using SELinux policy inside the container shouldn't affect the host side".
If so, I wonder if you and Casey plan to design future features like
that, because my co-workers and I are considering adopting LSM stacking of
AppArmor + SELinux in products where both policies must work
separately.
best regards,
Leesoo
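A host-side check for the situation discussed in this thread, added here as an example and not part of the original exchange: it reports whether SELinux is among the active LSMs and whether it is enforcing for the whole system, so a host administrator can detect a policy that was loaded from inside a container. It assumes the standard kernel interfaces /sys/kernel/security/lsm and /sys/fs/selinux/enforce; the fallback values are constructed so the script also runs where those files are absent.

```shell
#!/bin/sh
# Added example (not from the thread): detect, from the host, an SELinux
# policy that has become enforcing for every process on the system.
# Assumed interfaces: /sys/kernel/security/lsm (comma-separated list of
# active LSMs) and /sys/fs/selinux/enforce (0 or 1).

# lsm_report LSM_LIST ENFORCE_VALUE
# Prints one status line; exit status 1 means "SELinux enforcing on host".
lsm_report() {
  lsm_list=$1
  enforce=$2
  # Wrap the list in commas so "selinux" only matches as a whole entry.
  case ",$lsm_list," in
    *,selinux,*) has_selinux=yes ;;
    *)           has_selinux=no ;;
  esac
  if [ "$has_selinux" = no ]; then
    echo "selinux: not active (lsm=$lsm_list)"
    return 0
  fi
  if [ "$enforce" = "1" ]; then
    echo "selinux: ENFORCING on host (lsm=$lsm_list)"
    return 1
  fi
  echo "selinux: active but permissive (lsm=$lsm_list)"
  return 0
}

# lsm_check: read the live kernel files when readable, otherwise fall back
# to constructed sample values so the script runs anywhere.
lsm_check() {
  if [ -r /sys/kernel/security/lsm ]; then
    list=$(cat /sys/kernel/security/lsm)
  else
    list="lockdown,capability,apparmor,selinux"   # constructed sample
  fi
  if [ -r /sys/fs/selinux/enforce ]; then
    enforce=$(cat /sys/fs/selinux/enforce)
  else
    enforce=0                                     # constructed sample
  fi
  lsm_report "$list" "$enforce"
}

# Run the live check when executed directly; the exit status is the alert.
lsm_check
```

Run it from the host periodically (for example from a monitoring agent); a non-zero exit status after a container ran "setenforce 1" is exactly the cross-boundary effect described above.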