[LSM Stacking] SELinux policy inside container affects a processon Host

[Leesoo Ahn]

23. 7. 7. 23:20에 Paul Moore 이(가) 쓴 글:
> On Fri, Jul 7, 2023 at 4:29 AM Leesoo Ahn <lsahn at wewakecorp.com> wrote:
>  > 2023-07-06 오후 10:43에 Paul Moore 이(가) 쓴 글:
[...]
> 
> What you are looking for is a combination of LSM stacking and
> individual LSM namespacing. Sadly, I think the communications around
> LSM stacking have not been very clear on this and I worry that many
> people are going to be disappointed with LSM stacking for this very
> reason.
> 
> While stacking of LSMs is largely done at the LSM layer, namespacing
> LSMs such that they can be customized for individual containers
> requires work to be done at the per-LSM level as each LSM is
> different. AppArmor already has a namespacing concept, but SELinux
> does not. Due to differences in the approach taken by the two LSMs,
> namespacing is much more of a challenge for SELinux, largely due to
> issues around filesystem labeling. We have not given up on the idea,
> but we have yet to arrive at a viable solution for namespacing
> SELinux.
> 
> If you are interested in stacking SELinux and AppArmor, I believe the
> only practical solution is to run SELinux on the host system (initial
> namespace) and run AppArmor in the containers. Even in a world where
> SELinux is fully namespaced, it would likely still be necessary to run
> some type of SELinux policy on the host (initial namespace) in order
> to support SELinux policies in the containers.

Thank you for the reply. It really helped me to know the current status 
of them and what to do now.

Just a little information for who is interested in the stacking that we 
decided to branch the LSM hooks by which lsm the current process is in 
instead of entirely calling them in order.

Best regards,
Leesoo