[LSM Stacking] SELinux policy inside container affects a process on Host

Casey Schaufler casey at schaufler-ca.com
Mon Jul 17 15:51:08 UTC 2023


On 7/17/2023 8:24 AM, Leesoo Ahn wrote:
> On 23. 7. 7. 23:20, Paul Moore wrote:
>> On Fri, Jul 7, 2023 at 4:29 AM Leesoo Ahn <lsahn at wewakecorp.com> wrote:
>>  > On 2023-07-06 10:43 PM, Paul Moore wrote:
> [...]
>>
>> What you are looking for is a combination of LSM stacking and
>> individual LSM namespacing. Sadly, I think the communications around
>> LSM stacking have not been very clear on this and I worry that many
>> people are going to be disappointed with LSM stacking for this very
>> reason.
>>
>> While stacking of LSMs is largely done at the LSM layer, namespacing
>> LSMs such that they can be customized for individual containers
>> requires work to be done at the per-LSM level as each LSM is
>> different. AppArmor already has a namespacing concept, but SELinux
>> does not. Due to differences in the approach taken by the two LSMs,
>> namespacing is much more of a challenge for SELinux, largely due to
>> issues around filesystem labeling. We have not given up on the idea,
>> but we have yet to arrive at a viable solution for namespacing
>> SELinux.
>>
>> If you are interested in stacking SELinux and AppArmor, I believe the
>> only practical solution is to run SELinux on the host system (initial
>> namespace) and run AppArmor in the containers. Even in a world where
>> SELinux is fully namespaced, it would likely still be necessary to run
>> some type of SELinux policy on the host (initial namespace) in order
>> to support SELinux policies in the containers.
>
> Thank you for the reply. It really helped me to know the current
> status of them and what to do now.
>
> Just a little information for who is interested in the stacking that
> we decided to branch the LSM hooks by which lsm the current process is
> in instead of entirely calling them in order.

Could you describe your approach more fully?

>
> Best regards,
> Leesoo
