[LSM Stacking] SELinux policy inside container affects a processon Host

Leesoo Ahn lsahn at wewakecorp.com
Fri Jul 28 01:54:23 UTC 2023


I hope you have a great day today

2023-07-07 오후 11:20에 Paul Moore 이(가) 쓴 글:
> On Fri, Jul 7, 2023 at 4:29 AM Leesoo Ahn <lsahn at wewakecorp.com> wrote:

[...]

> 
> What you are looking for is a combination of LSM stacking and
> individual LSM namespacing. Sadly, I think the communications around
> LSM stacking have not been very clear on this and I worry that many
> people are going to be disappointed with LSM stacking for this very
> reason.
> 
> While stacking of LSMs is largely done at the LSM layer, namespacing
> LSMs such that they can be customized for individual containers
> requires work to be done at the per-LSM level as each LSM is
> different. AppArmor already has a namespacing concept, but SELinux
> does not. Due to differences in the approach taken by the two LSMs,
> namespacing is much more of a challenge for SELinux, largely due to
> issues around filesystem labeling. We have not given up on the idea,
> but we have yet to arrive at a viable solution for namespacing
> SELinux.
> 
> If you are interested in stacking SELinux and AppArmor, I believe the
> only practical solution is to run SELinux on the host system (initial
> namespace) and run AppArmor in the containers. 

Paul, I don't get that SELinux on the host system and run AppArmor in 
the containers is the only practical solution. Could you please explain 
that in more details?

Best regards,
Leesoo



More information about the Linux-security-module-archive mailing list