[LSM Stacking] SELinux policy inside container affects a processon Host

[Leesoo Ahn]

I hope you have a great day today

2023-07-07 오후 11:20에 Paul Moore 이(가) 쓴 글:
> On Fri, Jul 7, 2023 at 4:29 AM Leesoo Ahn <lsahn at wewakecorp.com> wrote:

[...]

> 
> What you are looking for is a combination of LSM stacking and
> individual LSM namespacing. Sadly, I think the communications around
> LSM stacking have not been very clear on this and I worry that many
> people are going to be disappointed with LSM stacking for this very
> reason.
> 
> While stacking of LSMs is largely done at the LSM layer, namespacing
> LSMs such that they can be customized for individual containers
> requires work to be done at the per-LSM level as each LSM is
> different. AppArmor already has a namespacing concept, but SELinux
> does not. Due to differences in the approach taken by the two LSMs,
> namespacing is much more of a challenge for SELinux, largely due to
> issues around filesystem labeling. We have not given up on the idea,
> but we have yet to arrive at a viable solution for namespacing
> SELinux.
> 
> If you are interested in stacking SELinux and AppArmor, I believe the
> only practical solution is to run SELinux on the host system (initial
> namespace) and run AppArmor in the containers. 

Paul, I don't get that SELinux on the host system and run AppArmor in 
the containers is the only practical solution. Could you please explain 
that in more details?

Best regards,
Leesoo