SELinux policies in containers
Posted Oct 13, 2011 8:04 UTC (Thu) by wtogami (subscriber, #32325)
Parent article: Running distributions in containers
http://www.google.com/patents/about?id=q9PVAAAAEBAJ
A few years ago we wrote this design for a method to load a SELinux policy through a simple translation layer to have it protect a chroot container as if it were an independent system. It basically attaches a per-container namespace to SELinux context names, fs labels, perhaps a fuse-like per-container /selinux translation layer, and relies upon the host kernel to enforce in the way it usually does. The benefit to this approach is you can use almost unmodified SELinux policies. SELinux is of course only part of the container isolation requirements.
I'm surprised this article didn't mention VServer or OpenVZ. Don't those container methods have some kind of virtualized /sys and /proc? I might be wrong.
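To make the translation-layer idea in the comment above concrete, here is an added toy model (written for this page; it is not code from the commenter, the linked patent, or any SELinux project). It namespaces the type field of container-local contexts with a per-container prefix, loads the same unmodified policy fragment once per container into a single host rule table, and lets the host decide access. The context format, the prefix scheme (`c<container>_`), the rule representation and the sample policy are all assumptions constructed for illustration, not the real kernel or libselinux API.

```python
# Added example: per-container namespacing of SELinux contexts so one unmodified
# policy can be loaded for several containers and enforced by a single host table.
# The naming scheme, rule format and sample policy below are constructed for this
# illustration and are not the real SELinux policy or kernel interfaces.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Context = Tuple[str, str, str, str]  # (user, role, type, level)


def parse_context(s: str) -> Context:
    """Split 'user:role:type:level' into its four fields."""
    parts = s.split(":")
    if len(parts) != 4:
        raise ValueError(f"malformed context: {s!r}")
    return parts[0], parts[1], parts[2], parts[3]


def fmt(c: Context) -> str:
    return ":".join(c)


class ContextTranslator:
    """Rewrites container-local contexts to host contexts (and back) by
    prefixing the type with a per-container tag. Assumed scheme: c<name>_."""

    def __init__(self, container: str):
        self.prefix = f"c{container}_"

    def to_host(self, ctx: str) -> str:
        u, r, t, lvl = parse_context(ctx)
        return fmt((u, r, self.prefix + t, lvl))

    def to_container(self, ctx: str) -> str:
        """The view a per-container /selinux would present; labels that do
        not belong to this container are simply not visible."""
        u, r, t, lvl = parse_context(ctx)
        if not t.startswith(self.prefix):
            raise PermissionError(f"{ctx} is not visible inside this container")
        return fmt((u, r, t[len(self.prefix):], lvl))


@dataclass
class HostPolicy:
    """Host-side allow rules keyed by (source type, target type)."""
    allow: Dict[Tuple[str, str], Set[str]]

    def load_container_policy(self, tr: ContextTranslator,
                              rules: List[Tuple[str, str, Set[str]]]) -> None:
        """Load an unmodified container policy through the translator, so
        every type it names lands in that container's namespace."""
        for src, tgt, perms in rules:
            key = (tr.prefix + src, tr.prefix + tgt)
            self.allow.setdefault(key, set()).update(perms)

    def check(self, scontext: str, tcontext: str, perm: str) -> bool:
        """Host-side decision on already-translated (host) contexts."""
        st = parse_context(scontext)[2]
        tt = parse_context(tcontext)[2]
        return perm in self.allow.get((st, tt), set())


# Constructed sample: one unmodified policy fragment, loaded into two containers.
UNMODIFIED_POLICY = [
    ("httpd_t", "httpd_sys_content_t", {"read", "getattr"}),
]


def demo() -> Dict[str, bool]:
    host = HostPolicy(allow={})
    web, db = ContextTranslator("web"), ContextTranslator("db")
    host.load_container_policy(web, UNMODIFIED_POLICY)
    host.load_container_policy(db, UNMODIFIED_POLICY)

    # Each container labels its own files with the stock policy's type names;
    # the translator turns them into distinct host types.
    proc_in_web = web.to_host("system_u:system_r:httpd_t:s0")
    file_in_web = web.to_host("system_u:object_r:httpd_sys_content_t:s0")
    file_in_db = db.to_host("system_u:object_r:httpd_sys_content_t:s0")
    return {
        "web_reads_own_content": host.check(proc_in_web, file_in_web, "read"),
        "web_reads_db_content": host.check(proc_in_web, file_in_db, "read"),
        "web_writes_own_content": host.check(proc_in_web, file_in_web, "write"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The point of the model is that the policy text never changes: `httpd_t` in the web container and `httpd_t` in the db container become different host types, so a rule written once applies inside each container but grants nothing across the boundary, and the host kernel's ordinary enforcement does the work. What the model leaves out, as the comment also notes, is everything else a container needs beyond SELinux.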