Questions about running MAC stuff inside containers


I have two questions:

  1. Is it a good idea to run SELinux inside containers on the non-SELinux host or should I play with SELinux in the virtual machines? I’m going to a setup binary package server, and test some stuff with SELinux. Does matter whether host kernel is compiled with SELinux support?
  2. Is running Apparmor inside containers fine? Does matter whether these containers will be on the host with running Apparmor or not? Does matter if the host kernel is compiled with Apparmor support?


LSM stacking doesn’t really work yet on Linux, so you currently can’t mix and match LSMs between containers. If the host is AppArmor, containers can nest AppArmor.
If the host is SELinux, in theory you can label containers.

So in general to test different LSMs, virtual machines are still the easiest option.

1 Like