Questions about running MAC stuff inside containers

Hey,

I have two questions:

  1. Is it a good idea to run SELinux inside containers on a non-SELinux host, or should I play with SELinux in virtual machines? I’m going to set up a binary package server and test some stuff with SELinux. Does it matter whether the host kernel is compiled with SELinux support?
  2. Is running AppArmor inside containers fine? Does it matter whether these containers will be on a host with AppArmor running or not? Does it matter if the host kernel is compiled with AppArmor support?

Thanks!

LSM stacking doesn’t really work yet on Linux, so you currently can’t mix and match LSMs between containers. If the host is AppArmor, containers can nest AppArmor.
If the host is SELinux, in theory you can label containers.

So in general to test different LSMs, virtual machines are still the easiest option.
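Since the reply above makes the host kernel's active LSM the deciding factor for what a container can nest, here is a small POSIX shell script (an added example, not code from the thread or from any container project) that reports which major LSM the host kernel is actually running. It reads the standard kernel interfaces `/sys/kernel/security/lsm` (comma-separated list of active LSMs), `/sys/module/apparmor/parameters/enabled` and `/sys/fs/selinux/enforce`; it assumes securityfs is mounted at `/sys/kernel/security`, and prints `unknown` when it is not. The `classify_lsms` function takes the LSM list as a string so it can also be exercised on constructed input.

```shell
#!/bin/sh
# Added example (not from the forum thread): show which LSMs the host
# kernel has active, since that decides what a container can nest.
# Kernel interfaces used (assumed present on a modern Linux host):
#   /sys/kernel/security/lsm                  comma-separated active LSMs
#   /sys/module/apparmor/parameters/enabled   "Y" when AppArmor is on
#   /sys/fs/selinux/enforce                   "1" enforcing, "0" permissive

# classify_lsms LIST
# Print the major (access-control) LSMs found in a comma-separated LSM
# list, space-separated on one line; print "none" if none is present.
# Minor LSMs such as capability, yama, lockdown or bpf are ignored.
classify_lsms() {
    list="$1"
    found=""
    old_ifs="$IFS"
    IFS=','
    for lsm in $list; do
        case "$lsm" in
            apparmor|selinux|smack|tomoyo) found="${found}${lsm} " ;;
        esac
    done
    IFS="$old_ifs"
    if [ -z "$found" ]; then
        echo none
    else
        echo "${found% }"   # drop the trailing space
    fi
}

# host_lsm_report
# Read the live kernel state and print a short summary. Falls back to
# "unknown" when securityfs is not mounted (e.g. inside a sandbox).
host_lsm_report() {
    if [ -r /sys/kernel/security/lsm ]; then
        major=$(classify_lsms "$(cat /sys/kernel/security/lsm)")
    else
        major="unknown (securityfs not mounted or no LSM list in this kernel)"
    fi
    echo "major LSM(s): $major"
    if [ -r /sys/module/apparmor/parameters/enabled ]; then
        echo "apparmor enabled: $(cat /sys/module/apparmor/parameters/enabled)"
    fi
    if [ -r /sys/fs/selinux/enforce ]; then
        echo "selinux enforce: $(cat /sys/fs/selinux/enforce)"
    fi
}

host_lsm_report
```

Run it on the host before deciding where to test: if it reports `apparmor`, AppArmor profiles can be nested in containers as the reply describes; if it reports `selinux`, containers can only be labelled; if it reports `none` or `unknown`, neither MAC system is available to the containers at all and a virtual machine is the place to experiment.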
