[libvirt-users] libvirt-sandbox on Ubuntu with SELinux

Daniel P. Berrange berrange at redhat.com
Thu Nov 21 11:00:40 UTC 2013


On Wed, Nov 20, 2013 at 04:02:18PM -0500, boden wrote:
> I'm attempting to build/use libvirt-sandbox on Ubuntu 12.xx.
> Although I'm still working through dependency issues (including the
> need for libvirt >= 1.0.2 which is not packaged for ubuntu 12.xx) to
> build the sandbox code, I have a forward looking question.
> 
> It appears libvirt-bin for Ubuntu likes AppArmor, as do most Ubuntu-based
> packages using an LSM impl. However, as I understand it,
> libvirt-sandbox is integrated with SELinux to provide security
> isolation of containers...
> 
> My question becomes -- *should* libvirt-sandbox work on Ubuntu
> assuming I use the ubuntu libvirt-bin package and replace apparmor
> with selinux? Or am I flat out walking into quicksand on Ubuntu
> here?
> 
> Without the security aspect of libvirt-sandbox, I wonder if it's
> viable on Ubuntu for those looking to mitigate container security?

We attempted to design the APIs and command line tool syntax such
that it can be ported to AppArmor. We've made no attempt to actually
do such a port though. It might be that in 'dynamic' mode, the AppArmor
stuff actually 'just works', but I'm really not sure.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
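Before trying virt-sandbox on a host whose libvirt was built for AppArmor, the first thing to check is which security model libvirtd actually reports, since that is what decides whether SELinux-style labels can be applied at all. The script below is an added example, not code from the thread or from the libvirt-sandbox project: it parses the <secmodel> entries that `virsh capabilities` prints under <host> and classifies the host. The XML sample is constructed for offline use and is only used when virsh is absent or libvirtd is not reachable; the `-s dynamic` / `-s static,label=...` spellings of virt-sandbox's security option are quoted from its command line help as the author remembers it and should be confirmed against the installed version.

```shell
#!/bin/sh
# Added example: report which LSM-backed security driver libvirtd exposes,
# and hence which virt-sandbox security mode is even a candidate.
# The libvirt driver itself is selected by the security_driver setting in
# libvirtd's qemu.conf; this script only observes what is in effect.

# Constructed sample of the relevant fragment of 'virsh capabilities' on an
# Ubuntu-style AppArmor host (not captured from a real system).
SAMPLE_CAPS='<capabilities>
  <host>
    <secmodel>
      <model>apparmor</model>
      <doi>0</doi>
    </secmodel>
    <secmodel>
      <model>dac</model>
      <doi>0</doi>
    </secmodel>
  </host>
</capabilities>'

# Print the <model> names found in the capabilities XML, one per line,
# dropping "dac": that entry is plain discretionary access control, not an LSM.
secmodels() {
  printf '%s\n' "$1" \
    | sed -n 's/.*<model>\([^<]*\)<\/model>.*/\1/p' \
    | awk '$0 != "dac"'
}

# Classify the host: prints "selinux", "apparmor", or "none" (DAC only).
lsm_driver() {
  m=$(secmodels "$1" | head -n 1)
  case "$m" in
    selinux|apparmor) printf '%s\n' "$m" ;;
    *)                printf 'none\n' ;;
  esac
}

main() {
  # Prefer the live capabilities; fall back to the constructed sample offline.
  if command -v virsh >/dev/null 2>&1; then
    caps=$(virsh capabilities 2>/dev/null) || caps=$SAMPLE_CAPS
  else
    caps=$SAMPLE_CAPS
  fi
  drv=$(lsm_driver "$caps")
  echo "libvirt security driver: $drv"
  case "$drv" in
    selinux)
      echo "SELinux present: virt-sandbox -s dynamic or -s static,label=... can apply labels" ;;
    apparmor)
      echo "AppArmor present: only 'dynamic' mode is a candidate, and it is untested (see reply above)" ;;
    none)
      echo "no LSM driver: sandbox isolation falls back to DAC only" ;;
  esac
}

main "$@"
```

Run it as `sh check-secmodel.sh` on the host; a result of `apparmor` means any SELinux label you pass to virt-sandbox has nothing to act on, which is the situation the question above is asking about.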
