> From: Shweta Shinde [mailto:shwetasshind...@gmail.com]
> Sent: Tuesday, 31 January 2012 13:09
> To: lxc-users@lists.sourceforge.net
> Subject: [Lxc-users] Security in LXC
>
> Hi everyone,
> I am working on LXC containers for my project. I am interested in the
> security aspects of LXC.
> What are the security threats from an isolation perspective while using
> containers?
>
> How can we use SELinux to secure a container?
> Any information will be very helpful.

To my understanding, lxc without LSM is only useful to separate processes or network traffic for simpler setup/administration, but currently the lxc-separation is not very strict from a security point of view. Without LSM and lxc system virtualization, guest root == host root, e.g. via access of /proc/kcore, mem, ...

See http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg03039.html

Since I'm not sure that I could harden an LSM policy that prevents a guest UID=0 process from accessing anything outside the container (there may be a thousand ways via proc and syscalls that I don't know about), I refrained from using lxc for system virtualization until secure open-source policies are available.

Kind regards,
Roman
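
The two conditions the reply describes (guest root being host root, and kernel memory files being reachable without an LSM) can be checked from inside a container. The following is an added example, not part of the original thread or the LXC project: the function names are hypothetical, it assumes a kernel that exposes `/proc/self/uid_map` and `/proc/self/attr/current`, and it reads the reply's "mem" as `/dev/mem`.

```shell
#!/bin/sh
# Added example: run as root INSIDE a container to audit its isolation.
# Function names are hypothetical; the /proc files are kernel interfaces.

# True (0) if UID 0 in this namespace is UID 0 on the host.
# uid_map lines are: <first-uid-inside> <first-uid-outside> <count>
root_is_host_root() {
    map="${1:-/proc/self/uid_map}"
    [ -r "$map" ] || return 0   # no uid_map: UIDs are shared with the host
    awk '$1 <= 0 && $1 + $3 > 0 && $2 - $1 == 0 { hit = 1 }
         END { exit !hit }' "$map"
}

# True (0) if the process runs under an enforcing LSM label.
# Heuristic (assumption): empty, "unconfined" or AppArmor complain mode
# all count as NOT confined.
lsm_confined() {
    label=$(cat "${1:-/proc/self/attr/current}" 2>/dev/null | tr -d '\000')
    case "$label" in
        ''|*unconfined*|*'(complain)'*) return 1 ;;
        *) return 0 ;;
    esac
}

# True (0) if the file can really be opened for reading. An actual open is
# used because an LSM can deny what the mode bits would allow.
can_open() { ( : < "$1" ) 2>/dev/null; }

audit() {
    rc=0
    if root_is_host_root; then
        echo "FAIL: container UID 0 maps to host UID 0"; rc=1
    fi
    if ! lsm_confined; then
        echo "FAIL: no enforcing LSM label on this process"; rc=1
    fi
    for p in /proc/kcore /dev/mem; do
        if can_open "$p"; then echo "FAIL: $p can be opened"; rc=1; fi
    done
    return $rc
}

# Run the audit only when asked to: sh audit.sh audit
if [ "${1:-}" = audit ]; then audit; fi
```

A container that passes all three checks is not thereby proven safe; as the reply notes, there may be other paths through proc and syscalls that this does not cover.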