https://bugzilla.redhat.com/show_bug.cgi?id=2406130
Zygmunt Krynicki <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #4 from Zygmunt Krynicki <[email protected]> ---

Hey Neal, thank you for taking the review.

One point on LSM stacking. This will be very useful for one other reason: it would allow running AppArmor policy inside a container. A Fedora system can then load a vanilla Debian container and, with stacking enabled, do the usual podman SELinux MCS setup, and with an AppArmor namespace in the container, load policies that would apply regular Debian AppArmor behaviour for the workload running there.

My point is that this is not about putting AppArmor policy on top of Fedora, but having the tools available so that containerised workloads can benefit from stronger security. By the nature of LSM stacking, the whole stack has to agree for something to be effectively allowed. Given how poor MCS security is inside a typical podman container (everything is just flat there, per container), it would provide a meaningful improvement without any complexity on the host.

--
package-review mailing list -- [email protected]
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
