I'm attempting to build/use libvirt-sandbox on Ubuntu 12.xx. Although I'm still working through dependency issues (including the need for libvirt >= 1.0.2 which is not packaged for ubuntu 12.xx) to build the sandbox code, I have a forward looking question. It appears libvirt-bin for Ubuntu likes apparmor as do most Ubuntu-based packages using a LSM impl. However, as I understand libvirt-sandbox is integrated with SELinux to provide security isolation of containers... My question becomes -- *should* libvirt-sandbox work on Ubuntu assuming I use the ubuntu libvirt-bin package and replace apparmor with selinux? Or am I flat out walking into quicksand on Ubuntu here? Without the security aspect of libvirt-sandbox, I wonder if it's viable on ubuntu for those looking to mitigate container security? Thanks
Daniel P. Berrange
2013-Nov-21 11:00 UTC
Re: [libvirt-users] libvirt-sandbox on Ubuntu with SELinux
On Wed, Nov 20, 2013 at 04:02:18PM -0500, boden wrote:
> I'm attempting to build/use libvirt-sandbox on Ubuntu 12.xx.
> Although I'm still working through dependency issues (including the
> need for libvirt >= 1.0.2 which is not packaged for ubuntu 12.xx) to
> build the sandbox code, I have a forward looking question.
>
> It appears libvirt-bin for Ubuntu likes apparmor as do most Ubuntu-
> based packages using a LSM impl. However, as I understand
> libvirt-sandbox is integrated with SELinux to provide security
> isolation of containers...
>
> My question becomes -- *should* libvirt-sandbox work on Ubuntu
> assuming I use the ubuntu libvirt-bin package and replace apparmor
> with selinux? Or am I flat out walking into quicksand on Ubuntu
> here?
>
> Without the security aspect of libvirt-sandbox, I wonder if it's
> viable on ubuntu for those looking to mitigate container security?

We attempted to design the APIs and command line tool syntax such that
it can be ported to apparmor. We've made no attempt to actually do such
a port though. It might be that in 'dynamic' mode, the apparmor stuff
actually 'just works', but I'm really not sure.

Daniel
-- 
|: http://berrange.com  -o-  http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org :|
|: http://autobuild.org  -o-  http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org  -o-  http://live.gnome.org/gtk-vnc :|
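As an added example, not part of this thread and not code from the libvirt or libvirt-sandbox projects: before building libvirt-sandbox on a host, it helps to confirm which security driver that host's libvirt actually advertises, since the thread's whole question turns on whether you are on the SELinux path the sandbox was written for or the AppArmor path Ubuntu's libvirt-bin ships with. The check below reads the <secmodel> element that `virsh capabilities` prints under <host>. The capabilities document in the script is a constructed sample (on a real host you would pipe in `virsh capabilities`), and the verdict table encodes only what Daniel says above: SELinux is the target, AppArmor has had no port attempted, and a host with no security driver gives no LSM confinement at all.

```shell
#!/bin/sh
# Added example, not code from the thread or from the libvirt project.
# Reports which security driver a libvirt host advertises, so you know before
# building libvirt-sandbox whether you are on the SELinux path it targets or
# on the AppArmor path Ubuntu's libvirt-bin ships with. It parses the
# <secmodel> element that appears under <host> in `virsh capabilities` output.

# Constructed sample of a capabilities document from an AppArmor host
# (assumption: on a real host, feed `virsh capabilities` in instead).
# The <cpu> block is included because it also carries a <model> element,
# which a naive grep for "<model>" would confuse with the security model.
SAMPLE_CAPS='<capabilities>
  <host>
    <cpu>
      <arch>x86_64</arch>
      <model>Westmere</model>
    </cpu>
    <secmodel>
      <model>apparmor</model>
      <doi>0</doi>
    </secmodel>
  </host>
</capabilities>'

# Read a capabilities XML document on stdin and print the name of each
# security model the host advertises (one per line, in document order), or
# "none" if libvirt is running with no security driver at all.
secmodel_from_caps() {
    awk '
        /<secmodel>/ { inside = 1 }
        inside && match($0, /<model>[^<]*<\/model>/) {
            # strip the 7-byte "<model>" prefix and the 8-byte "</model>" suffix
            print substr($0, RSTART + 7, RLENGTH - 15)
            found = 1
        }
        /<\/secmodel>/ { inside = 0 }
        END { if (!found) print "none" }
    '
}

# Map a model name to what the thread tells us about libvirt-sandbox on it.
# Prints one of: supported, unported, unconfined, unknown.
sandbox_verdict() {
    case "$1" in
        selinux)  echo supported ;;   # the driver libvirt-sandbox was written for
        apparmor) echo unported ;;    # no port attempted; 'dynamic' mode is untested
        none)     echo unconfined ;;  # no LSM driver: the sandbox gets no MAC confinement
        *)        echo unknown ;;
    esac
}

# Stand-alone usage on the constructed sample; the first advertised model is
# the one libvirt will use for guests by default.
model=$(printf '%s\n' "$SAMPLE_CAPS" | secmodel_from_caps | head -n 1)
echo "host security model: $model -> libvirt-sandbox status: $(sandbox_verdict "$model")"
```

The awk state machine only looks at <model> while inside a <secmodel> block, so the CPU model in the same document is ignored; the close tag is handled after the extraction rule so that a document with the whole <secmodel> element on one line still matches.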