-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/06/2013 03:38 PM, Richard W.M. Jones wrote: > On Fri, Sep 06, 2013 at 09:10:24PM +0200, 80 wrote: >> No, it's less secure than kvm but it still provides better isolation than >> a mere chroot. > > It doesn't matter if it's more secure than a chroot, because that's not > what we're talking about. This is about whether you want > random-person-off-the-internet to upload any software they like and run it > on your server, and you *do not* want to do that with either a chroot or a > Linux container [even if OpenShift got away with it]. > > And ... > >> Secure containers as dwalsh described is a worthy improvement. > > ... SELinux labels will not make that situation any better, because an > exploit somewhere in the large kernel API bypasses SELinux. > > Dan Walsh's two replies are much more nuanced than you understand. > > Rich. > > Yes in the hierarchy of Security, I would say. VM Wrapped with Svirt (SELinux), running a Container wrapped with SELinux, running mock... VM Wrapped with Svirt (SELinux), running mock wrapped with SELinux Container wrapped Selinux running mock Mock wrapped with SELinux Chroot root access. As many layers as you can get away with and still perform ok. If we can get VMs to start and -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlIqMs4ACgkQrlYvE4MpobNd2wCgr4wQ1yQDeTI1rUekHUeO+SId g3IAoN41bAHraRDyurIAxkkJXmWjkKlB =laGL -----END PGP SIGNATURE----- -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct