On 6/27/19 4:16 PM, James Morris wrote:
> On Thu, 27 Jun 2019, John Johansen wrote:
>
>> I have more test combinations churning but figure I could report what I have so far
>
> Do you have any way to test the nested scenario of say an AppArmor host
> with SELinux running in containers?
>

No, an selinux container doesn't really work atm. The issue is to do with namespacing. I can boot an AppArmor host with selinux enabled, but the container loading selinux policy gets interesting, and without namespacing the container policy affects the host.

It is of course possible to label the system such that you can sort of make it work, but it isn't really practical. I have played with the selinuxns branch trying to get this to work, but I ran into some issues I couldn't resolve. However, it has been five months since I tried that, so I can look at it again.

The AppArmor container on an selinux host case is easier, partly because of how policy is applied, partly because namespacing of its policy is already supported upstream, and partly because I just know it better. I do have plans to test the apparmor container on selinux, but I haven't gotten that far and am planning on waiting for this one until Casey kicks out v5.