Daniel J Walsh
dwalsh at redhat.com
Fri Sep 6 19:53:50 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
On 09/06/2013 03:38 PM, Richard W.M. Jones wrote:
> On Fri, Sep 06, 2013 at 09:10:24PM +0200, 80 wrote:
>> No, it's less secure than kvm but it still provides better isolation than
>> a mere chroot.
> It doesn't matter if it's more secure than a chroot, because that's not
> what we're talking about. This is about whether you want
> random-person-off-the-internet to upload any software they like and run it
> on your server, and you *do not* want to do that with either a chroot or a
> Linux container [even if OpenShift got away with it].
> And ...
>> Secure containers as dwalsh described is a worthy improvement.
> ... SELinux labels will not make that situation any better, because an
> exploit somewhere in the large kernel API bypasses SELinux.
> Dan Walsh's two replies are much more nuanced than you understand.
Yes in the hierarchy of Security, I would say.
VM Wrapped with Svirt (SELinux), running a Container wrapped with SELinux,
VM Wrapped with Svirt (SELinux), running mock wrapped with SELinux
Container wrapped Selinux running mock
Mock wrapped with SELinux
As many layers as you can get away with and still perform ok. If we can get
VMs to start and
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
More information about the devel