COPR

Daniel J Walsh dwalsh at redhat.com
Fri Sep 6 19:53:50 UTC 2013



On 09/06/2013 03:38 PM, Richard W.M. Jones wrote:
> On Fri, Sep 06, 2013 at 09:10:24PM +0200, 80 wrote:
>> No, it's less secure than kvm but it still provides better isolation than
>> a mere chroot.
> 
> It doesn't matter if it's more secure than a chroot, because that's not
> what we're talking about.  This is about whether you want 
> random-person-off-the-internet to upload any software they like and run it
> on your server, and you *do not* want to do that with either a chroot or a
> Linux container [even if OpenShift got away with it].
> 
> And ...
> 
>> Secure containers as dwalsh described is a worthy improvement.
> 
> ... SELinux labels will not make that situation any better, because an 
> exploit somewhere in the large kernel API bypasses SELinux.
> 
> Dan Walsh's two replies are much more nuanced than you understand.
> 
> Rich.
> 
> 
Yes, in the hierarchy of security, I would say:

VM wrapped with sVirt (SELinux), running a container wrapped with SELinux,
running mock...
VM wrapped with sVirt (SELinux), running mock wrapped with SELinux
Container wrapped with SELinux, running mock
Mock wrapped with SELinux
Chroot
Root access.

As many layers as you can get away with and still perform ok.  If we can get
VMs to start and

