| Re: Why is SELinux incompatible with OpenVZ? [message #41378 is a reply to message #41372] |
Wed, 12 January 2011 16:48  |
cwebster
Messages: 2
Registered: January 2011
|
Junior Member |
|
|
Forgive me if this reply gets posted more than once. My first [Submit Reply] did not seem to post anything but a rather vague message told me to "check my inbox for instructions". After 10 min. without an email I resubmitted this reply:
thewanderer wrote on Tue, 11 January 2011 16:26OpenVZ introduces many hacks to the kernel. If you read the code, you'll know what this is about.
Thank you. I will look at the source. I just found it odd that there is no mention of this in docs or on the forum, only that it must be disabled. With network/system security being such a vital part of any connected system these days I'm surprised that this project has not found a way to work within SELinux constraints. Maybe it will be more clear to me after looking at the OpenVZ source, but it seems to me someone should be able to develop a policy module allowing it to function without breaking security.
Quote:However, Linux Containers are compatible with SELinux. I'd suggest trying that - you do not have to use OpenVZ for separation when you secure LXC with SELinux (as described in an IBM tutorial: search the web for "secure linux containers cookbook"), and you make it available for the host as well.
I would not recommend running LXC without SELinux-secured containers, though - it's too easy to break out with CAP_SYS_ADMIN and init seems to need it on most distros.
Thank you for your candor and the excellent suggestion and reference. I am reading through the "Secure Linux containers cookbook" now. This sounds like it will meet our development and security requirements better than OpenVZ.
Now that I'm aware of OpenVZ, however, I will feel compelled to revisit this question later. I find it difficult to tolerate unsolved mysteries.
Many thanks! 
Cal Webster
|
|
|
|
OpenVZ Forum
Members
Search
Help
Register
Login
Home
