I researched how containers, virtual machines (VMs), and processes in general are separated by different technologies, namely AppArmor and SELinux. My goal was to compare the isolation and separation capabilities of these solutions in the cloud.
As a reminder, Red Hat Enterprise Linux uses SELinux to separate processes, containers, and VMs. OpenShift uses the same technology.
The first option is AppArmor, an isolation technology that is broadly similar to SELinux but path-based rather than label-based: it identifies the files a profile covers by their pathname instead of by a security label stored with the file. AppArmor security profiles, the equivalent of SELinux policy modules, look more user-friendly, but that is largely because AppArmor is less complex and mediates fewer operations.
Both SELinux and AppArmor support the Type Enforcement security model, a form of mandatory access control in which rules state which subjects (processes or users) may access which objects (files, directories, sockets, and so on). What AppArmor lacks is Multi-Level Security (MLS) and Multi-Category Security (MCS). This makes AppArmor very difficult, if not impossible, to use in environments that require MLS.
MLS/MCS support is the big difference between AppArmor and SELinux. With AppArmor, separation between containers is not available out of the box. AppArmor separates containers from the host, but the default container profile is loose and must be tightened to prevent access to the entire host filesystem, and because AppArmor has no MCS there is no per-container label that keeps one container out of another's files. SELinux, by default, separates containers both from each other and from the host filesystem: each container process runs as container_t with its own pair of MCS categories, and the container's files are labeled container_file_t with the same pair, so a process in one container does not dominate the files of another. Kata Containers could be another solution, and a better choice in the cloud for container separation.
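The per-container separation described above rests on the MCS dominance check: a subject may touch an object only if the object's categories are a subset of the subject's. The following model is an added example, not code from the original article, from SELinux, or from container-selinux. Its labels are constructed to look like what `ps -eZ` and `ls -Z` print on a RHEL host, its type-enforcement table is a tiny stand-in for the real policy, and it uses the simplified MCS rule with the sensitivity fixed at s0; the `:z` shared-volume label without categories is the usual podman convention and is assumed here.

```python
# Added example: a small model of the SELinux MCS check that keeps containers
# apart. Not code from the original article, SELinux or container-selinux.
# The TE table below is a constructed stand-in; the MCS rule is the simplified
# "subject categories must dominate object categories" form at sensitivity s0.
import re
from dataclasses import dataclass

CAT_RANGE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def parse_categories(spec: str) -> frozenset[int]:
    """Expand an MCS category string ('c12,c34', 'c0.c1023', '') into a set."""
    cats: set[int] = set()
    for part in filter(None, spec.split(",")):
        m = CAT_RANGE.match(part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo or hi > 1023:
            raise ValueError(f"bad category range: {part!r}")
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    cats: frozenset[int]  # categories of the high level of the MLS range

    @classmethod
    def parse(cls, label: str) -> "Context":
        """Parse 'user:role:type:level' or 'user:role:type:low-high'."""
        user, role, type_, mls = label.split(":", 3)
        high = mls.split("-")[-1]  # 's0' or 's0:c12,c34'
        sens, _, catspec = high.partition(":")
        if sens != "s0":
            raise ValueError(f"only sensitivity s0 is modelled, got {sens!r}")
        return cls(user, role, type_, parse_categories(catspec))


# Constructed stand-in for type-enforcement rules: (subject type, object type).
TE_ALLOW = {
    ("container_t", "container_file_t"): frozenset({"read", "write"}),
    ("unconfined_t", "*"): frozenset({"read", "write"}),
}


def te_allows(subj: Context, obj: Context, perm: str) -> bool:
    for key in ((subj.type, obj.type), (subj.type, "*")):
        if perm in TE_ALLOW.get(key, frozenset()):
            return True
    return False


def check_access(subj: Context, obj: Context, perm: str) -> tuple[bool, str]:
    """Return (allowed, reason): TE is evaluated first, then the MCS constraint."""
    if not te_allows(subj, obj, perm):
        return False, f"type enforcement: no {perm} from {subj.type} to {obj.type}"
    if not obj.cats <= subj.cats:
        missing = sorted(obj.cats - subj.cats)
        return False, f"MCS: subject lacks categories {missing}"
    return True, "allowed"


def demo() -> dict[str, bool]:
    """Two containers with distinct category pairs, a shared volume, a host file."""
    container_a = Context.parse("system_u:system_r:container_t:s0:c12,c34")
    container_b = Context.parse("system_u:system_r:container_t:s0:c56,c78")
    file_a = Context.parse("system_u:object_r:container_file_t:s0:c12,c34")
    file_b = Context.parse("system_u:object_r:container_file_t:s0:c56,c78")
    shared = Context.parse("system_u:object_r:container_file_t:s0")  # volume mounted with :z
    shadow = Context.parse("system_u:object_r:shadow_t:s0")  # /etc/shadow on the host
    admin = Context.parse("unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
    results = {
        "a reads own file": check_access(container_a, file_a, "read")[0],
        "a reads b's file": check_access(container_a, file_b, "read")[0],
        "b reads a's file": check_access(container_b, file_a, "read")[0],
        "a reads shared volume": check_access(container_a, shared, "read")[0],
        "a reads host /etc/shadow": check_access(container_a, shadow, "read")[0],
        "admin reads a's file": check_access(admin, file_a, "read")[0],
    }
    for name, ok in results.items():
        print(f"{name:26s} {'allowed' if ok else 'denied'}")
    return results


if __name__ == "__main__":
    demo()
```

Two things fall out of the model. A container is denied another container's files by MCS even though both are `container_t` accessing `container_file_t`, which is exactly what AppArmor's single default profile cannot express. And a file labeled with no categories (the shared `:z` volume) is dominated by every container, which is why a volume meant for one container should be mounted with `:Z`, giving it that container's own category pair.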
The second option is to isolate containers with VMs, that is, to run container pods inside VMs, which is what Kata Containers does. This adds significant overhead to the cloud infrastructure. With SELinux, pods can be isolated from each other without VMs.
You can even generate a tailored SELinux policy for a custom container with the udica tool: it reads the container's `podman inspect` output, produces a CIL policy module built from udica's templates, and the generated type is then applied to the container with `--security-opt label=type:<name>.process`.
The following table summarizes differences between SELinux and AppArmor technologies:
* SELinux has tooling to do it (audit2allow), rather than a single wrapper like AppArmor has.
To summarize, SELinux is the more complex technology: it controls more operations on the system and separates containers from each other by default. This level of control is not possible with AppArmor because it lacks MCS, and without MLS, AppArmor cannot be used in environments that require multi-level security.
References:
[1] https://www.redhat.com/en/topics/linux/what-is-selinux
[3] https://selinuxproject.org/page/NB_TE
[4] https://selinuxproject.org/page/NB_MLS
[5] https://katacontainers.io/
[6] https://github.com/containers/udica
About the author
Lukas is a Senior Principal Software Engineer and Security Expert at Red Hat, where he also serves as a Product Owner for Security Engineering. In this role, he leads the strategic development of key subsystems, focusing on process and user/container separation, attestation and application allow-listing. Lukas is dedicated to implementing robust security features across Red Hat’s product offerings, overseeing the SELinux and Security Special Projects engineering teams. He collaborates closely with Product Marketing, Product Management, and Sales to enhance the business value and customer experience of security technologies.