[Linz-pm] Back in business!

Stefan Seifert nine at detonation.org
Thu Mar 5 03:26:26 PST 2015


On Wednesday 04 March 2015 23:27:23 Markus Zimmermann wrote:
> I'll just post this here as is ;-)
> 
> http://stopdisablingselinux.com/

Yesterday we talked about this, and just now I came across the following via lwn.net:

Daniel J Walsh dwalsh at redhat.com 
On 03/02/2015 10:03 AM, Mauricio Tavares wrote:
> On Mon, Mar 2, 2015 at 9:42 AM, Lennart Poettering <mzerqung at 0pointer.de> wrote:
>> That said, containers on Linux are not really about security, the
>> whole thing has more holes than a swiss cheese. Maybe one day the
>> security holes can be fixed, but as of now, it's simply not
>> secure. And this "information leak" is certainly the least of your
>> problems...
>>
> What would then be the recommended solution if containers are insecure?
Well, we are trying to fix this, but as Lennart says, there are many
holes in the strategy at this point. I am working on a presentation that
talks about different levels of security. As soon as you get to
virtualization you get less security.

I would say running each service on an individual machine is the most
secure. Running each service on a separate VM is the second most,
especially if you are using SELinux/sVirt for separation of your VMs.
Third level is running each service in a different container (again, you
want SELinux for some separation).
Fourth is each service running on the host (wrapped with SELinux).
Fifth is setenforce 0.

>> Lennart
