Score:0

Can AppArmor provide isolation between containers? (like SELinux)

I'm interested in using AppArmor to enforce security boundaries between containers.

https://www.redhat.com/sysadmin/apparmor-selinux-isolation was written a few years ago comparing AppArmor and SELinux for container security. They make the assertion that "With AppArmor, it’s not possible to keep separation between containers." They claim that because SELinux uses a "Multi-Level Security (MLS) and Multi-Category Security (MCS)" approach, it is able to enforce security boundaries between containers, whereas AppArmor can't.

Is that accurate today?

user535733
Asking us to comment on old Red Hat assertions does not seem like a useful support question. It seems suspicious -- like an attempt to spark a flamewar or otherwise troll. If you are asking about Ubuntu container security, then ask about that in your own words ("*How does Ubuntu container isolation work?*"). There are multiple approaches to container isolation, and the SELinux approach is one valid approach among several.
noisefloor
Is there any specific reason why you want to implement container security yourself instead of relying on the security implementation of the vendor of the container technology? If yes, provide more details by editing on which container technology you intend to use and which details of this technology's default security implementation you intend to improve.
rfm
That article seems to be very concerned with "label based" access controls; that's a particular concern for certain US government agencies, who want to make sure that it's very hard to copy from a Top Secret window and paste into a Secret one. That's a very important thing if you are trying to sell computers to those agencies, but not so much for the rest of us.
Chris Sears
My intent definitely wasn't to troll or start a flamewar. I'm just more familiar with SELinux. I recently made the decision to move away from Red Hat products and I'm trying to get up to speed on AppArmor. In general, I think usability and cognitive load are critical factors for any security technology, and AppArmor is clearly ahead of SELinux in those regards. I'll do some further testing and update this question with more technical specifics.