I researched how containers, virtual machines (VMs), and processes, in general, are separated by different technologies—namely, AppArmor and SELinux. My goal was to compare these solutions for isolation/separation capabilities in the cloud world.
Just as a reminder, Red Hat Enterprise Linux uses SELinux technology to separate processes, containers, and VMs. OpenShift also uses this technology.
The first option is an isolation technology called AppArmor, which is a very similar technology to SELinux. However, it is not label-based. AppArmor security profiles, which are equivalent to SELinux security policies, look more user-friendly, but that’s because AppArmor is less complicated and controls fewer operations.
Both SELinux and AppArmor supports the Type Enforcement security model, which is a type of mandatory access control, based on rules where subjects (processes or users) are allowed to access objects (files, directories, sockets, etc.). However, what AppArmor doesn’t have is Multi-Level Security (MLS) and Multi-Category Security (MCS). This means that AppArmor usage in environments requiring MLS is very difficult, if not impossible.
MLS/MCS capabilities is a big difference between AppArmor and SELinux. With AppArmor, it’s not possible to keep separation between containers. AppArmor separates containers from the host, but the default container policy is very loose and needs to be improved to prevent access to the entire host filesystem. Separation between each container is not possible because AppArmor does not support MCS. SELinux, by default, separates containers from each other and also from the host filesystem. Kata containers could be another solution and a better choice in the cloud for container separation.
The second option is to use virtual machines (VMs) to isolate containers. This approach is accomplished by putting container pods inside of VMs. This brings significant overhead to the cloud infrastructure. With SELinux, it’s possible to isolate pods without the need to use VMs.
You can even generate a specific SELinux policy for custom containers via the udica tool.
The following table summarizes differences between SELinux and AppArmor technologies:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* SELinux has tooling to do it (audit2allow), rather than a single wrapper
like AppArmor has.
To summarize, SELinux is a more complex technology that controls more operations on a system and separates containers by default. This level of control is not possible with AppArmor because it lacks MCS. In addition, not having MLS means that AppArmor cannot be used in highly secure environments.
References:
[1] https://www.redhat.com/en/topics/linux/what-is-selinux
[3] https://selinuxproject.org/page/NB_TE
[4] https://selinuxproject.org/page/NB_MLS
[5] https://katacontainers.io/
[6] https://github.com/containers/udica
[ Getting started with containers? Check out this free course. Deploying containerized applications: A technical overview. ]
執筆者紹介
Lukas is a Senior Principal Software Engineer and Security Expert at Red Hat, where he also serves as a Product Owner for Security Engineering. In this role, he leads the strategic development of key subsystems, focusing on process and user/container separation, attestation and application allow-listing. Lukas is dedicated to implementing robust security features across Red Hat’s product offerings, overseeing the SELinux and Security Special Projects engineering teams. He collaborates closely with Product Marketing, Product Management, and Sales to enhance the business value and customer experience of security technologies.
チャンネル別に見る
自動化
テクノロジー、チームおよび環境に関する IT 自動化の最新情報
AI (人工知能)
お客様が AI ワークロードをどこでも自由に実行することを可能にするプラットフォームについてのアップデート
オープン・ハイブリッドクラウド
ハイブリッドクラウドで柔軟に未来を築く方法をご確認ください。
セキュリティ
環境やテクノロジー全体に及ぶリスクを軽減する方法に関する最新情報
エッジコンピューティング
エッジでの運用を単純化するプラットフォームのアップデート
インフラストラクチャ
世界有数のエンタープライズ向け Linux プラットフォームの最新情報
アプリケーション
アプリケーションの最も困難な課題に対する Red Hat ソリューションの詳細
仮想化
オンプレミスまたは複数クラウドでのワークロードに対応するエンタープライズ仮想化の将来についてご覧ください
