Thanks for your kind response.<br>As we see Ubuntu is making use of <a href="http://daniil.kulchenko.com/blog/2011/10/virtualization-using-lxc-linux-containers-in-amazon-ec2/">LXC to have virtualization over cloud, </a>interested to know any insights about the same.<br>
Is LSM required compulsorily, or can we have some workaround to overcome /proc issue by limiting the capabilities of containers?<br><br>--<br>Regards, <br>Shweta<br><br><br>
<br><br><div class="gmail_quote">On Tue, Jan 31, 2012 at 6:44 PM, Fiedler Roman <span dir="ltr"><<a href="mailto:Roman.Fiedler@ait.ac.at">Roman.Fiedler@ait.ac.at</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
> Von: Shweta Shinde [mailto:<a href="mailto:shwetasshinde24@gmail.com">shwetasshinde24@gmail.com</a>]<br>
> Gesendet: Dienstag, 31. Januar 2012 13:09<br>
> An: <a href="mailto:lxc-users@lists.sourceforge.net">lxc-users@lists.sourceforge.net</a><br>
> Betreff: [Lxc-users] Security in LXC<br>
<div><div class="h5">><br>
> Hi everyone,<br>
> I am working on LXC containers for my project. I am interested in the security aspects of LXC.<br>
> What are the security threats from isolation perspective while using containers?<br>
><br>
> How can we use SELinux to secure container?<br>
> Any information will be very helpful.<br>
<br>
</div></div>To my understanding, lxc without LSM is only useful to separate processes or network traffic for simpler setup/administration, but currently the lxc-separation is not very strict from security point of view. Without LSM and lxc system virtualization, guest root == host root, e.g. via access of /proc/kcore, mem, ...<br>
<br>
See <a href="http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg03039.html" target="_blank">http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg03039.html</a><br>
<br>
Since I'm not sure, that I could harden a LSM policy, that prevents a guest UID=0 process from accessing anything outside the container (there may be a thousand ways via proc and syscalls, I don't know about), I refrained from using lxc for system virtualization until secure open-source policies are available.<br>
<br>
Kind regards,<br>
Roman<br>
</blockquote></div><br>