[Lxc-users] Security in LXC

Shweta Shinde shwetasshinde24 at gmail.com
Wed Feb 1 05:28:43 UTC 2012

Thanks for your kind response.
As we see Ubuntu is making use of LXC to have virtualization over cloud,
to know any insights about the same.
Is LSM required compulsorily, or can we have some workaround to overcome
/proc issue by limiting the capabilities of containers?


On Tue, Jan 31, 2012 at 6:44 PM, Fiedler Roman <Roman.Fiedler at ait.ac.at>wrote:

> > Von: Shweta Shinde [mailto:shwetasshinde24 at gmail.com]
> > Gesendet: Dienstag, 31. Januar 2012 13:09
> > An: lxc-users at lists.sourceforge.net
> > Betreff: [Lxc-users] Security in LXC
> >
> > Hi everyone,
> > I am working on LXC containers for my project. I am interested in the
> security aspects of LXC.
> > What are the security threats from isolation perspective while using
> containers?
> >
> > How can we use SELinux to secure container?
> > Any information will be very helpful.
> To my understanding, lxc without LSM is only useful to separate processes
> or network traffic for simpler setup/administration, but currently the
> lxc-separation is not very strict from security point of view. Without LSM
> and lxc system virtualization, guest root == host root, e.g. via access of
> /proc/kcore, mem, ...
> See
> http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg03039.html
> Since I'm not sure, that I could harden a LSM policy, that prevents a
> guest UID=0 process from accessing anything outside the container (there
> may be a thousand ways via proc and syscalls, I don't know about), I
> refrained from using lxc for system virtualization until secure open-source
> policies are available.
> Kind regards,
> Roman
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20120201/3cdd9a1b/attachment.html>

More information about the lxc-users mailing list