[Bug 876968] Re: host Apparmor rules are applied to guests in spite of guests loading new rules

2012-02-01 Thread Serge Hallyn
This is fixed in precise, as containers now start in their own domain which will not transition further (i.e. to libvirtd). ** Changed in: lxc (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscrib

[Bug 876968] Re: host Apparmor rules are applied to guests in spite of guests loading new rules

2011-10-18 Thread Serge Hallyn
** Changed in: lxc (Ubuntu) Status: New => Confirmed

[Bug 876968] Re: host Apparmor rules are applied to guests in spite of guests loading new rules

2011-10-18 Thread John Johansen
>> 1. If the guest is to have its own policy, then the host needs to create >> a new policy namespace, and then it needs to transition the guest to the >> new namespace. Guest policy will then be loaded into the new namespace, >> and will not generally* conflict with system policy. > > That's great

Re: [Bug 876968] Re: host Apparmor rules are applied to guests in spite of guests loading new rules

2011-10-18 Thread Serge Hallyn
Quoting John Johansen (john.johan...@canonical.com): > Well I won't agree the guest shouldn't have its own policy (it depends > on your use case), but I do agree the host should be able to set a > domain to protect itself from the guest, but until AppArmor supports > policy stacking the solution i

[Bug 876968] Re: host Apparmor rules are applied to guests in spite of guests loading new rules

2011-10-18 Thread John Johansen
Well I won't agree the guest shouldn't have its own policy (it depends on your use case), but I do agree the host should be able to set a domain to protect itself from the guest, but until AppArmor supports policy stacking the solution is either or. The solution depends on what confinement is sou

[Bug 876968] Re: host Apparmor rules are applied to guests in spite of guests loading new rules

2011-10-17 Thread Serge Hallyn
Apparmor is MAC - in my opinion it's not valid to have a container guest specify its own policy. However, the container should be entering a domain which protects the host from the container, and in which executing any programs does not cause more domain transitions (unless specified by the containe

[Bug 876968] Re: host Apparmor rules are applied to guests in spite of guests loading new rules

2011-10-17 Thread Serge Hallyn
Assigning to jjohansen just to toss him a warning that I'm looking to talk to him at UDS :) Setting to medium priority because while 'a guest loading new rules' is invalid, host apparmor rules for daemons in the guest should not be applied.

[Bug 876968] Re: host Apparmor rules are applied to guests in spite of guests loading new rules

2011-10-17 Thread Clint Byrum
-- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/876968 Title: host Apparmor rules are applied to guests in spite of guests loading new rules To manage notifications about this bug go t