
I'm trying to run SELinux on 16.04, and what I found is that the cost of getting SELinux is losing AppArmor (100% expected), together with snap and lxd (which is what I want to ask about):

root@xenial-beta3-7299:/etc/udev/rules.d/70-persistent-net.rules# apt-get install selinux
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  python3-apparmor python3-libapparmor
Use 'apt autoremove' to remove them.
The following additional packages will be installed:
  checkpolicy libapol4 libqpol1 policycoreutils python-ipy python-selinux python-semanage python-sepolgen python-sepolicy
  python-setools selinux-utils
Suggested packages:
  selinux-policy-dev
Recommended packages:
  python-audit selinux-policy-default selinux-policy-dev selinux-policy-ubuntu | selinux-policy

The following packages will be REMOVED:
  apparmor apparmor-utils liblxc1 lxc-common lxd snap-confine snapd ubuntu-core-launcher

The following NEW packages will be installed:
  checkpolicy libapol4 libqpol1 policycoreutils python-ipy python-selinux python-semanage python-sepolgen python-sepolicy
  python-setools selinux selinux-utils

I know that SELinux support in Ubuntu is a bit in question; see https://wiki.ubuntu.com/SELinux

But I just want to understand a bit more about it, if anybody has more insight. My use case is very typical: Docker + Kubernetes on 16.04, and trying to do SELinux.

Xin Ma

1 Answer

AppArmor is a big part of snapd's confinement story, and thus is a hard dependency (by way of ubuntu-core-launcher/snap-confine). There are ongoing discussions for SELinux support as an alternative (mostly to enable other distributions, but might also help in this situation).

lxc/lxd is likely running into the same issue (its containers are typically confined).

kyrofa