Re: [tlug] Dealing with software with wide attack surface
- Date: Mon, 06 Sep 2021 12:48:49 +0900
- From: "Stephen J. Turnbull" <stephenjturnbull@example.com>
- Subject: Re: [tlug] Dealing with software with wide attack surface
- References: <YStKvqyGInEr41MI@fluxcoil.net> <YSqPWwgCXPdJ6zaU@cobalt> <YSoy60UpAmmK5fyo@fluxcoil.net> <YSulkCYXc7H7bPlL@telephonic.cynic.net> <YTSahklJylI5ZB0p@fluxcoil.net> <YTUEceDJXX6Xik97@telephonic.cynic.net>
Curt J. Sampson writes:

> > "don't advertise containers for security" or something along the
> > lines is just a generic theme I got from discussions with colleagues.
>
> Well, I would say that's wrong.

I agree. Containers don't give as good isolation as a VM, which doesn't give as good isolation as dedicated hardware, which doesn't give as good isolation as an air gap with epoxy in every hole except the power socket, which doesn't give as good security as replacing your system with a cinderblock. But containers give better isolation than processes, which give better isolation than threads, which give no isolation at all. I think I got both extremes, there. :-)

Isolation != security, but it helps.

> > Sounded like the security benefit is assumed to be above zero, but
> > not as big as from i.e. SELinux with properly written policies.
>
> That's absolutely, unequivocally *dead* wrong, in my experience.

I don't have the experience, but I can offer the data point that SELinux is a current pain point for Fedora (where it is on by default, I gather). The problem is that the maintainers don't know how to write SELinux policies for their packages, and the SELinux people in Fedora don't have the package knowledge to write them either, though they try to help.
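An added check, not from the thread or either poster, that shows which of the isolation layers discussed above actually apply to a running process on Linux: namespaces separate from PID 1 (container-level), seccomp, capability bounding set and no_new_privs (process-level), and whether SELinux is enforcing. It assumes the standard /proc and /sys/fs/selinux paths and prints "unknown" or "absent" where they cannot be read.

```shell
#!/bin/sh
# Report the kernel isolation mechanisms in effect for a process (default: self).
# Reads only /proc and /sys; never changes anything. Linux only.

isolation_report() {
    pid="${1:-self}"
    status="/proc/$pid/status"
    # Seccomp mode: 0 = disabled, 1 = strict, 2 = filter.
    seccomp=$(awk '/^Seccomp:/ {print $2}' "$status" 2>/dev/null || true)
    # Capability bounding set; all 'f' digits means nothing has been dropped.
    capbnd=$(awk '/^CapBnd:/ {print $2}' "$status" 2>/dev/null || true)
    # NoNewPrivs=1 means setuid/file-capability escalation is blocked.
    nnp=$(awk '/^NoNewPrivs:/ {print $2}' "$status" 2>/dev/null || true)

    # Count namespaces that differ from PID 1's. 0 means the process shares
    # the host view (plain process isolation); >0 is container-style isolation.
    # readlink on PID 1's namespaces needs ptrace access, so failures are skipped.
    differing=0
    for ns in pid mnt net ipc uts user; do
        mine=$(readlink "/proc/$pid/ns/$ns" 2>/dev/null || true)
        init=$(readlink "/proc/1/ns/$ns" 2>/dev/null || true)
        if [ -n "$mine" ] && [ -n "$init" ] && [ "$mine" != "$init" ]; then
            differing=$((differing + 1))
        fi
    done

    # SELinux state: 1 = enforcing, 0 = permissive, absent = not loaded.
    if [ -r /sys/fs/selinux/enforce ]; then
        selinux=$(cat /sys/fs/selinux/enforce)
    else
        selinux=absent
    fi

    printf 'seccomp=%s capbnd=%s nonewprivs=%s own_namespaces=%s selinux=%s\n' \
        "${seccomp:-unknown}" "${capbnd:-unknown}" "${nnp:-unknown}" \
        "$differing" "$selinux"
}

isolation_report "$@"
```

Run it inside a container and on the host and compare: the namespace count is what the container adds, while seccomp, capabilities and SELinux are the per-process and MAC layers that can apply in either place.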
References:
- Re: [tlug] Dealing with software with wide attack surface (From: Christian Horn)
- Re: [tlug] Dealing with software with wide attack surface (From: Curt J. Sampson)