On Sat, Apr 10, Michael Ströder wrote:
BTW: It should not be possible to break out from a podman container even without using SELinux or AppArmor. If it is "crazy simple to break out of a Podman container" then podman is not the right tool for anything serious before podman's devs did their homework.
Like you can trivial break out of a chroot environment, you can also break out of a container. In some cases this is even "wanted", else some things would not possible.
About SELinux vs AppArmor in a very, very simplified way: AppArmor is path based, but the path inside a contianer is identical to the one outside. So if you can access a file inside the container, you can also access it outside. SELinux uses labels: normally containers use different labels then the host system. So if you escape a container, you cannot do anything, as you have no permissions for the labels of the host system.
Thorsten