SELinux vs AppArmor for sandboxing local AI tools - which is less painful?

@container_sec_guy (Eminent Member, joined 1 week ago, 15 posts), topic starter
  [#451]

I've been experimenting with several local LLMs and image generators, deploying them as isolated containers on a shared dev server. The goal is to allow team members to run these tools without granting them undue privileges or risking lateral movement. While we use rootless Podman and a gVisor-sandboxed runtime for primary isolation, I wanted to add a mandatory access control (MAC) layer for defense-in-depth.

The natural contenders are SELinux and AppArmor. From a container-security perspective, both can be used to confine Docker/Podman engines and their workloads. However, "less painful" is the operative term here, especially for a heterogeneous setup where tools might need varying hardware access (GPU, etc.).

My current assessment:

**SELinux**
* **Pros**: Granular, mature, and default on RHEL/Fedora systems. Works well with `container-selinux` policies. Fine-grained control over processes, files, and networking.
* **Cons**: Steeper learning curve. Contexts must be managed carefully. Debugging denial logs (`ausearch`) can be opaque. Writing custom policies is non-trivial.

**AppArmor**
* **Pros**: More approachable with path-based rules. Easier to generate a baseline policy via `aa-genprof`. Commonly used with Docker's `--security-opt apparmor_profile`.
* **Cons**: Less granular on process transitions. Somewhat fragmented distribution support (not default on RHEL).

For a sandbox focusing on AI tools, which often require bind mounts for models and unusual device access, I'm leaning towards AppArmor for quicker iteration. A sample AppArmor profile for a `llama.cpp` container might start as:

```
#include <tunables/global>

profile llama-container flags=(attach_disconnected,mediate_deleted) {
  # Base abstraction: libc, locale files, /dev/null and similar essentials
  #include <abstractions/base>

  # Deny writes into kernel interfaces by default
  deny /proc/** w,
  deny /sys/** w,

  # Allow the inference binaries to run (r = read, m = mmap exec, ix = inherit profile)
  /usr/local/bin/llama/** rmix,
  # Model weights are read-only
  /models/** r,

  # Allow only the specific GPU render node
  /dev/dri/renderD128 rw,

  # Network (if needed)
  network inet tcp,
}
```

But I'm concerned this might be insufficient in the long run. Has anyone here implemented a MAC layer for similar local AI workloads? Did you find the verbosity of SELinux worth the perceived robustness, or did AppArmor's simplicity win out for practical deployment?
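One of the pain points raised above is reading denial logs. The following is an added example (not the poster's code) that parses both AppArmor `apparmor="DENIED"` records and SELinux `avc: denied` records from audit log text, counts distinct denials and prints the candidate rule that would permit each one, so the two backends can be triaged side by side. The sample records in `SAMPLE_LOG` are constructed; the profile name, paths and SELinux contexts are illustrative, and the function names (`parse_line`, `suggest_rule`, `triage`) are this example's own.

```python
"""Triage AppArmor and SELinux denial records from audit log text.

Added example, not code from the forum post. The sample records below are
constructed; the paths, profile name and SELinux contexts are illustrative.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# key=value tokens: values are either double-quoted (may contain spaces) or bare
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# SELinux AVC record body: avc:  denied  { read write } for  pid=... comm=...
_AVC = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')


@dataclass(frozen=True)
class Denial:
    backend: str          # "apparmor" or "selinux"
    subject: str          # AppArmor profile name or SELinux source type
    comm: str             # process name from the record
    target: str           # file path, or "family/sock_type" for sockets
    perms: tuple          # denied permissions, sorted
    tclass: str = ""      # SELinux object class (empty for AppArmor)
    ttype: str = ""       # SELinux target type (empty for AppArmor)


def _fields(text: str) -> dict:
    """Split key=value tokens into a dict, stripping quotes from values."""
    out = {}
    for key, val in _KV.findall(text):
        out[key] = val[1:-1] if val.startswith('"') else val
    return out


def parse_line(line: str) -> Optional[Denial]:
    """Return a Denial for an AppArmor DENIED or SELinux AVC denied record, else None."""
    m = _AVC.search(line)
    if m:
        perms = tuple(sorted(m.group(1).split()))
        f = _fields(m.group(2))
        # contexts are user:role:type:level; only the type matters for a rule
        stype = f.get("scontext", "?:?:?").split(":")[2]
        ttype = f.get("tcontext", "?:?:?").split(":")[2]
        target = f.get("name") or f.get("path") or f.get("tclass", "?")
        return Denial("selinux", stype, f.get("comm", "?"), target, perms,
                      f.get("tclass", "?"), ttype)

    f = _fields(line)
    if f.get("apparmor") != "DENIED":
        return None  # ALLOWED (complain mode), STATUS, or not an AppArmor record
    mask = f.get("denied_mask") or f.get("requested_mask", "")
    if "name" in f:
        # file access: the mask is a string of single-letter perms such as "rw"
        return Denial("apparmor", f.get("profile", "?"), f.get("comm", "?"),
                      f["name"], tuple(sorted(mask)))
    # socket access: the mask is a word such as "create" or "connect"
    target = f"{f.get('family', '?')}/{f.get('sock_type', '?')}"
    return Denial("apparmor", f.get("profile", "?"), f.get("comm", "?"),
                  target, (mask,))


def suggest_rule(d: Denial) -> str:
    """Candidate rule that would permit this access, as a starting point for
    review only: a denied write under /proc or /sys is usually the profile
    working as intended and should stay denied."""
    if d.backend == "selinux":
        return f"allow {d.subject} {d.ttype}:{d.tclass} {{ {' '.join(d.perms)} }};"
    if d.target.startswith("/"):
        return f"{d.target} {''.join(d.perms)},"
    family, sock_type = d.target.split("/", 1)
    return f"network {family} {sock_type},"


def triage(log_text: str) -> list:
    """Count distinct denials; return (backend, subject, rule, count) tuples,
    most frequent first, for a human to review."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_line(line)
        if d is not None:
            counts[(d.backend, d.subject, suggest_rule(d))] += 1
    return sorted(((b, s, r, n) for (b, s, r), n in counts.items()),
                  key=lambda t: (-t[3], t[0], t[2]))


# Constructed sample: two identical AppArmor file denials, one AppArmor socket
# denial, one complain-mode ALLOWED record, one SELinux AVC denial, one STATUS record.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.123:456): apparmor="DENIED" operation="open" profile="llama-container" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=12345 comm="llama-server" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.150:457): apparmor="DENIED" operation="open" profile="llama-container" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=12345 comm="llama-server" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.200:458): apparmor="DENIED" operation="create" profile="llama-container" pid=12345 comm="llama-server" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1700000000.250:459): apparmor="ALLOWED" operation="open" profile="llama-container" name="/models/example.gguf" pid=12345 comm="llama-server" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000001.456:789): avc:  denied  { read write } for  pid=2345 comm="llama-server" name="renderD128" dev="devtmpfs" ino=123 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1700000002.000:790): apparmor="STATUS" operation="profile_load" profile="unconfined" name="llama-container" pid=1 comm="apparmor_parser"
"""

if __name__ == "__main__":
    for backend, subject, rule, n in triage(SAMPLE_LOG):
        print(f"{n:3d}x {backend:8s} {subject:16s} {rule}")
```

Run it against `ausearch -m AVC -ts recent` output (or the kernel log on an AppArmor host) instead of `SAMPLE_LOG` to get the same grouped view. The point of grouping by suggested rule is to separate the handful of accesses the workload genuinely needs (here the GPU node and an IPv6 socket) from denials the profile should keep enforcing, which is the decision neither `aa-genprof` nor `audit2allow` will make for you.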
