My understanding is that both AppArmor and SELinux implement a Mandatory Access Control (MAC) system that provides an additional security layer of isolation between containers and that Docker comes with default policies for both.
However, SELinux specifically can use Multi Category Security (MCS) to enforce that each individual container on a system can only access the files on the host labeled for that specific container (more details: article, presentation). That is, if two Docker containers A and B are spun up on a single host, the default SELinux security policy that comes with Docker will actually enforce that in the event of a breakout, the Linux process in container A will not be able to access the files belonging to container B. Not only that, but the only way files can be mounted into a container from the host is if the volumes are suffixed with ":Z", thus telling Docker to make sure to add the relevant MCS labels to the files on the host in that path so that the container can access them.
On the contrary, I cannot find any references to a similar mechanism in AppArmor. Instead, Docker's default AppArmor profile seems to primarily be about denying access to specific filesystem paths and host resources, not about denying access between containers.
My question is, if I use Docker's default AppArmor profile, will I get the same effective protection as using SELinux as described above? Will AppArmor block access from one container to another container's files? If yes, how does it accomplish it?
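The MCS separation described in the question, as an added example that is not part of the original post: a simplified Python model of the category check, not kernel or Docker code. The label values are constructed, and the model assumes single-level contexts (no `low-high` ranges) and ignores the separate type-enforcement rules.

```python
# Simplified model of the SELinux MCS check between a container process and a file.
# Added illustration; all labels below are constructed sample values.

def expand_categories(cats):
    """Expand 'c1,c5.c7' into {1, 5, 6, 7}; an empty string means no categories."""
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")          # 'c5.c7' is an inclusive range
        lo_n = int(lo.lstrip("c"))
        hi_n = int(hi.lstrip("c")) if hi else lo_n
        out.update(range(lo_n, hi_n + 1))
    return frozenset(out)

def parse_context(ctx):
    """Split 'user:role:type:sensitivity[:categories]' into its MCS-relevant parts."""
    _user, _role, setype, level = ctx.split(":", 3)
    sens, _, cats = level.partition(":")
    return setype, sens, expand_categories(cats)

def mcs_allows(process_ctx, file_ctx):
    """True when the process's category set dominates (is a superset of) the file's.

    MCS policy uses a single sensitivity (s0), so only the categories differ.
    """
    _, p_sens, p_cats = parse_context(process_ctx)
    _, f_sens, f_cats = parse_context(file_ctx)
    return p_sens == f_sens and p_cats >= f_cats

# Constructed labels: each container gets its own pair of categories, and the
# files relabeled for it (the ":Z" case in the question) carry the same pair.
CONTAINER_A = "system_u:system_r:container_t:s0:c101,c202"
CONTAINER_B = "system_u:system_r:container_t:s0:c303,c404"
FILES_A = "system_u:object_r:container_file_t:s0:c101,c202"
FILES_B = "system_u:object_r:container_file_t:s0:c303,c404"

def access_matrix():
    """Return {(process, files): allowed} for the two constructed containers."""
    procs = {"A": CONTAINER_A, "B": CONTAINER_B}
    files = {"A": FILES_A, "B": FILES_B}
    return {(p, f): mcs_allows(pc, fc)
            for p, pc in procs.items() for f, fc in files.items()}

if __name__ == "__main__":
    for (proc, owner), ok in sorted(access_matrix().items()):
        print(f"container {proc} -> files of {owner}: {'allow' if ok else 'deny'}")
```

Both processes run with the same type (`container_t`), so in this model the only thing separating A from B's files is the category pair.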