SELinux All the Way Down: Namespaces for SELinux - Stephen Smalley, National Security Agency

Don't miss out! Join us at the next Open Source Summit in Hyderabad, India (August 5); Amsterdam, Netherland (August 25-29); Seoul, South Korea (November 4-5). Join us at the premier vendor-neutral open source conference, where developers and technologists come together to collaborate, share knowledge, and explore the latest innovations and advancements in open source technology. Learn more at https://events.linuxfoundation.org/ SELinux All the Way Down: Namespaces for SELinux - Stephen Smalley, National Security Agency At present, SELinux only supports defining and enforcing a single system-wide security policy. As a result, for Linux containers, SELinux is generally only used to provide coarse-grained sandboxing and isolation of entire containers, and Linux distributions cannot effectively leverage SELinux from within a container. With the increasing trend toward containerized applications and cloud-native container workloads, there is a growing need for SELinux to better support containers. SELinux namespaces are a proposed feature enhancement that are intended to enable per-container security policies, i.e. each SELinux namespace can load its own policy, while remaining confined by its parent (and other ancestor) policies. SELinux namespaces bring benefits for Linux developers and users by enabling full use of SELinux within containers, whether or not the host OS uses SELinux itself. In this talk we present the background, design, implementation, performance, and residual challenges associated with the work to bring SELinux namespaces to the mainline Linux kernel.