SELinux functionality inside a LXC container


I am currently trying to investigate how SELinux is used from a container perspective. I have a basic setup, in which I have an SELinux-enabled kernel, and I am running a CentOS (which also uses SELinux) LXD container.

What I have noticed so far is that all processes running inside the container have the same kind of SELinux domain set. When I tried writing to the /dev/console device from the LXD container, I got an SELinux denial. From this, what I understood was that SELinux policies were applied to processes inside the container namespace.

The main question I had was: is the functionality of SELinux from a container’s viewpoint just to protect the host from the container, or can we have more granular SELinux control for processes/files inside the container? If the SELinux domains are similar for all processes inside the container, then one policy will apply to all processes. Can we also have multiple domains for different processes that run in the container’s namespace?

Our SELinux knowledge is very limited so we have close to no support for it at present.
liblxc supports some amount of configuration around SELinux, mostly setting up a particular context for the container.

The ability to then further constrain processes inside the container may depend on SELinux namespacing; I have no idea where that work is at the moment though.

We have kernel engineers involved in upstream LSM namespacing and stacking, which should effectively allow for AppArmor-protected containers on an SELinux host as well as, eventually, the reverse: running SELinux-protected containers on AppArmor hosts.
Some of the work done in that regard may allow SELinux-protected containers on SELinux systems to also get their own namespace and be able to further load and apply policy, but as I said, I don’t know exactly where things stand there.

Hi Stephane.

Thanks a lot for your response. What does it mean when we say liblxc has support for setting a particular context for a container? Does it mean that all processes in the container’s namespace would run under the same context?

If we omit security namespaces from the picture for now and let all host policies apply to all processes/files in the container, can we then influence the SELinux contexts of the processes inside the container namespace and write corresponding policies on the host? By influencing the contexts, I mean: is it possible to set the SELinux contexts for all processes in the container namespace such that they are different from the host SELinux contexts, and also have differing contexts for different processes? Through this, if we can load policies, we could potentially gain more granular access control.

Yeah, what liblxc does with that setting is override the current context of the init process as it gets spawned; all child processes will then inherit that.

You should be able to do the container-wide context with the liblxc option. As for then having different contexts on different processes, I’m not sure how that works exactly. Last time we tried making this work properly (with our extremely limited SELinux knowledge) we got stuck in a bit of a filesystem labeling rabbit hole, especially around shared filesystems like proc and sysfs.
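The inheritance behaviour described in this reply (init's context is overridden at spawn and every child inherits it), as an added example that is not part of this thread or of liblxc: a small Python check that walks a process table and lists any descendant of the container's init whose SELinux context differs from init's, which is how you would verify whether a container really runs in one domain or whether policy transitions happen inside it. The process table, pids and context strings below are constructed placeholders (the SELinux type names are illustrative, not a claim about any real policy); the helper that reads a live table from /proc is included but not exercised offline.

```python
"""Check that every process under a container's init shares init's SELinux
context. On a live host the context comes from /proc/<pid>/attr/current and
the parent pid from /proc/<pid>/stat; a constructed table stands in here."""
import os
from collections import defaultdict

# Constructed sample: (pid, ppid, SELinux context). pid 2000 plays the
# container init spawned by liblxc with an overridden context; pid 2300
# stands in for a process that underwent a domain transition in-container.
SAMPLE_PROCS = [
    (1, 0, "system_u:system_r:init_t:s0"),
    (1500, 1, "system_u:system_r:container_runtime_t:s0"),
    (2000, 1500, "system_u:system_r:container_t:s0:c1,c2"),
    (2100, 2000, "system_u:system_r:container_t:s0:c1,c2"),
    (2200, 2100, "system_u:system_r:container_t:s0:c1,c2"),
    (2300, 2000, "system_u:system_r:container_other_t:s0:c1,c2"),
]

def descendants(procs, root_pid):
    """All pids below root_pid (root excluded), found by walking ppid links."""
    children = defaultdict(list)
    for pid, ppid, _ in procs:
        children[ppid].append(pid)
    found, stack = [], [root_pid]
    while stack:
        for child in children[stack.pop()]:
            found.append(child)
            stack.append(child)
    return found

def context_outliers(procs, init_pid):
    """Map pid -> context for descendants of init_pid whose context differs
    from init's. An empty dict means plain inheritance: one domain for the
    whole container, which is the liblxc behaviour described in the thread."""
    ctx = {pid: c for pid, _, c in procs}
    init_ctx = ctx[init_pid]
    return {p: ctx[p] for p in descendants(procs, init_pid) if ctx[p] != init_ctx}

def read_live_procs():
    """Build the same (pid, ppid, context) table from /proc on a real host."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/stat") as f:
                # "pid (comm) state ppid ..." ; comm may contain spaces/parens
                ppid = int(f.read().rsplit(")", 1)[1].split()[1])
            with open(f"/proc/{name}/attr/current") as f:
                context = f.read().strip("\x00\n")
        except OSError:  # process exited or attr not readable
            continue
        procs.append((int(name), ppid, context))
    return procs
```

On a live host, `context_outliers(read_live_procs(), <container init pid>)` answers the original question directly: an empty result means every process in the container shares init's overridden context.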