I gave a short talk on SELinux namespacing today at the Linux.conf.au Kernel Miniconf in Sydney — the slides from the talk are here: http://namei.org/presentations/selinux_namespacing_lca2018.pdf
This is a work in progress to which I’ve been contributing, following on from initial discussions at Linux Plumbers 2017.
In brief, there’s a growing need to be able to provide SELinux confinement within containers: typically, SELinux appears disabled within a container on Fedora-based systems, as a workaround for a lack of container support. Underlying this is a requirement to provide per-namespace SELinux instances, where each container has its own SELinux policy and private kernel SELinux APIs.
A prototype for SELinux namespacing was developed by Stephen Smalley, who released the code via https://github.com/stephensmalley/selinux-kernel/tree/selinuxns. There were and still are many TODO items. I’ve since been working on providing namespacing support to on-disk inode labels, which are represented by security xattrs. See the v0.2 patch post for more details.
Much of this work will be of interest to other LSMs such as Smack, and many architectural and technical issues remain to be solved. For those interested in this work, please see the slides, which include a couple of overflow pages detailing some known but as yet unsolved issues (supplied by Stephen Smalley).
The session was live streamed — I gather a standalone video will be available soon!
ETA: the video is up! See: