Linux Security Summit North America 2025

At present, SELinux only supports defining and enforcing a single system-wide security policy. As a result, for Linux containers, SELinux is generally only used to provide coarse-grained sandboxing and isolation of entire containers, and Linux distributions cannot effectively leverage SELinux from within a container. With the increasing trend toward containerized applications and cloud-native container workloads, there is a growing need for SELinux to better support containers. SELinux namespaces are a proposed feature enhancement that are intended to enable per-container security policies, i.e. each SELinux namespace can load its own policy, while remaining confined by its parent (and other ancestor) policies. SELinux namespaces bring benefits for Linux developers and users by enabling full use of SELinux within containers, whether or not the host OS uses SELinux itself. In this talk we present the background, design, implementation, performance, and residual challenges associated with the work to bring SELinux namespaces to the mainline Linux kernel.