Security Enhanced Linux (SELinux) in our container technologies age.
We are still at an early stage when it comes to streamlining the security around containers. But it is important to recall that containers ease the deployment and management of applications and their dependencies.

One can then observe that this isolation can prevent code within a container from interacting with code in other containers, which improves security compared to running multiple non-containerized applications on the same system.

However, various bugs have allowed applications to escape from this isolation and interfere with other containers.

Technologies such as seccomp (a "secure computing" mechanism) reduce the number of system calls available to containerized applications and thus make such bugs harder to exploit.

Security Enhanced Linux (SELinux) is a Linux kernel feature that allows restrictions to be applied to application permissions. Each process has an associated context, and a set of rules defines the interactions permitted between contexts.

Connectikpeople.co also recalls that a technology called SVirt, introduced by Red Hat, runs each container in a unique SELinux context. This context is permitted to access only the files and mount points required for that specific container.
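As an added illustration (not part of the original post, nor code from the SVirt or rkt projects), the following Python model shows the MCS (Multi-Category Security) rule that SVirt builds on: each container receives its own pair of SELinux categories, its files carry the same pair, and a process may reach a file only if it holds every category on that file. The `container_t` and `container_file_t` types and the category numbers are assumed sample labels; type enforcement and MLS sensitivity ordering are deliberately left out of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    """One SELinux label: user:role:type:sensitivity plus an MCS category set."""
    user: str
    role: str
    type: str
    level: str
    categories: frozenset

def parse_categories(spec: str) -> frozenset:
    """Expand an MCS category field such as 'c1,c5.c7' into {1, 5, 6, 7}."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:                      # 'c5.c7' is a range
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)

def parse_context(ctx: str) -> Context:
    """Parse 'user:role:type:s0:c1,c2'; the category field may be absent."""
    user, role, typ, level_spec = ctx.split(":", 3)
    level, _, cats = level_spec.partition(":")
    return Context(user, role, typ, level, parse_categories(cats))

def mcs_allows(process: Context, target: Context) -> bool:
    """MCS dominance check: every category on the file must also be held by
    the process. Type enforcement and sensitivity ordering (all s0 here) are
    deliberately ignored in this simplified model."""
    return target.categories <= process.categories

def demo() -> dict:
    """Two SVirt-style containers with constructed (assumed) category pairs,
    one container's private rootfs file, and a shared file with no categories."""
    c1 = parse_context("system_u:system_r:container_t:s0:c123,c456")
    c2 = parse_context("system_u:system_r:container_t:s0:c789,c901")
    c1_rootfs = parse_context("system_u:object_r:container_file_t:s0:c123,c456")
    shared = parse_context("system_u:object_r:container_file_t:s0")
    return {
        "c1_reads_own_rootfs": mcs_allows(c1, c1_rootfs),     # True
        "c2_reads_c1_rootfs": mcs_allows(c2, c1_rootfs),      # False: categories differ
        "c2_reads_shared_file": mcs_allows(c2, shared),       # True: no categories on file
    }
```

On a real host the same labels are visible with `ps -Z` and `ls -Z`, where the kernel, not this script, enforces the check.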

CoreOS has introduced SVirt into the rkt container runtime and incorporated appropriate SELinux policy into the CoreOS Linux operating system. 

It is also encouraging to observe that the container industry is working to add security through virtualization, including using virtual machines to improve container security, with the release of rkt v0.8.0.