I want to be able to run containers which have SELinux enabled, for example CentOS. Purpose is to test SELinux behavior there, not to increase the security of the containers between each other.
First blocker seems to be that the lxd and lxc Ubuntu packages depend on apparmor, and I guess I have to enable SELinux on the host machine (Ubuntu Wily) to be able to offer it in the containers?
liblxc which LXD uses is actually built on Ubuntu with SELinux support so there's nothing for LXD to do here, things should just work.
However, for things to work properly with LXC, you do need to have your host kernel boot with SELinux enabled (which will turn off AppArmor as they are mutually exclusive). Once you do so, there may also be some stuff you need to tweak on your host to make SELinux happy, but LXD itself will follow LXC's default policy with regard to SELinux, which should just work.
On Ubuntu, lxd and lxc packages seem to require apparmor, which conflicts with selinux.
Hmm, indeed. That's pretty odd since the two are only supposed to be mutually exclusive at the kernel level, both userspace tools should be co-installable...
So you could drop the hard dependency in LXC and things may be fine. We can't offer the alternative by default in Ubuntu because selinux isn't in main so LXC can't depend or even recommend it.
Unfortunately Ubuntu was the only distro that I could get lxd to work on, and I sensed a dependency on apparmor even before I tried to remove it, in the config/docs. Maybe there is up-to-date packaging for Fedora? Arch Linux is a no-go because of their opinion on the security of https://bugs.archlinux.org/task/36969?project=1
So I'm going to close the issue here since it's not a lxd problem.
However, if you can confirm that LXC can actually run without apparmor installed, we could move apparmor from a dependency to a recommends and suggest selinux (can't recommend since it's not in main).
The right place for such a bug report or pull-request would be against github.com/lxc/lxc-pkg-ubuntu
Thanks!