On 03/08/2018 05:55 AM, Zvonko Kosic wrote:
> I've seen the presentation by James Morrison about namespacing SELinux and I
> have a question regarding a special case we have in our environment.
> 
> We have third party prestart runtime hooks for docker which bind mount
> files from the host into the container image, which have the wrong label.
> 
> To change the SELinux labels on the host is not an option because
> it breaks stuff on the host.
> 
> Will the SELinux namespacing work on files that are bind mounted?

I believe the answer is yes, since my patches support per-namespace in-core 
inode SIDs and James' additional patches support per-namespace on-disk xattrs 
(so the bind-mounted files can have two distinct labels, one of which will be 
presented to processes in the root/init namespace and the other to processes 
within the child namespace).  That said, this is all very much work in progress.
