SELinux policies in containers
Posted Oct 13, 2011 8:04 UTC (Thu) by wtogami
Parent article: Running distributions in containers
A few years ago we wrote this design for a method to load a SELinux policy through a simple translation layer to have it protect a chroot container as if it were an independent system. It basically attaches a per-container namespace to SELinux context names, fs labels, perhaps a fuse-like per-container /selinux translation layer, and relies upon the host kernel to enforce in the way it usually does. The benefit to this approach is you can use almost unmodified SELinux policies. SELinux is of course only part of the container isolation requirements.
I'm surprised this article didn't mention VServer or OpenVZ. Don't those container methods have some kind of virtualized /sys and /proc? I might be wrong.
to post comments)