A few years ago we wrote this design for a method to load a SELinux policy through a simple translation layer to have it protect a chroot container as if it were an independent system. It basically attaches a per-container namespace to SELinux context names, fs labels, and perhaps a FUSE-like per-container /selinux translation layer, and relies upon the host kernel to enforce in the way it usually does. The benefit of this approach is that you can use almost unmodified SELinux policies. SELinux is of course only part of the container isolation requirements.
Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds