Hello,

On Thu, Jan 17, 2019 at 10:01:23AM -0500, Daniel Walsh wrote:
> The above comment is correct. We want to be able to run a container
> where we hand it control over a limited subdir of the cgroups hierarchy.
> We can currently do this and label the content correctly, but when
> subdirs of the directory get created by processes inside the container
> they do not get the correct label. For example we add a label like
> system_u:object_r:container_file_t:s0 to a directory but when the
> process inside of the container creates a fd within this directory the
> kernel says the label is the default label for cgroups
> system_u:object_r:cgroup_t:s0. This forces us to write looser policy
> that from an SELinux point of view allows a process within the container
> to write anywhere on the cgroup file system, rather than just the
> designated directories.

Can you please go into a bit more detail on why the existing cgroup
delegation model isn't enough?

Thanks.

--
tejun
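To make the two sides of this exchange concrete, here is an added example (not code from either poster): a shell script that sets up a delegated cgroup v2 subtree the way the kernel's delegation model prescribes, labels it container_file_t, and then audits the labels of what was created underneath it. The path /sys/fs/cgroup/containers/c1 and the owner UID are placeholders; the audited lines are a constructed sample showing the mislabeling Daniel describes.

```shell
#!/bin/sh
# Added example, hypothetical: cgroup v2 delegation plus an SELinux label audit.
# Assumed placeholders: /sys/fs/cgroup/containers/c1 and owner UID 1000.

# Delegation means giving the unprivileged owner write access to the cgroup
# directory and its cgroup.procs, cgroup.threads and cgroup.subtree_control.
# Needs root on a cgroup2 mount, so it is defined here but not run at top level.
delegate_subtree() {
    dir=$1 owner=$2
    mkdir -p "$dir"
    for f in "$dir" "$dir/cgroup.procs" "$dir/cgroup.threads" "$dir/cgroup.subtree_control"; do
        chown "$owner" "$f"
    done
    # label the delegated directory as container content
    chcon system_u:object_r:container_file_t:s0 "$dir"
}

# Audit "<context> <path>" lines (the shape `ls -Zd "$dir" "$dir"/*` prints) and
# report every entry whose SELinux type differs from the expected type.
# Exit status is 1 if any entry mismatches, 0 otherwise.
audit_labels() {
    expected=$1
    awk -v want="$expected" '
        { split($1, ctx, ":"); if (ctx[3] != want) { print $2 " has type " ctx[3]; bad = 1 } }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample: the delegated directory and its control file carry the
# label we set, but the sub-cgroup created from inside the container got the
# filesystem default cgroup_t instead of inheriting container_file_t.
SAMPLE='system_u:object_r:container_file_t:s0 /sys/fs/cgroup/containers/c1
system_u:object_r:container_file_t:s0 /sys/fs/cgroup/containers/c1/cgroup.procs
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/containers/c1/worker'

# Prints: /sys/fs/cgroup/containers/c1/worker has type cgroup_t
printf '%s\n' "$SAMPLE" | audit_labels container_file_t \
    || echo "label mismatch detected under delegated subtree"
```

Run against a live delegated subtree with `ls -Zd "$dir" "$dir"/* | audit_labels container_file_t` to see which children fell back to cgroup_t.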