In order to allow processes to modify the cgroup hierarchy in a container from an SELinux point of view, we need to allow read/write access to cgroup_t. This means that a container process could break out and modify all cgroups; we want to allow them to modify only the portion of the hierarchy handed to them. This would be a nice security improvement for Docker.

_______________________________________________
Selinux mailing list