Re: SELinux Namespace on bind mounted files

On Thu, 8 Mar 2018, Daniel Walsh wrote:

> I am not a big fan of Namespaced SELinux.  I think it complicates things and
> will confuse people.  I would think a better solution would be to run your
> container with a different type so that you could allow access to these file
> types.
> 
> It would be a lot easier to create a type based on container-selinux policy
> and just run your container with it.
> 
> 
> podman run -ti --security-opt label=type:mycontainer_t -v /SRC:/DEST IMAGE
> 
> Or if you must
> 
> docker run -ti --security-opt label=type:mycontainer_t -v /SRC:/DEST IMAGE

I think it depends on your use-case.  If you want an OS-like privileged 
container, then the current solution of having SELinux appear disabled in 
the container is inadequate for many users.  It is also trivially possible 
to access and modify global SELinux state from there.



-- 
James Morris
<jmorris@xxxxxxxxx>
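As an added example (not part of this thread and not code from either poster), this is one way the "run your container with a different type" approach from the quoted message could be realised: a small policy module that derives a new container domain from container-selinux and grants it access to one dedicated file type for the bind-mounted data. The `container_domain_template` interface and the `container_runtime_t` type are assumed to be those provided by container-selinux; the module name `mycontainer`, the type `mycontainer_data_t`, and the paths `/SRC` and `/DEST` are hypothetical placeholders.

```selinux
# mycontainer.te (hypothetical module name)
policy_module(mycontainer, 1.0.0)

gen_require(`
    # provided by container-selinux (assumed)
    type container_runtime_t;
')

# Create the domain mycontainer_t with the same baseline confinement
# as container_t, plus the transition rules the runtime needs to start
# a container in it (assumed to be handled by this interface).
container_domain_template(mycontainer)

# A dedicated file type for the bind-mounted source directory.
# Nothing in the stock policy grants container_t access to it,
# so only processes running as mycontainer_t reach the data.
type mycontainer_data_t;
files_type(mycontainer_data_t)

# Grant exactly the file access the container needs on that type.
allow mycontainer_t mycontainer_data_t:dir manage_dir_perms;
allow mycontainer_t mycontainer_data_t:file manage_file_perms;
allow mycontainer_t mycontainer_data_t:lnk_file manage_lnk_file_perms;
```

Build and load the module with `make -f /usr/share/selinux/devel/Makefile mycontainer.pp` followed by `semodule -i mycontainer.pp`, record the label for the source tree with `semanage fcontext -a -t mycontainer_data_t '/SRC(/.*)?'` and apply it with `restorecon -R /SRC`, then start the container with `podman run -ti --security-opt label=type:mycontainer_t -v /SRC:/DEST IMAGE`. Compared with relabelling the volume to `container_file_t` via `:Z` or `:z`, which every container domain can read and write, the dedicated type ties the data to this one domain, and any access attempt from an ordinary `container_t` process shows up as an AVC denial in the audit log.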
