[PATCH 0/3] Allow initializing the kernfs node's secctx based on its parent
Tejun Heo
tj at kernel.org
Thu Jan 17 16:15:21 UTC 2019
Hello,
On Thu, Jan 17, 2019 at 10:01:23AM -0500, Daniel Walsh wrote:
> The above comment is correct. We want to be able to run a container
> where we hand it control over a limited subdir of the cgroups hierarchy.
> We can currently do this and label the content correctly, but when
> subdirs of the directory get created by processes inside the container
> they do not get the correct label. For example we add a label like
> system_u:object_r:container_file_t:s0 to a directory but when the
> process inside of the container creates a fd within this directory the
> kernel says the label is the default label for cgroups
> system_u:object_r:cgroup_t:s0. This forces us to write looser policy
> that from an SELinux point of view allows a process within the container
> to write anywhere on the cgroup file system, rather than just the
> designated directories.
Can you please go into a bit more details on why the existing
cgroup delegation model isn't enough?
Thanks.
--
tejun
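As an added illustration of the labelling problem Daniel describes (not code from the thread or the kernel patch series): an audit helper that walks a listing of a delegated cgroup subtree and reports entries whose SELinux type fell back to the kernfs default instead of inheriting the parent's. The paths and contexts below are constructed sample data in the shape `ls -Z` or `getfattr -n security.selinux` would print; `/sys/fs/cgroup/ctr` as the delegated directory is an assumption.

```python
"""Audit SELinux labels in a delegated cgroup subtree.

Constructed scenario modelled on the thread: the container is handed
/sys/fs/cgroup/ctr, labelled container_file_t, and children created from
inside the container come back as cgroup_t (the kernfs default).
Contexts use the usual user:role:type:level form.
"""
from typing import Dict, List, Tuple


def parse_context(ctx: str) -> Tuple[str, str, str, str]:
    """Split 'user:role:type:level' into its four fields.

    The MLS/MCS level may itself contain ':' (e.g. s0:c1,c2), so only the
    first three separators are significant.
    """
    user, role, typ, level = ctx.split(":", 3)
    return user, role, typ, level


def find_mislabelled(delegated_root: str, labels: Dict[str, str]) -> List[str]:
    """Return paths under delegated_root whose SELinux type differs from the root's.

    `labels` maps each path to its full security context. The root's type is
    the label the administrator applied when delegating (container_file_t in
    the thread); any descendant carrying another type is reported, since
    policy written against the root label will not cover it.
    """
    root_type = parse_context(labels[delegated_root])[2]
    prefix = delegated_root.rstrip("/") + "/"
    mislabelled = []
    for path in sorted(labels):
        if not path.startswith(prefix):
            continue  # outside the delegated subtree
        if parse_context(labels[path])[2] != root_type:
            mislabelled.append(path)
    return mislabelled


# Constructed sample listing; sub1 was created by a process inside the container.
SAMPLE_LABELS = {
    "/sys/fs/cgroup/ctr": "system_u:object_r:container_file_t:s0",
    "/sys/fs/cgroup/ctr/cgroup.procs": "system_u:object_r:container_file_t:s0",
    "/sys/fs/cgroup/ctr/sub1": "system_u:object_r:cgroup_t:s0",
    "/sys/fs/cgroup/ctr/sub1/cgroup.procs": "system_u:object_r:cgroup_t:s0",
    "/sys/fs/cgroup/other": "system_u:object_r:cgroup_t:s0",  # not delegated; ignored
}

if __name__ == "__main__":
    for p in find_mislabelled("/sys/fs/cgroup/ctr", SAMPLE_LABELS):
        print("did not inherit parent label:", p)
```

On a live system the same check can be fed from `find <subtree> -exec getfattr -n security.selinux {} +`; a non-empty result is the symptom the thread describes and the reason the policy had to be loosened.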