[PATCH 0/3] Allow initializing the kernfs node's secctx based on its parent

[Stephen Smalley]

On 1/17/19 11:15 AM, Tejun Heo wrote:
> Hello,
> 
> On Thu, Jan 17, 2019 at 10:01:23AM -0500, Daniel Walsh wrote:
>> The above comment is correct.  We want to be able to run a container
>> where we hand it control over a limited subdir of the cgroups hierachy.
>> We can currently do this and label the content correctly, but when
>> subdirs of the directory get created by processes inside the container
>> they do not get the correct label.  For example we add a label like
>> system_u:object_r:container_file_t:s0 to a directory but when the
>> process inside of the container creates a fd within this directory the
>> kernel says the label is the default label for cgroups
>> system_u:object_r:cgroup_t:s0.  This forces us to write looser policy
>> that from an SELinux point of view allows a process within the container
>> to write anywhere on the cgroup file system, rather then just the
>> designated directories.
> 
> Can you please go into a bit more details on why the existing
> cgroup delegation model isn't enough?

I would hazard a guess that it is because the existing cgroup delegation 
model is based on user IDs and discretionary access control (DAC), 
whereas they are using per-container SELinux security contexts and 
mandatory access control (MAC) to enforce the separation of containers 
irrespective of UID and DAC.  Optimally both would be supported by 
cgroup, as DAC and MAC have different properties and use cases.