Support for SELinux label
I don't know what we need. The first step is to identify what we need to do. https://github.com/opencontainers/runtime-spec/blob/a3c33d663ebc56c4d35dbceaa447c7bf37f6fab3/config.md?plain=1#L213-L214
Maybe this might provide some help:
https://wiki.gentoo.org/wiki/SELinux/Labels, and specifically, https://wiki.gentoo.org/wiki/SELinux/Labels#Managing_process_labels
As the above states, it is not possible to change the label for a process once started. That would mean we would need to start the youki daemon, in the two-fork method, with the correct label set. This might provide some info on that: https://wiki.gentoo.org/wiki/SELinux/Tutorials/How_does_a_process_get_into_a_certain_context
I haven't gone through these in detail, but I think this could lead us to the way we need to implement.
Some extra links (but not much different): https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-working_with_selinux-selinux_contexts_labeling_files
I also found https://opensource.com/article/18/2/understanding-selinux-labels-container-runtimes, which is from the author who contributed to the SELinux Go bindings for OCI: https://github.com/opencontainers/selinux
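Added example (not part of the thread and not youki's code): one way for a runtime to start the container process with the label from the OCI config is to write it to `/proc/thread-self/attr/exec` in the final child just before `exec`, so the new program begins in that context. The function names and the sample label are assumptions made for this example.

```rust
use std::fs::OpenOptions;
use std::io::{self, Write};
use std::path::Path;

/// Kernel interface holding the label applied at this thread's next execve().
pub const EXEC_ATTR: &str = "/proc/thread-self/attr/exec";

/// Split a label into (user, role, type, optional MLS/MCS level).
/// The level can itself contain ':' (e.g. "s0:c1,c2"), so split at most 4 ways.
pub fn parse_label(label: &str) -> Option<(&str, &str, &str, Option<&str>)> {
    if label.bytes().any(|b| b == 0 || b.is_ascii_whitespace()) {
        return None;
    }
    let mut parts = label.splitn(4, ':');
    let user = parts.next().filter(|s| !s.is_empty())?;
    let role = parts.next().filter(|s| !s.is_empty())?;
    let typ = parts.next().filter(|s| !s.is_empty())?;
    Some((user, role, typ, parts.next()))
}

/// Write `label` to `attr_path` (EXEC_ATTR in real use; a parameter here so the
/// function can be exercised against an ordinary file). Call it in the thread
/// that will exec the container's program, after the last fork.
pub fn set_exec_label(attr_path: &Path, label: &str) -> io::Result<()> {
    if parse_label(label).is_none() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "malformed SELinux label"));
    }
    // Open without create/truncate: the attr file already exists under /proc.
    let mut f = OpenOptions::new().write(true).open(attr_path)?;
    // The kernel validates the label on write and returns an error if it refuses it.
    f.write_all(label.as_bytes())
}

fn main() {
    // Constructed sample label, in the user:role:type:level form.
    let label = "system_u:system_r:container_t:s0:c123,c456";
    println!("parsed: {:?}", parse_label(label));
    match set_exec_label(Path::new(EXEC_ATTR), label) {
        Ok(()) => println!("exec label set; the next exec starts in {}", label),
        Err(e) => eprintln!("could not set exec label: {}", e),
    }
}
```
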
@yihuaf Hi! Are you maybe interested?
I can try to do some investigation around this and see if I can come up with a design. Work starts to take up more time, so I may work slower than before.
@yihuaf That's right. If you will be busy and it gets difficult, please let me know via Discord DM or something. It's no problem at your own pace. Thanks again, you're a big help 😍