Container engines launch container processes with a single confined SELinux label, usually container_t, and then label the content inside the container container_file_t. The SELinux policy rules basically say that container_t processes can only read, write, and execute files labeled container_file_t. If a container process escapes the container and attempts to write to content on the host, the Linux kernel denies access and only allows the container process to write to content labeled container_file_t.
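On a host, the denial the paragraph describes shows up as an AVC record in the audit log. The following is an added example, not code from the original article: it parses audit-style `type=AVC` lines and flags the ones where a container_t process was denied access to content that is not labeled container_file_t, which is the signal a defender would want to alert on. The log lines are constructed to mimic the audit.log format (real lines vary in field order), and the function and constant names are hypothetical.

```python
"""Flag SELinux AVC denials where a container_t process touched host content.

Added example, not from the original article. SAMPLE_AUDIT_LOG below is
constructed to look like /var/log/audit/audit.log; it is not a real capture.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample audit records (not captured from a real host).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=4321 comm="sh" name="shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:container_t:s0:c12,c345 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=4321 comm="cat" name="id_rsa" dev="dm-0" ino=5678 scontext=system_u:system_r:container_t:s0:c12,c345 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { write } for  pid=999 comm="httpd" name="index.html" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=2 success=no exit=-13
"""

# Matches the fields of an AVC record; name= is optional because some
# object classes (sockets, capabilities) carry no file name.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"'
    r'(?:.*?name="(?P<name>[^"]*)")?'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

# Label sets from the article: the process type and the content type it may use.
CONTAINER_PROCESS_TYPES = {"container_t"}
CONTAINER_CONTENT_TYPES = {"container_file_t"}


@dataclass
class AvcEvent:
    result: str
    perms: Tuple[str, ...]
    pid: int
    comm: str
    name: str
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool


def selinux_type(context: str) -> str:
    """Return the type field of a user:role:type[:level[:categories]] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return parts[2]


def parse_avc(line: str) -> Optional[AvcEvent]:
    """Parse one audit line; return None for non-AVC or unparseable records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return AvcEvent(
        result=m["result"],
        perms=tuple(m["perms"].split()),
        pid=int(m["pid"]),
        comm=m["comm"],
        name=m["name"] or "",
        scontext=m["scontext"],
        tcontext=m["tcontext"],
        tclass=m["tclass"],
        permissive=m["permissive"] == "1",
    )


def is_container_escape_attempt(ev: AvcEvent) -> bool:
    """A confined container process was denied access to content that is not
    container content: exactly the case the container policy exists to stop."""
    return (
        ev.result == "denied"
        and selinux_type(ev.scontext) in CONTAINER_PROCESS_TYPES
        and selinux_type(ev.tcontext) not in CONTAINER_CONTENT_TYPES
    )


def find_container_escape_attempts(log_text: str) -> List[AvcEvent]:
    """Return the AVC events in log_text that look like container escapes."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_avc(line)
        if ev is not None and is_container_escape_attempt(ev):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_container_escape_attempts(SAMPLE_AUDIT_LOG):
        print(f"pid={ev.pid} comm={ev.comm} {ev.perms} {ev.name!r} "
              f"{selinux_type(ev.scontext)} -> {selinux_type(ev.tcontext)}")
```

Run against the constructed log, the two container_t denials (against shadow_t and ssh_home_t content) are reported, while the httpd_t denial and the SYSCALL record are ignored. The type is taken from the third field of the context so the check works whether or not the label carries an MLS/MCS suffix such as `s0:c12,c345`; the `permissive` field is kept because a denial logged with `permissive=1` was not actually blocked and deserves a higher severity.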