Cgroup + selinux: Incorrect context for /sys/fs/cgroup according to the reference policy

Hello,

With LXC version 4, /sys/fs/cgroup used to have the SELinux type cgroup_t, which is according to the reference policy.

With version 5 it appears as tmpfs_t; I believe it’s due to LXC creating a tmpfs and then bind mounting content from the host if requested. The same can be seen with /dev, having tmpfs_t instead of device_t (according to the reference policy).

Is this intended with version 5 and above? And if so, what is the common workaround to have the FS context compliant with the reference policy?

Or maybe the container should restorecon -R /sys /dev after mounting the FS.

It depends on your exact configuration, but in general we don’t like having liblxc mount /sys/fs/cgroup; instead we typically let the init system in the container do the mounting.

In general, that results in /sys/fs/cgroup being a clean cgroup2 mount.

I’m using defaults (i.e. I’m not specifying anything)… Is there a way to have the container rootfs compliant with the SELinux security policy (e.g. /dev → device_t; /sys/fs/cgroup → cgroup_t)?

I had a look at the auto mount options, but none of them seems to handle this use case.

This is important because some applications expect the above contexts on certain system paths, which is okayish, since they come from the SELinux reference policy.

You may be able to use lxc.mount.entry rather than lxc.mount.auto for those and have the specific SELinux labels set that way. Otherwise, this would need some changes to liblxc to accommodate and would need some checks to ensure everyone using SELinux agrees on the labels (Android being the tricky one typically).
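Added example (not from any poster in this thread, and not LXC's own code): a small POSIX shell check that reports whether /dev and /sys/fs/cgroup inside a container carry the reference-policy types named above (device_t and cgroup_t), so the effect of an lxc.mount.entry change or of running restorecon can be verified rather than assumed. It assumes GNU coreutils ls with -Z support; the path list and the helper names are this example's own choices.

```shell
#!/bin/sh
# Added example: verify SELinux types of container paths against the
# reference-policy types discussed in the thread. Not part of LXC.

# Extract the type field (third colon-separated field) from a context
# string such as system_u:object_r:tmpfs_t:s0.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed (return 0) only if the context's type equals the expected type.
context_matches() {
    [ "$(selinux_type "$1")" = "$2" ]
}

# Read a path's context with GNU `ls -Zd` (context is the first field of
# its output) and compare it to the expected type. Prints one report line;
# returns 0 on match, 1 on mismatch, 2 if the path cannot be read.
check_path() {
    path=$1
    expected=$2
    ctx=$(ls -Zd "$path" 2>/dev/null | awk '{print $1}')
    if [ -z "$ctx" ]; then
        echo "MISSING  $path"
        return 2
    fi
    if context_matches "$ctx" "$expected"; then
        echo "OK       $path  $ctx"
        return 0
    fi
    echo "MISMATCH $path  got $(selinux_type "$ctx"), expected $expected"
    return 1
}

# The two paths and types from the thread; run again after restorecon or
# after switching to lxc.mount.entry to see whether the labels changed.
check_all() {
    rc=0
    check_path /dev device_t || rc=1
    check_path /sys/fs/cgroup cgroup_t || rc=1
    return $rc
}

# Run the checks only when invoked with --run, so the functions can also
# be sourced from another script.
case "${1:-}" in
    --run) check_all ;;
esac
```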