I am currently trying to investigate how SELinux is used from a container perspective. I have a basic setup, in which I have an SELinux-enabled kernel, and I am running a CentOS (which also uses SELinux) LXD container.
What I have noticed so far is that all processes running inside the container have the same kind of SELinux domain set. When I tried writing to the /dev/console device from the LXD container, I got an SELinux denial. From this, what I understood was that SELinux policies were applied to processes inside the container namespace.
The main question I had was: is the functionality of SELinux from a container's viewpoint just to protect the host from the container, or can we have more granular SELinux control for processes/files inside the container? If the SELinux domains are similar for all processes inside the container, then one policy will apply to all processes. Can we also have multiple domains for different processes that run in the container's namespace?