Questions about SELinux labeling

[kaivol]

I recently migrated my Podman host from Ubuntu to Fedora.
My setup is as follows:

• Containers are defined using Quadlet (rootful)
• UserNS=auto
• bind mount targets are owned by my user (uid=1000), and are made accessible to the containers using idmap and relabel=private

In the process, I used SELinux for the first time. Hereby, I encountered the problem that relabeling during startup takes a very long time (#24210).

To avoid this problem, I considered manually relabeling the volume as shared (with security context system_u:object_r:container_file_t:s0, IIUC), and disabling relabeling by Podman. However, I am not sure what the implications of this approach are.
If I understand correctly, shared labels allow all containers to access the destination. But then what is the point of SELinux with shared labels if essentially all software on the device runs in containers?

Also, as the processes in the containers run with unique user namespaces (because of UserNS=auto), the basic file permissions should already prevent the container processes from accessing directories that they should not have access to in case of a container escape (assuming that the permissions prohibit access for others).
Does SELinux provide further benefits under these conditions?

I appreciate any tips!

[rhatdan]

Relabling will only happen the first time, afterwards it will not relabel again. unless you change the labels.

With containers labels you need to worry about the labels in containers with those not in containers. For example you container running rootless mode is able to read any UID that your UID is able to read. So a rootless container can read the content in ~/.ssh if it escapes from the container. With SELinux the Kernel would stop the process from reading the content.

SELinux is the only tool that really protects the host file system from container escape.

The difference between :z and :Z is all about container content and whether the content is going to be used between two containers running with different labels or private to a container.

You could have multiple choices when running containers with SELinux
1: run container with SELinux separation disabled --security-opt label=disabled
This container if it escapes would have full access to every file that UID=$USER has access to.
2: run container normally, has no access to any host files at all other then container content within the container.
3: Run container with volume and :Z means the container has full control over the volume, but other containers are blocked from using it.
4: Want to share 1 volume with more then one container. Run each container with the same SELinux MCS Label. --security-opt label=level:s0:c100,c259. Then mount the volume with :Z. This would mean any of these container can read/write the volume, but if they escaped they would be able to attack the other processes within the container, potentially able to ptrace them and see their memory.
5: Want to share 1 volume with more then one container. Run volume with :z, this means the volume can be read/written by all containers even containers without the volume mounted into it, if they container process escaped.