nsenter is a program that allows you to run a program inside the namespaces of another process. This tool is often used to enter containers such as docker, systemd-nspawn or rocket, whether for debugging or for scripting tools that work inside containers.

One problem it had was that the process entering the container could potentially be attacked by processes within the container. From an SELinux point of view, you might be injecting an unconfined_t process into a container that is running as svirt_lxc_net_t. We wanted a way to change the process context when it entered the container to match the context of the target pid, the process whose namespaces you are entering.
As of util-linux-2.27, nsenter now has this support, via the -Z (--follow-context) option. From the nsenter(1) man page:

Set the SELinux security context used for executing a new process according to already running process specified by --target PID. (The util-linux has to be compiled with SELinux support otherwise the option is unavailable.)
Already did this, but this gives debuggers, testers and script writers a new tool to use with namespaces and containers.
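As an added example (not code from the post or from util-linux), the script below enters a container's namespaces with nsenter -Z and then checks that the entered process really took on the target pid's SELinux type rather than staying unconfined_t. It assumes root, util-linux 2.27 or later built with SELinux support, a container whose init pid is passed as the first argument, and procfs mounted inside the container so /proc/self/attr/current can be read there.

```shell
#!/bin/sh
# Added example (not from the original post): enter a container's namespaces
# with nsenter -Z so the entered process adopts the SELinux context of the
# target pid, then verify that it did. Assumes root, util-linux >= 2.27 built
# with SELinux support, and a running container whose init pid is given as $1.

# Read a process's SELinux context from /proc, e.g.
# system_u:system_r:svirt_lxc_net_t:s0:c12,c34 (the file may end in a NUL).
proc_context() {
    tr -d '\0' < "/proc/$1/attr/current"
}

# Return the type field (third colon-separated field) of a context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Build the nsenter invocation. Without -Z the new process would keep the
# caller's context (typically unconfined_t) inside the container.
build_nsenter_cmd() {
    printf 'nsenter --target %s --mount --uts --ipc --net --pid -Z -- %s\n' \
        "$1" "${2:-/bin/sh}"
}

# Succeed (0) only when both contexts carry the same SELinux type, so a
# process that entered the container still running as unconfined_t is caught.
same_type() {
    [ "$(context_type "$1")" = "$(context_type "$2")" ]
}

# Enter the container rooted at pid $1 and report whether the context followed.
enter_container() {
    target=$(proc_context "$1") || return 1
    echo "target $1 runs as: $target"
    # Read the context from inside: the exec'ed process reports on itself
    # (assumes procfs is mounted in the container's mount namespace).
    entered=$(nsenter --target "$1" --mount --uts --ipc --net --pid -Z -- \
        cat /proc/self/attr/current | tr -d '\0') || return 1
    echo "entered process runs as: $entered"
    if same_type "$target" "$entered"; then
        echo "OK: context followed the target"
    else
        echo "WARNING: context did not follow the target" >&2
        return 2
    fi
}

# Usage: ./nsenter-z.sh <container-pid>
if [ -n "${1:-}" ]; then
    enter_container "$1"
fi
```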
Dan Walsh's Blog: nsenter gains SELinux support