Replies: 1 comment
If the system is in permissive mode, then it only logs.
Hi everybody!!
I've been trying to understand how Podman manages SELinux labels, and I have noticed that the labeling process is not what's described in all the articles I've read online.
To put the situation in simple terms, it seems that a container process with the label container_t can modify a mounted directory (with the podman run --volume option), even though the directory is not labeled correctly (in my case user_home_t). I retried the experiment, but this time I added the :z flag to the bind mount, and effectively the directory had the correct label type, so it's normal that the container can add and remove files as it pleases without restrictions, but one problem is that I can still modify the directory even from the host machine (I created a test file and it got the container_file_t label??).
Now the only explanation for this that I came up with is that maybe it's because I have SELinux in permissive mode and so it just logs but does not block anything (I would have tried to switch to enforcing to test it out, but since not a lot of things are in order on my host "virtual" machine, it just crashes in enforcing mode), so I'm wondering if anybody has any idea about the cause of this problem?
Cheers!!
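An added example, not code from the discussion above, that makes the experiment in the post observable: in permissive mode the container's write into a user_home_t directory succeeds whether or not the policy would deny it, so the file operation proves nothing and the only evidence is the AVC record, which carries permissive=1 when the denial was logged but not blocked. It also shows why the host-side write is expected rather than a bug: :z relabels the directory to container_file_t so that confined container_t processes can reach it, while an unconfined_t shell on the host is not restricted by that label and any file it creates inherits the directory's type. The script assumes podman, getenforce, ausearch, ls -Z and a docker.io/library/alpine image are available on the host (all assumptions about the reader's machine, not facts from the post); SAMPLE_AVC is a constructed log sample so the parsing functions can be checked without SELinux present.

```shell
#!/usr/bin/env bash
# Added example (not code from the discussion above). Reproduces the :z volume
# experiment and reads the SELinux audit log, because in permissive mode the
# file operation succeeds either way and only the AVC record shows what
# enforcing mode would have blocked.

# Extract the SELinux type (third colon-separated field of the context) from
# one line of `ls -Z` / `ls -Zd` output, e.g.
# "unconfined_u:object_r:user_home_t:s0 /home/u/data" -> user_home_t
selinux_type_of() {
    printf '%s\n' "$1" | awk '{ split($1, f, ":"); print f[3] }'
}

# Map `getenforce` output to what a successful write actually proves.
interpret_mode() {
    case "$1" in
        Enforcing)  echo "enforced: a successful write means the policy allowed it" ;;
        Permissive) echo "logged-only: writes always succeed, check ausearch -m avc" ;;
        Disabled)   echo "no-selinux: labels are not consulted at all" ;;
        *)          echo "unknown" ;;
    esac
}

# Count AVC denials whose source domain is container_t (the domain `podman run`
# gives the container process) in audit-log text such as `ausearch -m avc` prints.
count_container_denials() {
    printf '%s\n' "$1" | awk '/avc: +denied/ && /scontext=[^ ]*:container_t:/ { n++ } END { print n + 0 }'
}

# Count denials that carry permissive=1, i.e. were logged but not blocked.
count_logged_only() {
    printf '%s\n' "$1" | awk '/avc: +denied/ && / permissive=1/ { n++ } END { print n + 0 }'
}

# Constructed sample (not a real capture) in the format `ausearch -m avc` prints:
# one denial for the container, one unrelated, both recorded in permissive mode.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:301): avc:  denied  { write } for  pid=4242 comm="touch" name="data" dev="dm-0" ino=1 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000000.102:302): avc:  denied  { read } for  pid=4243 comm="cat" name="secret" dev="dm-0" ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# Live experiment (needs podman, SELinux tooling and network access for the image pull).
run_experiment() {
    local dir=$1 mode log
    mode=$(getenforce)
    echo "SELinux mode: $mode -> $(interpret_mode "$mode")"
    echo "host label before: $(selinux_type_of "$(ls -Zd "$dir")")"
    if podman run --rm -v "$dir":/data:z docker.io/library/alpine sh -c 'touch /data/from-container'; then
        echo "container write succeeded"
    else
        echo "container write failed"
    fi
    echo "host label after :z: $(selinux_type_of "$(ls -Zd "$dir")")"
    # The host shell runs as unconfined_t, so this write succeeds in every mode;
    # the new file inherits container_file_t from the relabeled directory.
    touch "$dir/from-host"
    echo "host write: $(ls -Z "$dir/from-host")"
    log=$(ausearch -m avc -ts recent 2>/dev/null || true)
    echo "container_t denials: $(count_container_denials "$log")," \
         "logged-only (permissive=1): $(count_logged_only "$log")"
}

if [ "${1:-}" = "--run" ]; then
    run_experiment "${2:?usage: $0 --run /path/to/dir}"
else
    echo "sample log: $(count_container_denials "$SAMPLE_AVC") container_t denial(s)," \
         "$(count_logged_only "$SAMPLE_AVC") logged-only"
fi
```

Run it as `./check.sh --run /home/you/data` on the permissive host: the container write succeeds both before and after :z, but only the first run leaves a container_t denial with permissive=1 behind, which is the denial enforcing mode would have turned into EACCES. The host write succeeding after :z is the intended design; :Z would additionally stamp the directory with the container's MCS categories so other containers are kept out, but it still does not restrict an unconfined host shell.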