Replies: 1 comment
I think udica can create such profiles https://github.com/containers/udica
I have a container which runs in the host network namespace, because it needs to open raw sockets on certain interfaces. I'd like to restrict which interfaces the container can bind to, and it looks like SELinux allows doing that.
What's the correct way to add additional SELinux restrictions to a container? My current idea would be to create and install a custom sepolicy module on the host which introduces a new domain like my_container_t and then change the container's domain using
--security-opt=label=type:my_container_t. Is that correct? Is there anything to be careful about to not decrease security? Should my custom domain inherit from container_t?
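The procedure sketched in the question, put together with the udica templates mentioned in the reply, as an added example; this is not code from the thread, from udica or from container-selinux. It assumes the udica templates are installed under /usr/share/udica/templates and define the `container` and `net_container` CIL blocks, that the host policy exports the `netif_type` attribute, and it uses `my_container`, `my_raw_netif_t`, `eth1` and the image name as placeholders. With CIL blocks the resulting domain is named `my_container.process` rather than `my_container_t`, which is what the `label=type:` option has to reference.

```shell
#!/usr/bin/env bash
# Added example, not code from the discussion, udica or container-selinux.
# Builds a custom SELinux domain for a host-network container on top of
# udica's CIL templates, installs it, labels one network interface, and
# checks that the container really runs in the new domain.
# Assumptions: udica templates live in /usr/share/udica/templates and define
# the "container" and "net_container" blocks; the base policy exports the
# netif_type attribute; my_container, my_raw_netif_t and eth1 are placeholders.
set -eu

UDICA_TEMPLATES=${UDICA_TEMPLATES:-/usr/share/udica/templates}

# Print a CIL module for domain "$1.process". Inheriting udica's "container"
# block is the CIL equivalent of "inheriting from container_t": the new type
# gets the container_domain attribute, the MCS constraint and the transition
# rules container_runtime_t needs, so only the rules listed here are added.
gen_policy() {
  local name=$1 netif_type=$2
  cat <<EOF
(block ${name}
    (blockinherit container)
    (blockinherit net_container)
    ;; raw sockets need CAP_NET_RAW and the rawip_socket class
    (allow process process (capability (net_raw)))
    (allow process process (rawip_socket (create bind read write getattr setattr getopt setopt ioctl)))
    ;; netif rules only match interfaces labelled ${netif_type}; everything
    ;; else keeps the default netif_t label and is deliberately not listed
    (allow process ${netif_type} (netif (ingress egress rawip_send rawip_recv)))
)
;; interface label referenced above (attached to a real interface by semanage)
(type ${netif_type})
(typeattributeset netif_type (${netif_type}))
EOF
}

# Return the type field of an SELinux context such as
# system_u:system_r:my_container.process:s0:c12,c34
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Install the module together with the udica templates it inherits from,
# then label the one interface the container may use.
install_policy() {
  local name=$1 netif_type=$2 iface=$3
  gen_policy "$name" "$netif_type" > "${name}.cil"
  semodule -i "${name}.cil" \
    "${UDICA_TEMPLATES}/base_container.cil" \
    "${UDICA_TEMPLATES}/net_container.cil"
  semanage interface -a -t "$netif_type" "$iface"
  # The restriction is void if an inherited block already allows netif access
  # for every interface type; inspect the effective rules before trusting it.
  sesearch -A -s "${name}.process" -c netif
}

# Start the container in the new domain and confirm the type actually applied
# by reading the context of the container's init process on the host.
run_in_domain() {
  local name=$1 image=$2 cid pid ctx
  cid=$(podman run -d --network=host --cap-add=NET_RAW \
          --security-opt "label=type:${name}.process" "$image" sleep infinity)
  pid=$(podman inspect -f '{{.State.Pid}}' "$cid")
  ctx=$(ps -o label= -p "$pid")
  if [ "$(context_type "$ctx")" != "${name}.process" ]; then
    echo "container $cid is running as $ctx, not ${name}.process" >&2
    return 1
  fi
  echo "$cid"
}

case "${1:-}" in
  generate) gen_policy "${2:-my_container}" "${3:-my_raw_netif_t}" ;;
  install)  install_policy "${2:-my_container}" "${3:-my_raw_netif_t}" "${4:-eth1}" ;;
  run)      run_in_domain "${2:-my_container}" "${3:-fedora}" ;;
esac
```

Two things to keep in mind when judging whether this decreases security. SELinux policy is additive: the new domain gets everything the inherited blocks grant plus the listed allow rules, and nothing is taken away, so the "only this interface" restriction only holds if no inherited block already grants `netif` access to `netif_type` or `netif_t`; that is what the `sesearch` call in `install_policy` is there to show. Second, the kernel only evaluates `netif` ingress/egress rules when packet labelling (SECMARK or a labelled peer, e.g. NetLabel) is active, so run the container under `setenforce 0` first and confirm in the audit log that denials for the other interfaces appear at all before relying on the rule in enforcing mode.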