SELinux/Containers
Many container technologies, such as Docker and Podman, have features that integrate with SELinux at runtime. These features are primarily intended to provide additional isolation for containers. With SELinux enabled, containers remain isolated not only from the host but also from each other.
Introduction
SELinux policy support for containers is provided by the sec-policy/selinux-container package as well as the corresponding policy packages for various container technologies. For example, sec-policy/selinux-docker provides policy support for app-containers/docker. The required policy packages will be pulled in automatically as long as the selinux USE flag is set.
Generally speaking, most container runtimes (henceforth referred to as "engines" in this article) will take advantage of SELinux as soon as they are installed. However, there are a few cases where some extra configuration is required.
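One way to verify that an engine really is labelling containers is to inspect the process labels it assigns: each container should run in the container_t domain with its own MCS category pair, and processes sharing a container share that pair. The following check is an added example and is not part of this page or of any engine's own tooling; the ps -eZ output it parses is constructed, and a real run would substitute `ps -eZ` for the sample.

```shell
#!/bin/sh
# Constructed sample of `ps -eZ` output (LABEL PID TTY TIME CMD); not captured
# from a real host. Two containers (c123,c456 and c78,c901) plus the engine.
SAMPLE='system_u:system_r:container_runtime_t:s0 1201 ? 00:00:03 dockerd
system_u:system_r:container_t:s0:c123,c456 1340 ? 00:00:00 nginx
system_u:system_r:container_t:s0:c123,c456 1355 ? 00:00:00 nginx
system_u:system_r:container_t:s0:c78,c901 1402 ? 00:00:00 redis-server
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2001 pts/0 00:00:00 bash'

# Print the MCS category set (last colon-separated field of the label) of
# every process running in the container_t domain, one per line.
container_categories() {
    printf '%s\n' "$1" | awk '$1 ~ /:container_t:/ {
        n = split($1, f, ":"); print f[n]
    }'
}

# Number of distinct category sets among container_t processes; on a healthy
# host this equals the number of running containers.
distinct_category_sets() {
    container_categories "$1" | sort -u | wc -l | tr -d ' '
}

# PIDs of container_t processes whose level is plain s0, i.e. launched without
# per-container MCS separation (for example with labelling disabled).
unlabeled_containers() {
    printf '%s\n' "$1" | awk '$1 ~ /:container_t:s0$/ { print $2 }'
}

# Succeeds when two PIDs carry the same category set, meaning SELinux treats
# them as the same container; fails when either PID is absent.
same_categories() {
    a=$(printf '%s\n' "$1" | awk -v p="$2" '$2 == p { n = split($1, f, ":"); print f[n] }')
    b=$(printf '%s\n' "$1" | awk -v p="$3" '$2 == p { n = split($1, f, ":"); print f[n] }')
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```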
Docker
Podman
CRI-O
Differences from container-selinux
container-selinux is the upstream SELinux policy package providing support for containers on Linux distributions utilizing fedora-selinux as the foundation for their SELinux policies. This includes Fedora Linux, Red Hat Enterprise Linux, CentOS, etc.