On second thought I might not agree. I would agree if I exposed a root-owned podman.sock to a rootless container. I am not doing that. When I start podman like so: `systemctl --user start podman`, I am creating a socket under /run/user/<uid>/podman/podman.sock. This socket is owned by the unprivileged user. Also, this socket would not gain access to root-owned containers. As far as I understand, rootless and rootful are separated with podman. Therefore I would argue that the security scope is limited to that of an ordinary user. Hence it would be okay to expose the podman.sock to containers owned by that same user. Inside a rootless container, I would not be able to gain any elevation or anything otherwise. Inside a rootless container I cannot do more than on the outside. Therefore SELinux should not block read access. I don't think you ever write to the Docker API, and blocking write access would make sense. Is my reasoning flawed in any way, and if so, how?