Red Hat takes a stand against container fragmentation. With standards

If you don't mind me asking, how does AppArmor isolate a container? I was under the impression everything was specified with file paths.

I'm probably butchering how it worked: ignoring the latest ploop developments, it did something with mount directories being used as prefixes and then passed the module ctl interface into the container so userland could work using the devnodes feature. It didn't pass a majority of regression tests due to its hacky nature, so we dropped it. It's also why we're very interested in upstream containers without a single company controlling direction.

Well, RH isn't really in the business of providing containers right now, AFAIK.

The announcement indicates to me that they're planning to in the near future. It's not a bad idea; they've done cool implementations with OpenStack.

That's probably overly conspiratorial.

Perhaps, though RH has certainly done this in the past and usually to the benefit of all.

I would be truly surprised if they were even able to get enough internal cohesion to force a particular ideology.

Aye, we all saw how Gnome 3.0 turned out :P (I use Gnome 3.14, please don't flog me)

I enjoy the benefits of a number of RH projects and feel they're at the forefront of pushing Linux along. But it's always good to keep a watchful eye; it's really fishy and out of character for RH to talk about developing a solution for the Linux ecosystem at large that seems to be RH-centric. With systemd, SUSE jumped in early and there was a lot of hand-holding with Debian, but systemd became really portable and easily deployable in the end. Same thing with PulseAudio, NetworkManager, etc.

It's literally just that SELinux mention in the isolation requirements for the standard that is questionable for me. Containers do need to stabilize and become distribution- and deployment-agnostic.

/r/linux Thread Parent Link - zdnet.com