An implementation of this disclosure provides a system comprising memory to store a plurality of layers and a processing device coupled to that memory to set up the layers and to mount them into an overlay. The layers comprise an upper and one or more lower layers. The overlay provides access to a plurality files stored in the overlay filesystem. A request from an application to access a file in the mounted overlay is received. An access policy for the mounter that mounted the layers is identified in view of the mounter's credentials. The processing device checks, in view of the access policy, whether a security context label for the file provides access to the application and to the mounter of the overlay in at least one lower layer comprising the file. An instruction to provide the application with access to the file is issued in view of the check.