The secmark "one user" policy

James Morris jmorris at
Wed Jun 21 07:13:47 UTC 2017

On Tue, 20 Jun 2017, Casey Schaufler wrote:

> I'm looking at the secmark code and am looking in
> particular at the places where it explicitly says
> that it is intended for one security module at a
> time. For extreme stacking I can either enforce this
> restriction by configuration or remove it by clever
> uses of secid mappings. Either can be made "transparent"
> to existing user-space. Paul has expressed distaste for
> using configuration as a shortcut for dealing with this
> kind of problem, and I generally agree with him. On the
> other hand, the code is quite clear that it is designed
> for one and only one kind of secid at a time. I don't
> want to put a lot of effort into patches that are
> unacceptable to the author.

How would you see this working, ideally?

James Morris
<jmorris at>

To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at
More majordomo info at

More information about the Linux-security-module-archive mailing list