[RFC v0.1][PATCH] selinuxns: extend namespace support to security.selinux xattrs
James Morris
james.l.morris at oracle.com
Mon Nov 13 06:45:24 UTC 2017
On Tue, 31 Oct 2017, Stephen Smalley wrote:
> This btw would be a bit cleaner if we dropped the .ns. portion of the
> name, such that we would have:
> security.selinux # xattr name in the init namespace
> security.selinux.vmN # xattr name in the vmN namespace
> security.selinux.vmN.vmM # xattr name in the vmN.vmM namespace

Ok, just to clarify, the namespace name in the last example is "vmN.vmM",
not "vmM"?

i.e. the namespaces are always hierarchical, and the security labels are
identified by that hierarchy. If you enter vmM from the init namespace,
for example, the security labels for it are distinct from the labels under
vmN. On disk, you would have both:

  security.selinux.vmM
  security.selinux.vmN.vmM

which are independent.

Each of these instances would potentially inherit different labels, and
have different provenance characteristics, so this seems necessary in any
case.

--
James Morris
<james.l.morris at oracle.com>
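
The naming scheme discussed in this message, as an added user-space example that is not part of the original mail or of the patch: the xattr name is derived from the full namespace path, and lookup compares the whole name so that "vmM" and "vmN.vmM" stay independent. The helper names, the struct and the label values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define XATTR_SELINUX "security.selinux"

/* Hypothetical helper: build the xattr name for a full namespace path such
 * as "vmN.vmM"; "" means the init namespace. Returns -1 if it does not fit. */
int selinuxns_xattr_name(const char *ns_path, char *out, size_t len)
{
    int n = (ns_path == NULL || ns_path[0] == '\0')
        ? snprintf(out, len, "%s", XATTR_SELINUX)
        : snprintf(out, len, "%s.%s", XATTR_SELINUX, ns_path);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

struct xattr { const char *name; const char *value; };

/* Hypothetical lookup: return the label stored for exactly ns_path, or NULL.
 * The whole name is compared, so "vmM" never resolves to the "vmN.vmM"
 * entry, and a path with no xattr of its own gets no label here. */
const char *selinuxns_lookup(const struct xattr *xs, size_t count,
                             const char *ns_path)
{
    char want[256];
    if (selinuxns_xattr_name(ns_path, want, sizeof(want)) != 0)
        return NULL;
    for (size_t i = 0; i < count; i++)
        if (strcmp(xs[i].name, want) == 0)
            return xs[i].value;
    return NULL;
}

/* Constructed sample: xattrs on one file; label values are made up. */
static const struct xattr sample_xattrs[] = {
    { "security.selinux",         "system_u:object_r:etc_t:s0" },
    { "security.selinux.vmM",     "system_u:object_r:vmM_file_t:s0" },
    { "security.selinux.vmN.vmM", "system_u:object_r:nested_file_t:s0" },
};
#define SAMPLE_COUNT (sizeof(sample_xattrs) / sizeof(sample_xattrs[0]))

int main(void)
{
    const char *paths[] = { "", "vmM", "vmN.vmM", "vmN" };
    for (size_t i = 0; i < 4; i++) {
        const char *v = selinuxns_lookup(sample_xattrs, SAMPLE_COUNT, paths[i]);
        printf("[%s] -> %s\n", paths[i], v ? v : "(no label)");
    }
    return 0;
}
```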