[RFC v0.1][PATCH] selinuxns: extend namespace support to security.selinux xattrs

James Morris james.l.morris at oracle.com
Mon Nov 13 06:45:24 UTC 2017


On Tue, 31 Oct 2017, Stephen Smalley wrote:

> This btw would be a bit cleaner if we dropped the .ns. portion of the
> name, such that we would have:
> security.selinux # xattr name in the init namespace
> security.selinux.vmN # xattr name in the vmN namespace
> security.selinux.vmN.vmM # xattr name in the vmN.vmM namespace

Ok, just to clarify, the namespace name in the last example is "vmN.vmM",
not "vmM"?

i.e. the namespaces are always hierarchical, and the security labels are 
identified by that hierarchy.  If you enter vmM from the init namespace, 
for example, the security labels for it are distinct from the labels under 
vmN.  On disk, you would have both:

security.selinux.vmM
security.selinux.vmN.vmM

which are independent.

Each of these instances would potentially inherit different labels, and 
have different provenance characteristics, so this seems necessary in any 
case.


-- 
James Morris
<james.l.morris at oracle.com>
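The naming scheme discussed in this message, as an added example in userspace C; it is not code from the patch or from the kernel. The helper names are hypothetical, and the only things assumed are the `security.selinux[.<path>]` layout quoted above and the 255-byte Linux limit on xattr names.

```c
#include <stdio.h>
#include <string.h>

#define SELINUX_XATTR "security.selinux"  /* xattr name in the init namespace */
#define XATTR_NAME_LIMIT 255              /* same value as Linux XATTR_NAME_MAX */

/* Hypothetical helper: reject "", ".vmN", "vmN." and "vmN..vmM". */
static int ns_path_valid(const char *path)
{
    if (*path == '\0' || *path == '.')
        return 0;
    for (const char *p = path; *p; p++)
        if (*p == '.' && (p[1] == '.' || p[1] == '\0'))
            return 0;
    return 1;
}

/* Hypothetical helper: xattr name for a full namespace path; NULL or ""
 * selects the init namespace. Returns 0, or -1 if invalid or too long. */
int selinuxns_xattr_name(const char *ns_path, char *buf, size_t len)
{
    int n;

    if (ns_path == NULL || *ns_path == '\0')
        n = snprintf(buf, len, "%s", SELINUX_XATTR);
    else if (!ns_path_valid(ns_path))
        return -1;
    else
        n = snprintf(buf, len, "%s.%s", SELINUX_XATTR, ns_path);
    return (n < 0 || (size_t)n >= len || n > XATTR_NAME_LIMIT) ? -1 : 0;
}

/* Hypothetical helper: namespace path for an on-disk xattr name: "" for the
 * init namespace, NULL if the name only shares the prefix bytes
 * (e.g. "security.selinuxfoo") or has an empty path component. */
const char *selinuxns_xattr_to_ns(const char *xattr)
{
    size_t plen = strlen(SELINUX_XATTR);

    if (strncmp(xattr, SELINUX_XATTR, plen) != 0)
        return NULL;
    if (xattr[plen] == '\0')
        return "";
    if (xattr[plen] != '.' || !ns_path_valid(xattr + plen + 1))
        return NULL;
    return xattr + plen + 1;
}
```

Because the whole path is part of the name, "vmM" and "vmN.vmM" map to two different xattrs on the same inode, and every extra nesting level consumes part of the 255-byte name budget.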
