[RFC PATCH 0/1] SELinux-namespaces

Paul Moore paul at paul-moore.com
Wed Feb 16 20:47:27 UTC 2022


On Wed, Feb 16, 2022 at 7:52 AM Igor Baranov <igor.baranov at huawei.com> wrote:
>
> Hi all!
> Our team at Huawei decided to revive the work on SELinux namespaces.
> We took https://github.com/stephensmalley/selinux-kernel/tree/working-selinuxns
> as a basis with some patches from selinuxns-xattr.

Hello!

For reference there is a *slightly* more recent forward port of those
patches in the main SELinux repo under the working-selinuxns branch.
I haven't forward ported those patches since v5.10-rc1 as there are
some rather significant technical hurdles around persistent object
labeling which I don't believe have been adequately resolved yet.  The
prefixed/namespaces xattr approach that you mention above may work for
a limited number of namespaces, but I worry there is a scalability
issue that needs to be resolved; we can't simply keep adding xattrs to
inodes.

 * https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git

Also, are the rest of your patches online anywhere?  Patch 1/1 isn't
very interesting on its own.

-- 
paul-moore.com
