[RFC PATCH 0/1] SELinux-namespaces
Paul Moore
paul at paul-moore.com
Wed Feb 16 20:47:27 UTC 2022
On Wed, Feb 16, 2022 at 7:52 AM Igor Baranov <igor.baranov at huawei.com> wrote:
>
> Hi all!
> Our team at Huawei decided to revive the work on SELinux namespaces.
> We took https://github.com/stephensmalley/selinux-kernel/tree/working-selinuxns
> as a basis with some patches from selinuxns-xattr.
Hello!
For reference there is a *slightly* more recent forward port of those
patches in the main SELinux repo under the working-selinuxns branch.
I haven't forward ported those patches since v5.10-rc1 as there are
some rather significant technical hurdles around persistent object
labeling which I don't believe have been adequately resolved yet. The
prefixed/namespaces xattr approach that you mention above may work for
a limited number of namespaces, but I worry there is a scalability
issue that needs to be resolved; we can't simply keep adding xattrs to
inodes.
* https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
Also, are there rest of your patches online anywhere? Patch 1/1 isn't
very interesting on its own.
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list