Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

Eric W. Biederman wrote:

quoted text

> My very practical question: How do I run selinux in one container, > and SMACK in another? >

In AppArmor, we plan to 'containerize' (not sure what to call it) policy so that you can have an AppArmor policy per container. This is not currently the case, it is just the direction we want to go. We think it would be very useful for virtual hosts to be able to have their own AppArmor policy, independent of what other hosts are doing. The major step towards this goal so far is that AppArmor rules are now canonicalized to the name space. However, I have never considered the idea of separate LSM modules per container. The idea doesn't really make sense to me. It is kind of like asking for private device drivers, or even a private kernel, per name space. If that's what you want, use virtualization like KVM, Xen, or VMware. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Itanium. Vista. GPLv3. Complexity at work -

unsubscribe notice

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/


linux-kernel:
Maciej Rutecki	[2.6.26.*] boot problem (ahci/irq related?)
Chuck Ebbert	Why do so many machines need "noapic"?
Tony Lindgren	[PATCH 32/90] ARM: OMAP: Basic support for siemens sx1
Renato S. Yamane	Error -71 on device descriptor read/all
git:
Francis Moreau	What about git cp ?
Elijah Newren	Trying to use git-filter-branch to compress history by removing large, obsolete bi...
James B. Byrne	GiT and CentOS 5.2
Matthieu Moy	git push to a non-bare repository
openbsd-misc:
GVG GVG	ssh_exchange_identification: Connection closed by remote host
Jim Razmus	Re: Trouble ticket system suggestions
Calomel	Re: Light HTTP servers.
Brian Keefer	Re: Testing in a virtual environment
linux-netdev:
Matt Mackall	[PATCH] Stop scaring users with "treason uncloaked!"
Kunsheng Chen	Is there any function similar to inet_ntoa() in Kernel or NetFilter ?
Saverio Mascolo	TCP default congestion control in linux should be newreno
Johann Baudy	[PATCH] Packet socket: mmapped IO: PACKET_TX_RING


Calling functions from system call	7 hours ago	Linux kernel
drivers for motherboard d101ggc	14 hours ago	Linux general
Tune CFS for htpc usage to decoding HD 1080p x264 video streams	1 day ago	Linux kernel
How to write in kernel memory	1 day ago	Linux kernel
linux_wrappers.c:306: error: unknown field ‘nopage’ specified in initializer	1 day ago	Linux kernel
Packet Replay Check	1 day ago	FreeBSD
Cannot rdr from internal network to a squid proxy running on pf bridge firewall.	1 day ago	OpenBSD
Cannot compile kernel modules	1 day ago	Linux kernel
Intelligent enclosure (SES, SAF-TE) monitoring & configuration	3 days ago	Applications and Utilities
I/O operations	4 days ago	Linux kernel

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

Online users