Eric W. Biederman wrote:

In AppArmor, we plan to 'containerize' (not sure what to call it) policy so that you can have an AppArmor policy per container. This is not currently the case, it is just the direction we want to go. We think it would be very useful for virtual hosts to be able to have their own AppArmor policy, independent of what other hosts are doing. The major step towards this goal so far is that AppArmor rules are now canonicalized to the name space.

However, I have never considered the idea of separate LSM modules per container. The idea doesn't really make sense to me. It is kind of like asking for private device drivers, or even a private kernel, per name space. If that's what you want, use virtualization like KVM, Xen, or VMware.

Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Itanium. Vista. GPLv3. Complexity at work -
