Re: [PATCH 1/1] cr: lsm: restore LSM contexts for ipc objects

Stephen Smalley wrote:
> On Mon, 2009-06-22 at 12:50 -0500, Serge E. Hallyn wrote:
>   
>> Quoting Stephen Smalley (sds@xxxxxxxxxxxxxx):
>>     
>>> Not sure you need to cache them in the cr layer (vs. just using the
>>> mapping functions provided by the LSM hook interface, and letting the
>>> security module handle caching internally).
>>>       
>> Do I understand correctly that secids are supposed to be consistent
>> across machines and reboots, but not across policy versions?
>>     
>
> No, secids are temporal - they are dynamically allocated at runtime like
> file descriptors.  You should only store security contexts in the
> images.
>   

Like he said. Smack would be happier if secids went away, but
there's too much left over from the era when SELinux was the only
LSM for that to happen without crying and gnashing of teeth. A
secid is good only for the current invocation of the current
instance of the kernel.
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
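To make the point of the thread concrete (a secid is a per-boot allocation, so a checkpoint image must carry the context string and map it back through the LSM's secctx-to-secid hook on restore), here is an added C example that is not part of the patch or of the list discussion. It uses a tiny mock secid table in place of the real security_secctx_to_secid()/security_secid_to_secctx() hooks, and the SELinux-style labels in it are constructed samples.

```c
#include <stdio.h>
#include <string.h>
/* Mock LSM (stand-in for the real hooks): a secid is the 1-based slot of a
 * context string in a per-boot table, so it depends on first-seen order. */
#define MAX_CTX 8
struct lsm_boot { const char *ctx[MAX_CTX]; unsigned int n; };

/* Like security_secctx_to_secid(): map a context to a secid, allocating a
 * new one on first use. 0 means "unlabeled/invalid". */
static unsigned int secctx_to_secid(struct lsm_boot *lsm, const char *ctx)
{
    for (unsigned int i = 0; i < lsm->n; i++)
        if (strcmp(lsm->ctx[i], ctx) == 0)
            return i + 1;
    if (lsm->n == MAX_CTX)
        return 0;
    lsm->ctx[lsm->n++] = ctx;
    return lsm->n;
}

/* Like security_secid_to_secctx(): meaningful only within this boot. */
static const char *secid_to_secctx(const struct lsm_boot *lsm, unsigned int secid)
{
    return (secid == 0 || secid > lsm->n) ? NULL : lsm->ctx[secid - 1];
}

/* Checkpoint record for one IPC object; keeps both forms only to compare them. */
struct ipc_image { char secctx[64]; unsigned int secid; };
static void checkpoint_ipc(const struct lsm_boot *lsm, unsigned int secid, struct ipc_image *img)
{
    const char *ctx = secid_to_secctx(lsm, secid);
    snprintf(img->secctx, sizeof img->secctx, "%s", ctx ? ctx : "");
    img->secid = secid;
}

/* Returns 1 when, after a second boot, restoring by context string yields the
 * original label but the raw secid points at a different one. */
static int secid_is_not_portable(void)
{
    struct lsm_boot boot1 = {0}, boot2 = {0};
    struct ipc_image img;
    const char *label = "system_u:object_r:shm_t:s0";       /* constructed sample */
    secctx_to_secid(&boot1, "system_u:object_r:msgq_t:s0");  /* seen first: secid 1 */
    checkpoint_ipc(&boot1, secctx_to_secid(&boot1, label), &img); /* label gets secid 2 */
    /* Second boot sees contexts in another order, so secid 2 now names msgq_t. */
    secctx_to_secid(&boot2, "system_u:object_r:sem_t:s0");
    secctx_to_secid(&boot2, "system_u:object_r:msgq_t:s0");
    const char *via_secid = secid_to_secctx(&boot2, img.secid);
    const char *via_ctx = secid_to_secctx(&boot2, secctx_to_secid(&boot2, img.secctx));
    return via_ctx && strcmp(via_ctx, label) == 0 && via_secid && strcmp(via_secid, label) != 0;
}
```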
