On 2/23/2011 12:55 PM, Eric W. Biederman wrote:
> Casey Schaufler <casey@xxxxxxxxxxxxxxxx> writes:
>
>> I confess that I remain less well educated on namespaces than
>> I probably should be, but with what I do know it seems that the
>> relationships between user namespaces and LSMs are bound to be
>> strained from the beginning. Some LSMs (SELinux and Smack) are
>> providing similar sandbox capabilities to what you get from user
>> namespaces, but from different directions and with different
>> use cases.
>
> Casey I won't argue about the possibility of things being strained, but
> I think if we focus on the semantics and not on the end goal of exactly
> how the pieces are to be used there can be some reasonable dialog.

I'm sure that there will be cases where they will work together like horses in a troika. Making sensible semantics for the interactions is key, and it is entirely possible that in some cases a comparison of semantics and behaviors will lead an end user to choose either an LSM or namespaces over the combination. Just like I expect that even when we allow multiple LSMs the SELinux and Smack combination will be rare among the sane.

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers