Casey Schaufler <casey@xxxxxxxxxxxxxxxx> writes:

> On 2/23/2011 12:55 PM, Eric W. Biederman wrote:
>> Casey Schaufler <casey@xxxxxxxxxxxxxxxx> writes:
>>
>>> I confess that I remain less well educated on namespaces than
>>> I probably should be, but with what I do know it seems that the
>>> relationships between user namespaces and LSMs are bound to be
>>> strained from the beginning. Some LSMs (SELinux and Smack) are
>>> providing similar sandbox capabilities to what you get from user
>>> namespaces, but from different directions and with different
>>> use cases.
>> Casey, I won't argue about the possibility of things being strained, but
>> I think if we focus on the semantics and not on the end goal of exactly
>> how the pieces are to be used there can be some reasonable dialog.
>
> I'm sure that there will be cases where they will work together
> like horses in a troika. Making sensible semantics for the interactions
> is key, and it is entirely possible that in some cases a comparison
> of semantics and behaviors will lead an end user to choose either an
> LSM or namespaces over the combination. Just like I expect that even
> when we allow multiple LSMs the SELinux and Smack combination will be
> rare among the sane.

That sounds about right.

Eric
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers