On Tue, 2017-10-17 at 13:15 -0400, Steve Grubb wrote: > On Tuesday, October 17, 2017 12:43:18 PM EDT Casey Schaufler wrote: > > > > > > > > The idea is that processes spawned into a container would be > > > labelled by the container orchestration system. It's unclear > > > what should happen to processes using nsenter after the fact, but > > > policy for that should be up to the orchestration system. > > > > I'm fine with that. The user space policy can be anything y'all > > like. > > I think there should be a login event. I thought you wanted this for containers? Container creation doesn't have login events. In an unprivileged orchestration system it may be hard to synthetically manufacture them. James
