John Johansen <john.johansen@xxxxxxxxxxxxx> writes: >> When a distro is run in a container it is desirable to be able to run >> the distro's security policy in that container. Ideally this will get >> addressed by being able to do some level of per user namespace stacking. >> Say selinux outside and apparmor inside a container. >> >> I think this would take a little more work than what Casey has currently >> devised but I am hopeful an additional layer of stacking can be added >> after Casey has merged the basic layer of stacking. >> > Right the general case will take more, but doing things like selinux on > the outside and apparmor inside are doable right now. And we are working > on supporting stacked apparmor policy right now so apparmor outside and > a different apparmor policy inside will be doable soon. Cool. For stacked apparmor how are you deciding which tasks get which policy? Is this based on user namespaces or something else? Eric -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
