On 1/10/2013 4:46 PM, Eric W. Biederman wrote: > John Johansen <john.johansen@xxxxxxxxxxxxx> writes: > >> On 01/09/2013 05:28 AM, James Morris wrote: >>> On Tue, 8 Jan 2013, John Johansen wrote: >>> >>>>> I'd say we need to see the actual use-case for Smack and Apparmor being >>>>> used together, along with at least one major distro committing to support >>>>> this. >>>>> >>>>> >>>> Ubuntu is very interested in stacking >>> Which modules? >>> >> Well Yama which has now been special cased, and in the past there has been >> discussion about other special case LSMs like case is proposing for module >> loading. There has been interest around both selinux + apparmor and >> smack + apparmor. I am not sure of all of the use cases that have lead to >> such question but some of them have been around containers, with say >> selinux on the host and apparmor in the container, or visa versa. > When a distro is run in a container it is desirable to be able to run > the distro's security policy in that container. Ideally this will get > addressed by being able to do some level of per user namespace stacking. > Say selinux outside and apparmor inside a container. > > I think this would take a little more work than what Casey has currently > devised but I am hopeful an additional layer of stacking can be added > after Casey has merged the basic layer of stacking. Would that be per-container LSM lists? I hadn't thought about doing that, and don't know how you might implement it, but I suppose it could work. > > Eric > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
