On Wed, Jul 29, 2015 at 6:13 PM, Lukasz Pawelczyk <havner@xxxxxxxxx> wrote:

> With this namespace you delegate part of CAP_MAC_ADMIN privilege to an
> unprivileged user (as with any other namespace).

Ok, maybe the part in the brackets is an overstatement. Mostly with namespaces you create a full abstraction of some object and give the user privileges to that object (e.g. the uts structure, network interfaces, with the UTS and NET namespaces, etc.). This is not really possible with Smack, as being a security module it has to retain its core security paradigm. It cannot be a separate LSM within a host LSM (remember the part about changing a process's own label and changing any other object's label, mostly a file).

So the Smack namespace, as I see it, really has a strong analogy to the user namespace. You cannot abstract UIDs completely in a namespace, as those UIDs do live in the host as well. If you want to have some capabilities over them, the admin has to agree to that explicitly.

Thanks,
Lukasz

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
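The user-namespace analogy above, written out as an added example that is not part of the thread or of the Smack patches: a userspace model of the uid_map semantics the kernel applies. It shows the two points the mail relies on, that a uid inside the namespace is only a view onto a host uid (anything outside the map is refused, or shown as overflowuid), and that without CAP_SETUID in the parent namespace the only uid_map an unprivileged user may write is a single entry mapping their own host uid, so any wider delegation needs the admin to set it up. The map text, uids and the "has CAP_SETUID" flag are constructed for the example; the permission check is a simplified form of the kernel rule, not the kernel code.

```c
/* Added example (not from the thread): userspace model of /proc/<pid>/uid_map
 * semantics. Constructed inputs; simplified version of the kernel's rules. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OVERFLOW_UID 65534u   /* /proc/sys/kernel/overflowuid default ("nobody") */
#define MAX_EXTENTS 5         /* extent limit in kernels of that era */
#define UNMAPPED (-1)
#define BAD_MAP  (-2)

struct extent { uint32_t first; uint32_t lower_first; uint32_t count; };
struct uid_map { struct extent e[MAX_EXTENTS]; int n; };

static int ranges_overlap(uint64_t a, uint64_t alen, uint64_t b, uint64_t blen) {
    return a < b + blen && b < a + alen;
}

/* Parse "inner outer count" lines as written to uid_map. Rejects empty maps,
 * zero counts, ids that do not fit in 32 bits (all-ones is the invalid id)
 * and extents that overlap on either the inner or the outer side. */
int parse_uid_map(const char *text, struct uid_map *m) {
    const char *p = text;
    m->n = 0;
    while (*p) {
        unsigned long long first, lower, count;
        int used = 0;
        if (m->n >= MAX_EXTENTS) return -1;
        if (sscanf(p, "%llu %llu %llu%n", &first, &lower, &count, &used) != 3) return -1;
        if (count == 0 || first + count > 0xFFFFFFFFULL || lower + count > 0xFFFFFFFFULL) return -1;
        for (int i = 0; i < m->n; i++)
            if (ranges_overlap(m->e[i].first, m->e[i].count, first, count) ||
                ranges_overlap(m->e[i].lower_first, m->e[i].count, lower, count))
                return -1;
        m->e[m->n].first = (uint32_t)first;
        m->e[m->n].lower_first = (uint32_t)lower;
        m->e[m->n].count = (uint32_t)count;
        m->n++;
        p += used;
        while (*p == ' ' || *p == '\t' || *p == '\n') p++;
    }
    return m->n > 0 ? 0 : -1;
}

/* Namespace uid -> host uid (what make_kuid does). UNMAPPED means the kernel
 * would refuse the operation: the id has no host identity behind it. */
int64_t ns_to_host(const struct uid_map *m, uint32_t uid) {
    for (int i = 0; i < m->n; i++)
        if (uid >= m->e[i].first && uid - m->e[i].first < m->e[i].count)
            return (int64_t)m->e[i].lower_first + (uid - m->e[i].first);
    return UNMAPPED;
}

/* Host uid -> namespace uid (from_kuid). Host ids outside the map are not
 * visible; from_kuid_munged shows them as overflowuid instead. */
int64_t host_to_ns(const struct uid_map *m, uint32_t host_uid) {
    for (int i = 0; i < m->n; i++)
        if (host_uid >= m->e[i].lower_first && host_uid - m->e[i].lower_first < m->e[i].count)
            return (int64_t)m->e[i].first + (host_uid - m->e[i].lower_first);
    return UNMAPPED;
}

uint32_t host_to_ns_munged(const struct uid_map *m, uint32_t host_uid) {
    int64_t r = host_to_ns(m, host_uid);
    return r == UNMAPPED ? OVERFLOW_UID : (uint32_t)r;
}

/* Simplified new_idmap_permitted(): with CAP_SETUID in the parent namespace any
 * valid map may be written; without it only a single count-1 extent mapping
 * the writer's own host uid is accepted. (The kernel also requires the writer
 * to be in the parent namespace and allows the file to be written once.) */
int uid_map_write_permitted(const struct uid_map *m, uint32_t writer_host_uid, int cap_setuid_in_parent) {
    if (cap_setuid_in_parent) return 1;
    return m->n == 1 && m->e[0].count == 1 && m->e[0].lower_first == writer_host_uid;
}

/* Parse-and-query wrappers; BAD_MAP (or 0 for the permission check) on a map
 * the kernel would reject outright. */
int64_t translate_ns_to_host(const char *map_text, uint32_t uid) {
    struct uid_map m;
    return parse_uid_map(map_text, &m) ? BAD_MAP : ns_to_host(&m, uid);
}
int64_t translate_host_to_ns(const char *map_text, uint32_t host_uid) {
    struct uid_map m;
    return parse_uid_map(map_text, &m) ? BAD_MAP : host_to_ns(&m, host_uid);
}
int map_write_permitted(const char *map_text, uint32_t writer_host_uid, int cap_setuid_in_parent) {
    struct uid_map m;
    return parse_uid_map(map_text, &m) ? 0 : uid_map_write_permitted(&m, writer_host_uid, cap_setuid_in_parent);
}

/* Constructed map of the kind a rootless container for host uid 1000 gets
 * once the admin has allotted a subordinate uid range to that user. */
static const char *ROOTLESS_MAP = "0 1000 1\n1 100000 65536\n";

int main(void) {
    struct uid_map m;
    if (parse_uid_map(ROOTLESS_MAP, &m) != 0) { fputs("bad map\n", stderr); return 1; }
    printf("ns uid 0     -> host %" PRId64 "\n", ns_to_host(&m, 0));
    printf("ns uid 65536 -> host %" PRId64 "\n", ns_to_host(&m, 65536));
    printf("ns uid 65537 -> host %" PRId64 " (unmapped, refused)\n", ns_to_host(&m, 65537));
    printf("host uid 0   -> ns %u (overflowuid)\n", host_to_ns_munged(&m, 0));
    printf("uid 1000 without CAP_SETUID may write \"0 1000 1\": %d\n", map_write_permitted("0 1000 1\n", 1000, 0));
    printf("uid 1000 without CAP_SETUID may write the full map: %d\n", map_write_permitted(ROOTLESS_MAP, 1000, 0));
    return 0;
}
```

The second extent of ROOTLESS_MAP is exactly the part the mail calls explicit admin agreement: an unprivileged user can only ever map their own uid, so a range of namespace uids backed by distinct host uids has to be granted from outside the namespace, and every one of those host uids continues to exist, and be accountable, in the host.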