Just a clarification, from my previous email:

> 3. (exception #2) About the: "Without the host admin doing anything.".
> With this namespace you delegate part of CAP_MAC_ADMIN privilege to an
> unprivileged user (as with any other namespace). There is now way that
> this will not involve host admin.

What I meant is: "There is NO way that this will not involve host admin." Typo, sorry.

On Wed, Jul 29, 2015 at 6:37 PM, Serge E. Hallyn <serge@xxxxxxxxxx> wrote:
> Ok, I'm hoping to discuss this with Casey at LSS. I assume there will
> be reasons why what I want is simply not possible, but I'd like to give
> it a shot :)
>
> One way around this might be to let the host admin say:
>
> create smack labels c1_a1..c1_aN. Map them into the container in a
> way such that they have no name in the container yet.
>
> Now when container admin says "create mysql_t", so long as there is
> a not-yet-named mapped label, c1-aM, it gets mapped to the new name.

This by itself, like I said, would theoretically be possible (without the "no admin intervention" and "modifying rules" parts). You mark the container prefixed with something, let's say with "C1". Now any new label you create inside a namespace will get automatic (implicit) mapping:

C1-label -> label

Casey disliked the idea for these reasons (there was actually more than one, as I remember now):

1. What I said previously about special meaning for labels. The real host label C1-label has a meaning now.
2. Labels have a specific max length. By prefixing them we reduce that length, and it is presumed to be true in several parts of the code.
3. This mechanic allows users to import labels, and as Smack doesn't free or reuse them this is potentially DOS surface. Granted, this is a technical limitation only that could be remedied at some point, but for now the assumption that labels are not destroyed is taken advantage of in several parts of the code to simplify the implementation of Smack itself.

(Mappings and mapped label structures are freed with the end of life of user namespace).

> One hurdle to overcome there, of course, is how to reproduce that
> mapping the next time we create this container.

The name of the real label would hold the info (C1-label).

> Anyway, if this patchset is simply about making smack work in user_ns
> at all, I'll reread with that in mind :)

Would appreciate.

Thanks,
Lukasz

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
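The prefix-mapping scheme sketched above, and the three objections to it, can be checked in a small model. This is an added example, not code from the thread or from the Smack patchset; it assumes a usable label length of 255 characters (a buffer of SMK_LONGLABEL = 256 minus the terminator), a single '-' between the container prefix and the container-visible name, and it models the host label list as a table that only ever grows, which is the behaviour point 3 relies on. The recovery function shows what "the name of the real label would hold the info" amounts to: the mapping for a container can be rebuilt from host label names alone.

```python
# Toy model of the "C1-label -> label" mapping discussed in the thread
# (added example; not the Smack patchset's code). Assumptions: labels are
# interned in a global table and never freed, usable label length is
# SMK_LONGLABEL - 1 = 255, prefix and name are joined with a single '-'.

SMK_LONGLABEL = 256          # assumed buffer size; 255 usable characters


class HostLabelTable:
    """Global label list as the host kernel sees it (grows, never shrinks)."""

    def __init__(self, max_len=SMK_LONGLABEL - 1):
        self.max_len = max_len
        self.labels = set()

    def import_label(self, name):
        """Validate the length and intern the label for the life of the host."""
        if not name or len(name) > self.max_len:
            raise ValueError(f"label too long: {len(name)} > {self.max_len}")
        self.labels.add(name)
        return name


class SmackNamespace:
    """Per-user-namespace view: container names mapped onto prefixed host labels."""

    def __init__(self, host, prefix):
        self.host = host
        self.prefix = prefix
        self.mapping = {}  # container-visible name -> real host label

    def effective_max_len(self):
        # Point 2: the prefix and the separator eat into the length budget
        # that every container label must still fit in.
        return self.host.max_len - len(self.prefix) - 1

    def create_label(self, name):
        """Implicit mapping performed when the container admin creates a label."""
        if len(name) > self.effective_max_len():
            raise ValueError(
                f"'{name}' exceeds {self.effective_max_len()} chars in this namespace")
        host_name = f"{self.prefix}-{name}"
        self.host.import_label(host_name)
        self.mapping[name] = host_name
        return host_name

    def destroy(self):
        # Point 3: only the mapping structures die with the namespace;
        # the host labels remain in the global table.
        self.mapping.clear()


def recover_mapping(host, prefix):
    """Rebuild a container's mapping from host label names alone."""
    marker = prefix + "-"
    return {lbl[len(marker):]: lbl for lbl in host.labels if lbl.startswith(marker)}


def simulate(prefix="C1", n_labels=1000):
    """Create labels in a namespace, tear it down, report what the host keeps."""
    host = HostLabelTable()
    ns = SmackNamespace(host, prefix)
    ns.create_label("mysql_t")
    for i in range(n_labels):
        ns.create_label(f"svc{i}")          # constructed sample label names
    created = len(host.labels)
    recovered = recover_mapping(host, prefix)
    ns.destroy()
    return {
        "effective_max_len": ns.effective_max_len(),
        "host_labels_after_create": created,
        "host_labels_after_destroy": len(host.labels),
        "mapping_after_destroy": len(ns.mapping),
        "mysql_host_label": recovered["mysql_t"],
    }


if __name__ == "__main__":
    print(simulate())
```

Running it shows the host table at 1001 entries before and after the namespace is destroyed while the namespace's own mapping drops to zero, and that a "C1" prefix leaves 252 characters for container labels instead of 255.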