On Tue, Dec 15, 2015 at 2:09 PM, Joe Nall <joe@xxxxxxxx> wrote:
>> On Dec 15, 2015, at 12:03 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> Are you patching the kernel to support > 4K contexts?
>> Otherwise, I'd expect you run up against the proc and selinuxfs API limitations (page size) and/or the filesystem xattr storage limitations (block size).
>
> No. The example was a contrived example of what is possible within the format. We use a couple of 2500 byte labels in formal test these days to make sure that we don't have an OS regression. I just get tired of code like this in openswan:
>
> #ifdef HAVE_LABELED_IPSEC
> /* security label length should not exceed 256 in most cases,
>  * (discussed with kernel and selinux people).
>  */
> #define MAX_SECCTX_LEN 257 /* including '\0'*/

So let's just get rid of labeled IPsec ... show of hands? ;)

--
paul moore
www.paul-moore.com
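
The fixed 257-byte limit quoted above, set beside a length-driven copy and run against a 2500-byte label like the ones mentioned in the thread. This is an added example, not code from openswan or from anyone in the thread; the function names are hypothetical and the 4096-byte bound assumes a 4K page size.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SECCTX_LEN 257    /* fixed limit quoted in the thread, incl. '\0' */
#define SECCTX_PAGE_MAX 4096  /* assumption: a 4K page bounds the kernel APIs */

/* Fixed-buffer style: any label of 257 bytes or more is refused. */
int store_label_fixed(char dst[MAX_SECCTX_LEN], const char *label, size_t len)
{
    if (len >= MAX_SECCTX_LEN)
        return -E2BIG;
    memcpy(dst, label, len);
    dst[len] = '\0';
    return 0;
}

/* Length-driven style (hypothetical helper): size the buffer from the label,
 * refuse only what cannot fit in a page, and never truncate silently. */
int store_label_dynamic(char **out, const char *label, size_t len)
{
    *out = NULL;
    if (len >= SECCTX_PAGE_MAX)
        return -E2BIG;
    if (len == 0 || memchr(label, '\0', len) != NULL)
        return -EINVAL;             /* empty, or NUL inside the stated length */
    if ((*out = malloc(len + 1)) == NULL)
        return -ENOMEM;
    memcpy(*out, label, len);
    (*out)[len] = '\0';
    return 0;
}

int main(void)
{
    char label[2500], fixed[MAX_SECCTX_LEN], *dyn = NULL;
    memset(label, 'c', sizeof(label));   /* constructed 2500-byte label */
    printf("fixed=%d ", store_label_fixed(fixed, label, sizeof(label)));
    printf("dynamic=%d\n", store_label_dynamic(&dyn, label, sizeof(label)));
    free(dyn);
    return 0;
}
```

Both functions return an error instead of truncating, since a shortened label is a different security context.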