On Mon, 2 Oct 2017, Stephen Smalley wrote:

> An alternative would be to hang the selinux namespace off of the
> user namespace, which itself is associated with the cred. This
> seems undesirable however since DAC and MAC are orthogonal, and
> there appear to be real use cases where one will want to use selinux
> namespaces without user namespaces and vice versa.

Indeed, an Oracle use-case is for privileged containers and for this MAC
must remain separate.

--
James Morris
<jmorris@xxxxxxxxx>