Quoting James Morris (jmorris@xxxxxxxxx):

> On Mon, 2 Oct 2017, Stephen Smalley wrote:
>
> > An alternative would be to hang the selinux namespace off of the
> > user namespace, which itself is associated with the cred. This
> > seems undesirable however since DAC and MAC are orthogonal, and
> > there appear to be real use cases where one will want to use selinux
> > namespaces without user namespaces and vice versa.
>
> Indeed, an Oracle use-case is for privileged containers and for this MAC
> must remain separate.

Will that always be the case? Is that to allow (selinux-confined) device
administration from containers?