On Fri, 6 Oct 2017, Serge E. Hallyn wrote:

> Quoting James Morris (jmorris@xxxxxxxxx):
> > On Mon, 2 Oct 2017, Stephen Smalley wrote:
> >
> > > An alternative would be to hang the selinux namespace off of the
> > > user namespace, which itself is associated with the cred. This
> > > seems undesirable however since DAC and MAC are orthogonal, and
> > > there appear to be real use cases where one will want to use selinux
> > > namespaces without user namespaces and vice versa.
> >
> > Indeed, an Oracle use-case is for privileged containers and for this MAC
> > must remain separate.
>
> Will that always be the case? Is that to allow (selinux-confined) device
> administration from containers?

It's to provide the user with a full OS experience generally.

It's not necessarily the only use-case, though.

-- 
James Morris
<jmorris@xxxxxxxxx>