On Tue, 31 Oct 2017, Stephen Smalley wrote:

> This btw would be a bit cleaner if we dropped the .ns. portion of the
> name, such that we would have:
> security.selinux # xattr name in the init namespace
> security.selinux.vmN # xattr name in the vmN namespace
> security.selinux.vmN.vmM # xattr name in the vmN.vmM namespace

Ok, just to clarify, the namespace name in the last example is "vmN.vmM", not "vmM"? I.e. the namespaces are always hierarchical, and the security labels are identified by that hierarchy.

If you enter vmM from the init namespace, for example, the security labels for it are distinct from the labels under vmN. On disk, you would have both:

security.selinux.vmM
security.selinux.vmN.vmM

which are independent.

Each of these instances would potentially inherit different labels, and have different provenance characteristics, so this seems necessary in any case.

--
James Morris
<james.l.morris@xxxxxxxxxx>