On Wed, Feb 16, 2022 at 7:52 AM Igor Baranov <igor.baranov@xxxxxxxxxx> wrote:
>
> Hi all!
> Our team at Huawei decided to revive the work on SELinux namespaces.
> We took https://github.com/stephensmalley/selinux-kernel/tree/working-selinuxns
> as a basis with some patches from selinuxns-xattr.

Hello!

For reference there is a *slightly* more recent forward port of those
patches in the main SELinux repo under the working-selinuxns branch. I
haven't forward ported those patches since v5.10-rc1 as there are some
rather significant technical hurdles around persistent object labeling
which I don't believe have been adequately resolved yet. The
prefixed/namespaces xattr approach that you mention above may work for
a limited number of namespaces, but I worry there is a scalability
issue that needs to be resolved; we can't simply keep adding xattrs to
inodes.

* https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git

Also, are the rest of your patches online anywhere? Patch 1/1 isn't
very interesting on its own.

--
paul-moore.com