Eric W. Biederman wrote: > My very practical question: How do I run selinux in one container, > and SMACK in another? > In AppArmor, we plan to 'containerize' (not sure what to call it) policy so that you can have an AppArmor policy per container. This is not currently the case, it is just the direction we want to go. We think it would be very useful for virtual hosts to be able to have their own AppArmor policy, independent of what other hosts are doing.
The major step towards this goal so far is that AppArmor rules are now canonicalized to the name space. However, I have never considered the idea of separate LSM modules per container. The idea doesn't really make sense to me. It is kind of like asking for private device drivers, or even a private kernel, per name space. If that's what you want, use virtualization like KVM, Xen, or VMware. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Itanium. Vista. GPLv3. Complexity at work - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
