On Wed, 25 Sep 2013 17:25:13 -0500 Serge Hallyn <serge.hal...@ubuntu.com> wrote:
> Quoting Dwight Engen (dwight.en...@oracle.com):
> > Currently, a maximum of one LSM within LXC will be initialized and
> > used. If in the future stacked LSMs become a reality, we can
> > support it without changing the configuration syntax and add
> > support for more than a single LSM at a time to the lsm code.
> >
> > Generic LXC code should note that lsm_process_label_set() will take
> > effect "now" for AppArmor, and upon exec() for SELinux.
>
> Ah, that's right, lxc-attach doesn't always exec a new task, right?
> So that's where the selinux behavior may be a problem.

Right, that's what I was trying to get at with the whole "different semantics" thing. Sorry I couldn't clearly explain that before. lxc-attach works fine on selinux as long as you run a program, but just doing a function will not be in the new context. I don't think there is a way to support that in selinux.

> -serge

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
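The practical consequence of the semantics discussed above is that code which attaches to a container cannot assume the label change has happened: under AppArmor the task is already confined, under SELinux only the next exec() will be. The helper below is an added example written for this thread, not LXC's own code and not part of the discussion; it reads the task's label straight from the kernel's `/proc/self/attr/current` (and the pending `/proc/self/attr/exec`) so a caller can verify after the fact whether it really runs under the expected label. The function names, the 256-byte buffer size and the assumption that the attribute files exist only when an LSM exposes them are mine; AppArmor's "profile (mode)" output format and SELinux's NUL-terminated context are how those LSMs format the attribute.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Read /proc/self/attr/<name> into buf. Returns the label length with the
 * kernel's trailing NUL (SELinux) or newline (AppArmor) stripped, or -1 if
 * the attribute cannot be read (typically ENOENT/EINVAL: no LSM exposes it). */
static ssize_t read_task_attr(const char *name, char *buf, size_t bufsz)
{
    char path[64];
    int fd;
    ssize_t n;

    if (snprintf(path, sizeof path, "/proc/self/attr/%s", name) >= (int)sizeof path)
        return -1;
    fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    n = read(fd, buf, bufsz - 1);
    close(fd);
    if (n < 0)
        return -1;
    while (n > 0 && (buf[n - 1] == '\0' || buf[n - 1] == '\n'))
        n--;
    buf[n] = '\0';
    return n;
}

/* Convenience predicate used by the test harness: 1 if the attribute exists
 * and is readable on this kernel, 0 otherwise. */
static int task_attr_readable(const char *name)
{
    char buf[256];
    return read_task_attr(name, buf, sizeof buf) >= 0;
}

/* Compare the label the caller expected with the one the kernel reports.
 * AppArmor appends the mode, e.g. "lxc-container-default (enforce)", so only
 * the part before the first space is compared; SELinux contexts have no space. */
static int label_matches(const char *expected, const char *actual)
{
    size_t len = strcspn(actual, " ");
    return strlen(expected) == len && strncmp(expected, actual, len) == 0;
}

/* After an attach (or any lsm_process_label_set()-style call), report whether
 * the calling task is already confined by the expected label.
 * Returns 1 (yes), 0 (no: e.g. SELinux label set for exec() but no exec yet),
 * or -1 when no LSM attribute could be read at all. */
static int verify_attached_label(const char *expected)
{
    char cur[256];

    if (read_task_attr("current", cur, sizeof cur) < 0)
        return -1;
    return label_matches(expected, cur);
}

int main(int argc, char **argv)
{
    char cur[256], ex[256];
    const char *expected = argc > 1 ? argv[1] : "unconfined";

    if (read_task_attr("current", cur, sizeof cur) >= 0)
        printf("current label: %s\n", cur);
    else
        printf("current label: unavailable (%s)\n", strerror(errno));

    /* Non-empty "exec" under SELinux means a label is pending for the next
     * exec(); running a plain function now would still use "current". */
    if (read_task_attr("exec", ex, sizeof ex) >= 0)
        printf("label pending for exec(): %s\n", ex[0] ? ex : "(none)");

    printf("task confined by \"%s\" now: %d\n", expected,
           verify_attached_label(expected));
    return 0;
}
```

Run it as `./check lxc-container-default` inside an attached task: a result of 1 means the label is already in effect (the AppArmor case), 0 means the task still carries its old label even though a change may be pending for exec() (the SELinux case when no program is run), and -1 means the kernel exposes no LSM attribute so no conclusion can be drawn.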