Quoting Dwight Engen (dwight.en...@oracle.com):
> On Wed, 25 Sep 2013 17:25:13 -0500
> Serge Hallyn <serge.hal...@ubuntu.com> wrote:
> 
> > Quoting Dwight Engen (dwight.en...@oracle.com):
> > > Currently, a maximum of one LSM within LXC will be initialized and
> > > used. If in the future stacked LSMs become a reality, we can
> > > support it without changing the configuration syntax and add
> > > support for more than a single LSM at a time to the lsm code.
> > > 
> > > Generic LXC code should note that lsm_process_label_set() will take
> > > effect "now" for AppArmor, and upon exec() for SELinux.
> > 
> > Ah, that's right, lxc-attach doesn't always exec a new task, right?
> > So that's where the selinux behavior may be a problem.
> 
> Right, that's what I was trying to get at with the whole "different
> semantics" thing. Sorry I couldn't clearly explain that before.
> lxc-attach works fine on selinux as long as you run a program, but just
> doing a function will not be in the new context. I don't think there is
> a way to support that in selinux.

Ok, now I remember (after looking through selinux/hooks.c) - you can
use /proc/pid/attr/current to effect an immediate context switch if
you have the setcurrent permission to the new domain.

I think the sanest thing to do would be to use the normal behavior when
possible, then use setcurrent only when doing an attach of a function.

-serge
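To make the two label-change points in this exchange concrete, here is an added C example (not LXC's lsm code, and not what either poster wrote): the label written to /proc/self/attr/exec only takes effect at the next execve(), which is fine when lxc-attach runs a program, while /proc/self/attr/current asks the kernel for an immediate context switch, which is what an attach of a function needs and which SELinux policy must permit (setcurrent to the new domain). The function names `attr_path_for`, `label_is_plausible` and `lsm_set_label` and the "will_exec" flag are this example's own assumptions; the kernel paths are the real procfs interface discussed in the thread.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Pick the procfs attribute file for the attach mode (assumed helper).
 * "exec":    the kernel applies the label on the next execve(); nothing
 *            changes for a caller that never execs (the "function" case).
 * "current": immediate domain change for the calling task; under SELinux
 *            policy must grant setcurrent (and the transition) to the new
 *            domain, otherwise the write fails. */
const char *attr_path_for(int will_exec)
{
    return will_exec ? "/proc/self/attr/exec" : "/proc/self/attr/current";
}

/* Cheap local sanity check before handing a label to the kernel: non-empty,
 * no embedded newline, bounded length. The kernel still validates the
 * label against the loaded policy; this only rejects obvious garbage. */
int label_is_plausible(const char *label)
{
    size_t n;

    if (!label)
        return 0;
    n = strlen(label);
    if (n == 0 || n > 4095)
        return 0;
    if (strchr(label, '\n'))
        return 0;
    return 1;
}

/* Write the label to the chosen attribute file. Returns 0 on success, -1
 * with errno set: EINVAL when no LSM accepts the string (or no LSM handles
 * the file at all), EACCES when policy denies the transition, ENOENT when
 * procfs lacks the attribute file (e.g. some sandboxes). */
int lsm_set_label(const char *label, int will_exec)
{
    int fd, saved, rc = -1;
    ssize_t w;

    if (!label_is_plausible(label)) {
        errno = EINVAL;
        return -1;
    }
    fd = open(attr_path_for(will_exec), O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    w = write(fd, label, strlen(label));
    if (w == (ssize_t)strlen(label))
        rc = 0;
    saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Stand-alone run: show the caller's current label (if any LSM reports one)
 * and demonstrate that an immediate change to a made-up label is refused. */
int main(void)
{
    char buf[256];
    int fd = open("/proc/self/attr/current", O_RDONLY | O_CLOEXEC);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof(buf) - 1);

    if (n > 0) {
        buf[n] = '\0';
        printf("current label: %s\n", buf);
    } else {
        printf("current label: (unavailable: %s)\n", strerror(errno));
    }
    if (fd >= 0)
        close(fd);

    /* "example_t" is a constructed label, not from any real policy. */
    if (lsm_set_label("example_t", 0) < 0)
        printf("immediate switch refused: %s\n", strerror(errno));
    return 0;
}
```

Mapping this onto the thread: the "normal behavior" Serge refers to is `will_exec = 1`, where the label is staged in attr/exec and applied by the kernel at execve(); the function-attach case is `will_exec = 0`, and its write to attr/current only succeeds when the policy allows setcurrent to the target domain, so a caller must check the return value rather than assume the context changed.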

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel