[lxc-devel] [PATCH v2 rebased against github master 9d0cda4f] refactor AppArmor into LSM backend, add SELinux support

Serge Hallyn serge.hallyn at ubuntu.com
Thu Sep 26 14:40:52 UTC 2013


Quoting Dwight Engen (dwight.engen at oracle.com):
> On Wed, 25 Sep 2013 17:25:13 -0500
> Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> 
> > Quoting Dwight Engen (dwight.engen at oracle.com):
> > > Currently, a maximum of one LSM within LXC will be initialized and
> > > used. If in the future stacked LSMs become a reality, we can
> > > support it without changing the configuration syntax and add
> > > support for more than a single LSM at a time to the lsm code.
> > > 
> > > Generic LXC code should note that lsm_process_label_set() will take
> > > effect "now" for AppArmor, and upon exec() for SELinux.
> > 
> > Ah, that's right, lxc-attach doesn't always exec a new task, right?
> > So that's where the selinux behavior may be a problem.
> 
> Right, that's what I was trying to get at with the whole "different
> semantics" thing. Sorry I couldn't clearly explain that before.
> lxc-attach works fine on selinux as long as you run a program, but just
> doing a function will not be in the new context. I don't think there is
> a way to support that in selinux.

Ok, now I remember (after looking through selinux/hooks.c) - you can
use /proc/pid/attr/current to effect an immediate context switch if
you have the setcurrent permission to the new domain.

I think the sanest thing to do would be to use the normal behavior when
possible, then use setcurrent only when doing an attach of a function.

-serge
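For reference, here is an added example (not part of the thread, and not LXC's
lsm code or libselinux) of the two label-setting paths being discussed: writing
/proc/self/attr/exec so the label applies at the next execve() (what libselinux
setexeccon() does, fitting the "run a program" form of lxc-attach), versus
writing /proc/self/attr/current so it applies immediately (what setcon() does).
The immediate path is what the kernel gates on process:setcurrent for the
caller's domain plus process:dyntransition from the old to the new domain, and
it is refused for multi-threaded callers. The function names, the label string
and the argument handling in main() are assumptions made for the example.

```c
/*
 * Added example (not LXC's own code): set a process's SELinux label through
 * /proc/self/attr/{exec,current}, choosing the semantics described in the
 * thread.
 *
 *  on_exec = 1: write /proc/self/attr/exec; the new label takes effect at the
 *               next execve() (libselinux setexeccon()).
 *  on_exec = 0: write /proc/self/attr/current; the switch is immediate
 *               (libselinux setcon()), allowed only with process:setcurrent on
 *               the current domain, process:dyntransition old->new, and from a
 *               single-threaded process.
 *
 * Build: cc -Wall -o selinux_attr selinux_attr.c
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Pick the procattr file for the requested semantics. */
const char *selinux_attr_path(int on_exec)
{
    return on_exec ? "/proc/self/attr/exec" : "/proc/self/attr/current";
}

/* Read the caller's current label into buf; returns its length or -1. */
ssize_t lsm_selinux_label_get(char *buf, size_t len)
{
    int fd = open("/proc/self/attr/current", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    int saved = errno;
    close(fd);
    if (n < 0) {
        errno = saved;
        return -1;
    }
    buf[n] = '\0';
    /* The kernel may terminate the label with a newline or NUL; strip it. */
    while (n > 0 && (buf[n - 1] == '\n' || buf[n - 1] == '\0'))
        buf[--n] = '\0';
    return n;
}

/*
 * Set the label. Returns 0 on success, -1 with errno set: EACCES/EPERM when
 * policy denies setcurrent or dyntransition, EINVAL for an unknown label or
 * a bad argument, ENOENT when the procattr interface is absent.
 */
int lsm_selinux_label_set(const char *label, int on_exec)
{
    if (label == NULL || label[0] == '\0') {
        errno = EINVAL;
        return -1;
    }
    int fd = open(selinux_attr_path(on_exec), O_WRONLY);
    if (fd < 0)
        return -1;
    /* One write() carrying the whole context string plus its NUL, as
     * libselinux does; the kernel parses the buffer as a single label. */
    size_t want = strlen(label) + 1;
    ssize_t n = write(fd, label, want);
    int saved = errno;
    close(fd);
    if (n < 0 || (size_t)n != want) {
        errno = n < 0 ? saved : EIO;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char cur[256];
    /* Assumed label for the example; LXC would take it from its config. */
    const char *label = argc > 1 ? argv[1] : "unconfined_u:unconfined_r:lxc_t:s0";
    /* Any second argument emulates "attach of a function" (no exec follows). */
    int attach_function = argc > 2;

    if (lsm_selinux_label_get(cur, sizeof cur) >= 0)
        printf("current label: %s\n", cur);
    else
        printf("current label unavailable: %s\n", strerror(errno));

    /* Prefer the exec-time switch; use setcurrent only when the attached
     * code will not exec, which is the case the thread identifies. */
    if (lsm_selinux_label_set(label, !attach_function) == 0)
        printf("label %s %s\n", label,
               attach_function ? "applied now via setcurrent" : "queued for next exec");
    else
        printf("label set via %s failed: %s\n",
               selinux_attr_path(!attach_function), strerror(errno));
    return 0;
}
```

On a host without SELinux the writes fail with EINVAL or ENOENT, which is the
signal the generic LSM code needs to report rather than silently continuing
with the wrong label.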



