[Devel] Re: [PATCH 1/1] cr: lsm: restore LSM contexts for ipc objects

Casey Schaufler casey at schaufler-ca.com
Mon Jun 22 20:10:33 PDT 2009


Stephen Smalley wrote:
> On Mon, 2009-06-22 at 12:50 -0500, Serge E. Hallyn wrote:
>   
>> Quoting Stephen Smalley (sds at epoch.ncsc.mil):
>>     
>>> Not sure you need to cache them in the cr layer (vs. just using the
>>> mapping functions provided by the LSM hook interface, and letting the
>>> security module handle caching internally).
>>>       
>> Do I understand correctly that secids are supposed to be consistent
>> across machines and reboots, but not across policy versions?
>>     
>
> No, secids are temporal - they are dynamically allocated at runtime like
> file descriptors.  You should only store security contexts in the
> images.
>   

Like he said. Smack would be happier if secid's went away, but
there's too much left over from the era when SELinux was the only
LSM for that to happen without crying and gnashing of teeth. A
secid is good only for the current invocation of the current
instance of the kernel.
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers




More information about the Devel mailing list