On Fri, Oct 10, 2025 at 9:59 AM Stephen Smalley <[email protected]> wrote: > > 2. The SELinux namespaces support [1], [2] is based on instantiating a > separate selinuxfs instance for each namespace; you load a policy for > a namespace by mounting a new selinuxfs instance after unsharing your > SELinux namespace and then write to its /sys/fs/selinux/load > interface, only affecting policy for the new namespace. Your interface > doesn't appear to support such an approach and IIUC will currently > always load the init SELinux namespace's policy rather than the > current process' SELinux namespace.
I'm distracted on other things at the moment, but my current thinking is that while policy loading and namespace management APIs are largely separate, there is some minor overlap when it comes to loading policy as others have mentioned. For that reason, I think we need to resolve the namespace API first, keeping in mind the potential for a policy load API, and then implement the policy loading API, if desired. -- paul-moore.com
