On 04/16/15 at 04:12pm, Herbert Xu wrote: > On Thu, Apr 16, 2015 at 05:02:15PM +1000, James Morris wrote: > > > > They don't support namespaces, and maintaining the label is critical for > > SELinux, at least, which mediates security for the system as a whole. > > Thanks for the confirmation James, I thought this looked a bit > dodgy :) > > ---8<--- > This patch reverts commit b8fb4e0648a2ab3734140342002f68fb0c7d1602 > because the secmark must be preserved even when a packet crosses > namespace boundaries. The reason is that security labels apply to > the system as a whole and is not per-namespace.
No objection to reverting, _BUT_ just because security labels apply to the system as a whole does not mean that both the packet in the underlay and overlay belong to the same context. The point here was to not blindly inherit the security context of a packet based on the outer or inner header. Someone tagging all packets addressed to the host itself with a SElinux context may not expect that SELinux context to be preserved into a namespaced tenant. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
