On Tue, 16 Jul 2019, Paul Moore wrote:
> The subj_X approach is still backwards compatible, the difference is
> that old versions of the tools get a "?" for the LSM creds which is a
> rather sane way of indicating something is different.
This will still break existing userspace, right? We can't
On 7/16/2019 4:13 PM, Paul Moore wrote:
> On Tue, Jul 16, 2019 at 6:18 PM Casey Schaufler
> wrote:
>> It sounds as if some variant of the Hideous format:
>>
>> subj=selinux='a:b:c:d',apparmor='z'
>> subj=selinux/a:b:c:d/apparmor/z
>> subj=(selinux)a:b:c:d/(apparmor)z
>>
>>
On Tue, Jul 16, 2019 at 6:03 PM Richard Guy Briggs wrote:
> On 2019-07-15 17:04, Paul Moore wrote:
> > On Mon, Jul 8, 2019 at 2:06 PM Richard Guy Briggs wrote:
...
> > > If we can't trust ns_capable() then why are we passing on
> > > CAP_AUDIT_CONTROL? It is being passed down and not stripped
On Tue, Jul 16, 2019 at 6:18 PM Casey Schaufler wrote:
> It sounds as if some variant of the Hideous format:
>
> subj=selinux='a:b:c:d',apparmor='z'
> subj=selinux/a:b:c:d/apparmor/z
> subj=(selinux)a:b:c:d/(apparmor)z
>
> would meet Steve's searchability requirements, but
On Tue, Jul 16, 2019 at 5:46 PM Steve Grubb wrote:
> On Tuesday, July 16, 2019 5:25:21 PM EDT Paul Moore wrote:
...
> > Agreed. While I'm not going to be on a specific Linux release, I do
> > believe that at some point in the future the LSM stacking work is
> > going to land in Linus' tree. Pe
On 7/16/2019 2:46 PM, Steve Grubb wrote:
> On Tuesday, July 16, 2019 5:25:21 PM EDT Paul Moore wrote:
>> On Tue, Jul 16, 2019 at 2:41 PM Casey Schaufler
> wrote:
>>> On 7/16/2019 11:06 AM, Steve Grubb wrote:
On Tuesday, July 16, 2019 1:43:18 PM EDT Paul Moore wrote:
> On Tue, Jul 16, 201
On 2019-07-15 17:04, Paul Moore wrote:
> On Mon, Jul 8, 2019 at 2:06 PM Richard Guy Briggs wrote:
> > On 2019-05-30 15:29, Paul Moore wrote:
>
> ...
>
> > > [REMINDER: It is an "*audit* container ID" and not a general
> > > "container ID" ;) Smiley aside, I'm not kidding about that part.]
> > >
On Tuesday, July 16, 2019 5:25:21 PM EDT Paul Moore wrote:
> On Tue, Jul 16, 2019 at 2:41 PM Casey Schaufler wrote:
> > On 7/16/2019 11:06 AM, Steve Grubb wrote:
> > > On Tuesday, July 16, 2019 1:43:18 PM EDT Paul Moore wrote:
> > >> On Tue, Jul 16, 2019 at 1:30 PM Casey Schaufler
> > >>
> > >
On Tue, Jul 16, 2019 at 3:38 PM Richard Guy Briggs wrote:
> On 2019-07-15 16:38, Paul Moore wrote:
> > On Mon, Jul 8, 2019 at 1:51 PM Richard Guy Briggs wrote:
> > > On 2019-05-29 11:29, Paul Moore wrote:
> >
> > ...
> >
> > > > The idea is that only container orchestrators should be able to
> >
On Tue, Jul 16, 2019 at 2:41 PM Casey Schaufler wrote:
> On 7/16/2019 11:06 AM, Steve Grubb wrote:
> > On Tuesday, July 16, 2019 1:43:18 PM EDT Paul Moore wrote:
> >> On Tue, Jul 16, 2019 at 1:30 PM Casey Schaufler
> > wrote:
> >>> On 7/16/2019 10:12 AM, Paul Moore wrote:
> On Mon, Jul 15, 2
On 2019-07-15 16:38, Paul Moore wrote:
> On Mon, Jul 8, 2019 at 1:51 PM Richard Guy Briggs wrote:
> > On 2019-05-29 11:29, Paul Moore wrote:
>
> ...
>
> > > The idea is that only container orchestrators should be able to
> > > set/modify the audit container ID, and since setting the audit
> > >
On 7/16/2019 11:06 AM, Steve Grubb wrote:
> On Tuesday, July 16, 2019 1:43:18 PM EDT Paul Moore wrote:
>> On Tue, Jul 16, 2019 at 1:30 PM Casey Schaufler
> wrote:
>>> On 7/16/2019 10:12 AM, Paul Moore wrote:
On Mon, Jul 15, 2019 at 6:56 PM Steve Grubb wrote:
> On Monday, July 15, 2019 5
On Tuesday, July 16, 2019 1:43:18 PM EDT Paul Moore wrote:
> On Tue, Jul 16, 2019 at 1:30 PM Casey Schaufler wrote:
> > On 7/16/2019 10:12 AM, Paul Moore wrote:
> > > On Mon, Jul 15, 2019 at 6:56 PM Steve Grubb wrote:
> > >> On Monday, July 15, 2019 5:28:56 PM EDT Paul Moore wrote:
> > >>> On Mo
On 7/16/2019 10:43 AM, Paul Moore wrote:
> On Tue, Jul 16, 2019 at 1:30 PM Casey Schaufler
> wrote:
>> On 7/16/2019 10:12 AM, Paul Moore wrote:
>>> On Mon, Jul 15, 2019 at 6:56 PM Steve Grubb wrote:
On Monday, July 15, 2019 5:28:56 PM EDT Paul Moore wrote:
> On Mon, Jul 15, 2019 at 3:37
On Tue, Jul 16, 2019 at 1:30 PM Casey Schaufler wrote:
> On 7/16/2019 10:12 AM, Paul Moore wrote:
> > On Mon, Jul 15, 2019 at 6:56 PM Steve Grubb wrote:
> >> On Monday, July 15, 2019 5:28:56 PM EDT Paul Moore wrote:
> >>> On Mon, Jul 15, 2019 at 3:37 PM Casey Schaufler
> >> wrote:
> On 7/15
On 7/16/2019 10:12 AM, Paul Moore wrote:
> On Mon, Jul 15, 2019 at 6:56 PM Steve Grubb wrote:
>> On Monday, July 15, 2019 5:28:56 PM EDT Paul Moore wrote:
>>> On Mon, Jul 15, 2019 at 3:37 PM Casey Schaufler
>> wrote:
On 7/15/2019 12:04 PM, Richard Guy Briggs wrote:
> On 2019-07-13 11:08,
On 7/16/2019 9:14 AM, Steve Grubb wrote:
> On Tuesday, July 16, 2019 12:00:05 PM EDT Casey Schaufler wrote:
>>
>> Unless there's an objection I will use this format with
>> a slight modification. Smack allows commas in labels, so
>> using a bare comma can lead to ambiguity.
>>
>> lsms=smack,apparmo
On Mon, Jul 15, 2019 at 6:56 PM Steve Grubb wrote:
> On Monday, July 15, 2019 5:28:56 PM EDT Paul Moore wrote:
> > On Mon, Jul 15, 2019 at 3:37 PM Casey Schaufler
> wrote:
> > > On 7/15/2019 12:04 PM, Richard Guy Briggs wrote:
> > > > On 2019-07-13 11:08, Steve Grubb wrote:
...
> > > > Steve's
On Tuesday, July 16, 2019 12:33:30 PM EDT Lenny Bruzenak wrote:
> On 7/16/19 11:14 AM, Steve Grubb wrote:
> > Quoting has a specific meaning in audit fields. So, we really shouldn't
> > do that. We can simply pick another field delimiter. I really don't care
> > which it is as long as it's illeg
On 7/16/19 11:14 AM, Steve Grubb wrote:
> Quoting has a specific meaning in audit fields. So, we really shouldn't do
> that. We can simply pick another field delimiter. I really don't care which
> it is as long as it's illegal for use in a label. For example, we use
>
> #define AUDIT_KEY_SEPA
On 2019-07-16 12:08, Paul Moore wrote:
> On Tue, Jul 16, 2019 at 11:37 AM Richard Guy Briggs wrote:
> > On 2019-07-15 17:09, Paul Moore wrote:
> > > On Mon, Jul 8, 2019 at 2:12 PM Richard Guy Briggs wrote:
> > > > On 2019-05-30 19:26, Paul Moore wrote:
> > >
> > > ...
> > >
> > > > > I like the c
On Tuesday, July 16, 2019 12:00:05 PM EDT Casey Schaufler wrote:
> On 7/15/2019 3:55 PM, Steve Grubb wrote:
> > On Monday, July 15, 2019 5:28:56 PM EDT Paul Moore wrote:
> >> On Mon, Jul 15, 2019 at 3:37 PM Casey Schaufler
> >
> > wrote:
> >>> On 7/15/2019 12:04 PM, Richard Guy Briggs wrote:
> >>
On Tue, Jul 16, 2019 at 11:37 AM Richard Guy Briggs wrote:
> On 2019-07-15 17:09, Paul Moore wrote:
> > On Mon, Jul 8, 2019 at 2:12 PM Richard Guy Briggs wrote:
> > > On 2019-05-30 19:26, Paul Moore wrote:
> >
> > ...
> >
> > > > I like the creativity, but I worry that at some point these
> > > >
On 7/15/2019 3:55 PM, Steve Grubb wrote:
> On Monday, July 15, 2019 5:28:56 PM EDT Paul Moore wrote:
>> On Mon, Jul 15, 2019 at 3:37 PM Casey Schaufler
> wrote:
>>> On 7/15/2019 12:04 PM, Richard Guy Briggs wrote:
On 2019-07-13 11:08, Steve Grubb wrote:
> Hello,
>
> On Friday, Ju
On 2019-07-15 17:09, Paul Moore wrote:
> On Mon, Jul 8, 2019 at 2:12 PM Richard Guy Briggs wrote:
> > On 2019-05-30 19:26, Paul Moore wrote:
>
> ...
>
> > > I like the creativity, but I worry that at some point these
> > > limitations are going to be raised (limits have a funny way of doing
> >
25 matches