On Thu, Jan 7, 2016 at 4:19 PM, Stephen Smalley <[email protected]> wrote:
> On 01/07/2016 03:36 PM, Nicolas Iooss wrote:
>>
>> Hello,
>>
>> Since Linux 3.19 the targets of /proc/PID/ns/* symlinks have lived in a
>> filesystem separate from /proc, named nsfs [1].  These targets are used to
>> enter the namespace of another process by using the setns() syscall [2].
>> On old kernels, they were labeled with the procfs default type (for
>> example "getfilecon /proc/self/ns/uts" returned
>> system_u:object_r:proc_t:s0).  When using a recent kernel with a policy
>> without nsfs support, the inodes are not labeled, as reported for example
>> in Fedora bug #1234757 [3].  As I encounter this issue on my systems, I
>> asked yesterday on the refpolicy ML how nsfs inodes should be labeled [4].
>>
>> After digging a little bit about the possibilities, here is a summary of
>> the options I have considered so far.
>>
>> Option 1: define a new type to label nsfs inodes, nsfs_t.  This works as
>> expected (cf. [5] for more details) ...
>
> Only option 1 makes sense to me.

Agreed.

-- 
paul moore
www.paul-moore.com
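The quoted report boils down to three observable states for the targets of /proc/PID/ns/*: proc_t on a pre-3.19 kernel, unlabeled_t on an nsfs kernel whose policy has no nsfs support, and nsfs_t once a policy defines that type (option 1). The script below is an added example, not code from the thread or from refpolicy; it assumes GNU stat (for `-c %C`) and the refpolicy-style type names above, and the classification words (ok, legacy, unlabeled, unknown, other) are this example's own. Note that `stat -L` is required: without dereferencing you get the context of the magic symlink in /proc, not of the nsfs inode it points to.

```shell
#!/bin/sh
# Added example (not from the thread): classify the SELinux label found on
# the targets of /proc/PID/ns/* and report what it says about the
# kernel/policy combination. Assumes GNU stat (for -c %C) and the
# refpolicy-style type names nsfs_t, proc_t and unlabeled_t.

# selinux_type CONTEXT -> the type field of a user:role:type:level context
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_nsfs_label CONTEXT -> one word (this example's own vocabulary):
#   ok         nsfs_t: kernel >= 3.19 and a policy that labels nsfs (option 1)
#   legacy     proc_t: pre-3.19 kernel, target still lives in procfs
#   unlabeled  unlabeled_t: nsfs kernel with a policy that has no nsfs support
#   unknown    no context available (SELinux disabled, or stat cannot read it)
#   other      some other type (site-specific policy)
classify_nsfs_label() {
    case "$1" in
        ''|'?') echo unknown; return 0 ;;
    esac
    case "$(selinux_type "$1")" in
        nsfs_t)      echo ok ;;
        proc_t)      echo legacy ;;
        unlabeled_t) echo unlabeled ;;
        *)           echo other ;;
    esac
}

# check_ns_labels [PID] -> prints one line per namespace link; returns 1 if
# any target is unlabeled. stat -L is required: without -L you get the
# context of the symlink in /proc (proc_t), not of the nsfs target.
check_ns_labels() {
    pid=${1:-self}
    bad=0
    for link in /proc/"$pid"/ns/*; do
        [ -e "$link" ] || continue
        ctx=$(stat -L -c %C "$link" 2>/dev/null || echo '?')
        verdict=$(classify_nsfs_label "$ctx")
        printf '%-28s %-40s %s\n' "$link" "$ctx" "$verdict"
        [ "$verdict" = unlabeled ] && bad=1
    done
    return $bad
}

# Run the live check only when explicitly asked, e.g.:
#   sh nsfs_check.sh --check        (current process)
#   sh nsfs_check.sh --check 1234   (another PID)
if [ "${1:-}" = --check ]; then
    check_ns_labels "${2:-self}"
fi
```

On a system affected by the bug in the quoted report every line ends in "unlabeled" and the script exits 1; after loading a policy that defines nsfs_t the same run reports "ok" for each namespace link.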