Re: [PATCH v2 4/5] selinux: Use pointer to switch policydb and sidtab

2018-02-07 Thread peter enderborg
On 01/30/2018 03:37 PM, Stephen Smalley wrote: > On Fri, 2018-01-26 at 15:32 +0100, peter.enderb...@sony.com wrote: > goto err; > > - rc = security_preserve_bools(newpolicydb); > + rc = security_preserve_bools(_rcu->policydb); > if (rc) { > printk(KERN_ERR "SELinux:

Does selinux work with kernel namespaces?

2018-02-07 Thread Matt Callaway
Hello, I am attempting to run Docker on CentOS 7.4 with SELinux and kernel namespaces enabled. When I do so I observe an error that leads me to an issue filed in GitHub and a kernel patch that suggests that the cause should be fixed in kernel 4.11+. Yet I cannot run Docker containers in this

Re: [RFC 01/10] selinux: introduce a selinux namespace

2018-02-07 Thread Paul Moore
On Wed, Feb 7, 2018 at 12:48 PM, Stephen Smalley wrote: > On Tue, 2018-02-06 at 17:18 -0500, Paul Moore wrote: ... >> While I don't think we need to tackle this as part of the >> encapsulation work, this is another reminder that we should look into >> breaking the separation

Re: [RFC 01/10] selinux: introduce a selinux namespace

2018-02-07 Thread Stephen Smalley
On Tue, 2018-02-06 at 17:18 -0500, Paul Moore wrote: > On Mon, Oct 2, 2017 at 11:58 AM, Stephen Smalley > wrote: > > Define a selinux namespace structure (struct selinux_ns) > > for SELinux state and pass it explicitly to all security server > > functions. The public portion

Re: [RFC 01/10] selinux: introduce a selinux namespace

2018-02-07 Thread Paul Moore
On Tue, Feb 6, 2018 at 5:18 PM, Paul Moore wrote: > On Mon, Oct 2, 2017 at 11:58 AM, Stephen Smalley wrote: >> Define a selinux namespace structure (struct selinux_ns) >> for SELinux state and pass it explicitly to all security server >> functions. The