On Thu, Oct 05, 2017 at 10:06:55AM -0400, Stephen Smalley wrote:
> On Thu, 2017-10-05 at 00:47 -0500, Serge E. Hallyn wrote:
> > On Mon, Oct 02, 2017 at 11:58:19AM -0400, Stephen Smalley wrote:
> > > The selinux netlink socket is used to notify userspace of changes to
> > > the enforcing mode
On Fri, 2017-10-06 at 14:24 -0500, Serge E. Hallyn wrote:
> Quoting Stephen Smalley (s...@tycho.nsa.gov):
> > On Fri, 2017-10-06 at 12:07 +1100, James Morris wrote:
> > > On Mon, 2 Oct 2017, Stephen Smalley wrote:
> > >
> > > > This change presumes that one will always unshare the network
> > > >
Quoting Stephen Smalley (s...@tycho.nsa.gov):
> On Fri, 2017-10-06 at 12:07 +1100, James Morris wrote:
> > On Mon, 2 Oct 2017, Stephen Smalley wrote:
> >
> > > This change presumes that one will always unshare the network namespace
> > > when unsharing a new selinux namespace (the reverse is
On Fri, 2017-10-06 at 12:07 +1100, James Morris wrote:
> On Mon, 2 Oct 2017, Stephen Smalley wrote:
>
> > This change presumes that one will always unshare the network namespace
> > when unsharing a new selinux namespace (the reverse is not required).
> > Otherwise, the same inconsistencie
On Mon, 2 Oct 2017, Stephen Smalley wrote:
> This change presumes that one will always unshare the network namespace
> when unsharing a new selinux namespace (the reverse is not required).
> Otherwise, the same inconsistencies could arise between the notifications
> and the relevant policy. At pr
On Thu, 2017-10-05 at 10:06 -0400, Stephen Smalley wrote:
> On Thu, 2017-10-05 at 00:47 -0500, Serge E. Hallyn wrote:
> > On Mon, Oct 02, 2017 at 11:58:19AM -0400, Stephen Smalley wrote:
> > > The selinux netlink socket is used to notify userspace of changes to
> > > the enforcing mode and po
On Thu, 2017-10-05 at 00:47 -0500, Serge E. Hallyn wrote:
> On Mon, Oct 02, 2017 at 11:58:19AM -0400, Stephen Smalley wrote:
> > The selinux netlink socket is used to notify userspace of changes to
> > the enforcing mode and policy reloads. At present, these notifications
> > are always se
On Mon, Oct 02, 2017 at 11:58:19AM -0400, Stephen Smalley wrote:
> The selinux netlink socket is used to notify userspace of changes to
> the enforcing mode and policy reloads. At present, these notifications
> are always sent to the initial network namespace. In order to support
> multiple selin
The selinux netlink socket is used to notify userspace of changes to
the enforcing mode and policy reloads. At present, these notifications
are always sent to the initial network namespace. In order to support
multiple selinux namespaces, each with its own enforcing mode and
policy, we need to cr