On Mon, 2 Oct 2017, Stephen Smalley wrote:

> Move the access vector cache (AVC) into the selinux namespace
> structure and pass it explicitly to all AVC functions.  The
> AVC private state is encapsulated in a selinux_avc structure
> that is allocated and freed by the AVC during selinux namespace
> creation and destruction.
> 
> This is necessary to support multiple selinux namespaces since
> the AVC caches state (e.g. SIDs, policy sequence number) that
> is maintained and provided by the security server on a per-namespace
> basis.

What about per-namespace AVC stats?

At the moment, it seems that the stats for all AVCs are combined in the 
existing percpu stats, which could be confusing for someone trying to tune 
the host or a guest, as the hash stats & config are per-namespace.  Also, 
a user likely wants to see only their own AVC stats generally.


-- 
James Morris
<jmor...@namei.org>
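To make the point of the exchange above concrete, here is an added userspace model (not kernel code, not part of the patch or this reply) of AVC private state owned by a namespace, where each namespace's cache carries its own lookup/hit/miss counters instead of sharing one set; all names (ns_avc, selinux_ns_model, avc_model_lookup, ns_model_create) are invented for this illustration.

```c
/* Added illustration, not SELinux kernel code: per-namespace AVC state
 * with per-namespace stats. All identifiers here are invented. */
#include <stdlib.h>
#include <stdint.h>

#define AVC_MODEL_SLOTS 16

/* AVC private state: a tiny direct-mapped cache plus counters that
 * belong to this namespace only (unlike a single shared percpu stats). */
struct ns_avc {
    uint32_t ssid[AVC_MODEL_SLOTS];
    uint32_t tsid[AVC_MODEL_SLOTS];
    uint16_t tclass[AVC_MODEL_SLOTS];
    int      used[AVC_MODEL_SLOTS];
    unsigned long lookups, hits, misses;
};

/* A namespace owns one AVC, allocated at creation and freed at destruction. */
struct selinux_ns_model {
    struct ns_avc *avc;
};

struct selinux_ns_model *ns_model_create(void)
{
    struct selinux_ns_model *ns = calloc(1, sizeof(*ns));
    if (!ns) return NULL;
    ns->avc = calloc(1, sizeof(*ns->avc));
    if (!ns->avc) { free(ns); return NULL; }
    return ns;
}

void ns_model_destroy(struct selinux_ns_model *ns)
{
    if (!ns) return;
    free(ns->avc);
    free(ns);
}

/* The AVC is passed explicitly, so counters update only for that namespace.
 * A miss inserts the key so the next identical lookup hits. Returns 1 on hit. */
int avc_model_lookup(struct ns_avc *avc, uint32_t ssid, uint32_t tsid, uint16_t tclass)
{
    unsigned slot = (ssid * 31u + tsid * 17u + tclass) % AVC_MODEL_SLOTS;
    avc->lookups++;
    if (avc->used[slot] && avc->ssid[slot] == ssid &&
        avc->tsid[slot] == tsid && avc->tclass[slot] == tclass) {
        avc->hits++;
        return 1;
    }
    avc->misses++;
    avc->used[slot] = 1; avc->ssid[slot] = ssid;
    avc->tsid[slot] = tsid; avc->tclass[slot] = tclass;
    return 0;
}
```

Two namespaces looking up the same (ssid, tsid, tclass) key each see their own miss and hit counts, which is the separation the reply asks about.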
