> -----Original Message-----
> From: Lennart Poettering [mailto:lenn...@poettering.net]
> Sent: Tuesday, October 08, 2013 3:17 PM
> To: Kok, Auke-jan H
> Cc: Zbigniew Jędrzejewski-Szmek; Schaufler, Casey; systemd-devel
> Subject: Re: [systemd-devel] [PATCH 2/2] Run with a custom SMACK domain
> (label).
>
> On Mon, 07.10.13 10:30, Kok, Auke-jan H (auke-jan.h....@intel.com) wrote:
>
> > > Hi,
> > > the patches look OK. I don't have a system with smack support at
> > > hand, but I tested them on Fedora, and didn't notice any adverse effects.
> > > If you've tested them with smack, then they should be applied, imo.
> >
> > Thanks, I just applied them myself - I just wanted to give folks a bit
> > of time to read and test - so thanks for doing so!
>
> Hmm, the patches as they are merged now try to mount the SMACK version
> of /run and /dev/shm also in containers. Will this work?

So long as the cgroup filesystem propagates the xattrs to and from the
real filesystem it won't be a problem. If the cgroup filesystem is not
doing that there will be a problem.

> So far (at least for SELinux) we tried to turn off all security layers in
> containers, since the policies are not virtualized.

I don't know what you mean by "virtualized" in this context.

> Due to that it sounds more
> appropriate not to mount these SMACK versions in a container. More
> specifically, I'd like to remove the MNT_IN_CONTAINER flags from the lines
> you just added?

That does sound like the safest approach. I would be fine with that.

> Does that make sense to you?
>
> Lennart
>
> --
> Lennart Poettering - Red Hat, Inc.

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel