Jamie Nguyen wrote:
> Tetsuo Handa wrote:
> > Jamie Nguyen wrote:
> >> Just to make sure we understand each other, do I understand correctly
> >> that you want to remove "initialize_domain" directive and replace with
> >> "initialize_namespace"? Or do you intend them to exist together?
> >
> > I won't remove "initialize_domain" directive.
> > "initialize_domain" and "initialize_namespace" directives coexist.
>
> This was the root of my misunderstanding! I was falsely under the
> impression that you wanted to replace "initialize_domain", but since
> this is not the case, namespaces can indeed be ignored by users that
> don't need it. Great!
Sorry for confusing you. I meant to say that using "initialize_namespace" is
more convenient in most cases for policy developers than using
"initialize_domain", because they can develop policy without worrying about
conflicts between domain_policy, exception_policy, profile and manager.

> All the changes look very good to me. I am guessing that you are
> proposing that each namespace will have its own exception_policy.conf
> ?

Yes. Each namespace will have its own domain_policy.conf,
exception_policy.conf, profile.conf and manager.conf .

That's a problem, for we need to consider the userland policy directory
layout.

For the /proc/ccs/ directory, we don't need to create domain_policy,
exception_policy, profile and manager for each namespace, because we can
switch the namespace to read from or write to by writing a
"namespace $namespace" line.

But for the /etc/ccs/policy/ directory, I think we want to split files for
each namespace.

Well, technically there is no problem with concatenating
domain_policy-kernel.conf and domain_policy-apache.conf like

  # domain policy for <kernel> namespace follows.
  # domain policy for <apache> namespace follows.

because the first word in a line (e.g. <kernel> and <apache> ) can serve
as namespace separator.

But for (e.g.) exception_policy-kernel.conf and exception_policy-apache.conf ,
can we accept a concatenated format like

  namespace <kernel>
  # exception policy for <kernel> namespace follows.
  namespace <apache>
  # exception policy for <apache> namespace follows.

which makes it impossible to use existing commands like /bin/sort ?

But if we split exception_policy.conf for each namespace, both
exception_policy-$namespace.conf and $namespace/exception_policy.conf are
bad if we accept / in $namespace .

Oliver, how do you want to have policy files for each LXC environment?
Concatenated single file or separated multiple files?
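The layout problem discussed in this thread can be made concrete with a small namespace-aware splitter. The following is an added example, not code from the TOMOYO project or from either poster; it assumes the two concatenated layouts described above (domain_policy lines whose first word carries the `<namespace>` prefix, and exception_policy files where a `namespace <name>` line switches the namespace for everything that follows), and the sample policy text is constructed for illustration. It shows why a whole-file `/bin/sort` destroys the concatenated exception_policy format, how sorting per namespace keeps it intact, and how a `/` inside a namespace name breaks the `exception_policy-$namespace.conf` file-naming scheme.

```python
"""Namespace-aware handling of concatenated TOMOYO-style policy files (added example)."""
import re

# A domain definition line starts with its namespace, e.g. "<kernel> /usr/sbin/sshd".
NS_PREFIX = re.compile(r"^<[^\s>]+>")

# Constructed sample: two domain_policy files concatenated as the thread describes.
SAMPLE_DOMAIN = """\
# domain policy for <kernel> namespace follows.
<kernel>
use_profile 0
<kernel> /usr/sbin/sshd
use_profile 1
file read /etc/ssh/sshd_config
# domain policy for <apache> namespace follows.
<apache> /usr/sbin/httpd
use_profile 1
"""

# Constructed sample: two exception_policy files concatenated with "namespace" lines.
SAMPLE_EXCEPTION = """\
namespace <kernel>
# exception policy for <kernel> namespace follows.
initialize_domain /usr/sbin/sshd from any
aggregator /usr/bin/python2.* /usr/bin/python
namespace <apache>
# exception policy for <apache> namespace follows.
initialize_domain /usr/sbin/httpd from any
"""


def _entries(text):
    """Yield non-empty, non-comment lines with surrounding whitespace removed."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield stripped


def split_domain_policy(text):
    """Group domain_policy lines by namespace: the prefix of each domain definition
    line applies to the ACL lines that follow it until the next definition."""
    groups, current = {}, None
    for line in _entries(text):
        match = NS_PREFIX.match(line)
        if match:
            current = match.group(0)
        if current is None:
            raise ValueError("ACL line before any domain definition: %r" % line)
        groups.setdefault(current, []).append(line)
    return groups


def split_exception_policy(text):
    """Group exception_policy lines by the most recent "namespace <name>" header."""
    groups, current = {}, None
    for line in _entries(text):
        if line.startswith("namespace "):
            current = line.split(None, 1)[1]
            groups.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("entry before any namespace header: %r" % line)
        groups[current].append(line)
    return groups


def naive_sort(text):
    """What running /bin/sort over the whole concatenated file would produce."""
    return "\n".join(sorted(l for l in text.splitlines() if l.strip())) + "\n"


def survives_naive_sort(text):
    """True only if a whole-file sort keeps every entry inside its own namespace."""
    before = {ns: set(v) for ns, v in split_exception_policy(text).items()}
    try:
        after = {ns: set(v) for ns, v in split_exception_policy(naive_sort(text)).items()}
    except ValueError:
        return False  # the "namespace" headers moved and entries lost their owner
    return before == after


def sort_within_namespaces(groups):
    """Re-emit the concatenated form with each namespace's entries sorted separately,
    which is the namespace-aware replacement for a plain /bin/sort."""
    out = []
    for ns, lines in groups.items():
        out.append("namespace " + ns)
        out.extend(sorted(lines))
    return "\n".join(out) + "\n"


def namespace_to_filename(ns, kind):
    """Map "<apache>" to "exception_policy-apache.conf" (hypothetical naming scheme).
    A '/' in the namespace would escape the policy directory, so reject it."""
    name = ns.strip("<>")
    if "/" in name or not name or any(ch.isspace() for ch in name):
        raise ValueError("namespace %r cannot be used as a file name component" % ns)
    return "%s-%s.conf" % (kind, name)
```

Running `survives_naive_sort(SAMPLE_EXCEPTION)` returns `False`: after a whole-file sort the `aggregator` and `initialize_domain` lines land before both `namespace` headers, so the parser can no longer tell which namespace they belong to. `sort_within_namespaces` produces the same sorted view without that loss, and `namespace_to_filename` is where a policy loader would refuse a namespace such as `<lxc/web>` rather than silently writing outside the policy directory.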
_______________________________________________
tomoyo-dev-en mailing list
tomoyo-dev-en@lists.sourceforge.jp
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-dev-en