Oops, forgot to reply to all (I wish gmail would remind me!). Forwarding to Oliver also.
---------- Forwarded message ----------
From: Jamie Nguyen <ja...@tomoyolinux.co.uk>
Date: 1 May 2011 23:47
Subject: Re: [tomoyo-dev-en 208] Re: About supporting policy namespace.
To: tomoyo-dev-en@lists.sourceforge.jp

Tetsuo Handa wrote:
> Yes. Each namespace will have its own domain_policy.conf exception_policy.conf
> profile.conf and manager.conf . That's a problem, for we need to consider
> about
> userland policy directory layout. For /proc/ccs/ directory, we don't need to
> create domain_policy exception_policy profile and manager for each namespace
> because we can switch namespace to read from or write to by writing
> "namespace $namespace" line. But for /etc/ccs/policy/ directory, I think we
> want to split files for each namespace. Well, technically it has no problem
> with concatenating domain_policy-kernel.conf and domain_policy-apache.conf
> like
>
> # domain policy for <kernel> namespace follows.
> # domain policy for <apache> namespace follows.
>
> because the first word in a line (e.g. <kernel> and <apache> ) can
> serve as namespace separator. But for (e.g.) exception_policy-kernel.conf and
> exception_policy-apache.conf , can we accept concatenated format like
>
> namespace <kernel>
> # exception policy for <kernel> namespace follows.
> namespace <apache>
> # exception policy for <apache> namespace follows.
>
> which makes it impossible to use existing commands like /bin/sort ?
>
> But if we split exception_policy.conf for each namespace,
> both exception_policy-$namespace.conf and $namespace/exception_policy.conf
> are bad if we accept / in $namespace .

Personally, I think splitting is much more preferable than concatenating. If for example many namespaces are being used (e.g. >5), this is much more easily manageable in separate files than within a single concatenated file. Do you think it is a problem to disallow "/" in $namespace ?
Also, I much prefer "/etc/ccs/$namespace/exception_policy.conf" rather than "/etc/ccs/exception_policy-$namespace.conf". If we use exception_policy-$namespace.conf, then things can get rather messy when many namespaces are used. Also, if we do use a different directory for $namespace, then I suppose "/etc/ccs/policy/current" can include further subdirectories for each namespace, for example "/etc/ccs/policy/current/apache". Proposed layout looks like this:

# ls -R /etc/ccs
apache/  ccs-load-module  domain_policy.conf  exception_policy.conf  manager.conf  policy/  profile.conf  stat.conf  tools/

/etc/ccs/apache:
domain_policy.conf  exception_policy.conf  manager.conf  profile.conf

/etc/ccs/policy:
11-05-01.09:32:47/  11-05-01.15:41:01/  current  previous

/etc/ccs/policy/11-05-01.09:32:47:
domain_policy.conf  exception_policy.conf  manager.conf  profile.conf

/etc/ccs/policy/11-05-01.15:41:01:
apache/  domain_policy.conf  exception_policy.conf  manager.conf  profile.conf

/etc/ccs/policy/11-05-01.15:41:01/apache:
domain_policy.conf  exception_policy.conf  manager.conf  profile.conf

/etc/ccs/tools:
auditd.conf  editpolicy.conf  notifyd.conf  patternize.conf

What do you think?

> Oliver, how do you want to have policy files for each LXC environment?
> Concatenated single file or separated multiple files?

Yes, it would be good to get opinions of users that use namespaces on a regular basis.

_______________________________________________
tomoyo-dev-en mailing list
tomoyo-dev-en@lists.sourceforge.jp
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-dev-en
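The concatenated exception_policy format quoted in the thread, split into the per-namespace directory layout Jamie proposes, as an added example that is not part of this thread or of TOMOYO's own tools. It assumes a "namespace <name>" header line starts each section, that "<name>" maps to the directory "name" (as <apache> does to /etc/ccs/apache above) with <kernel> kept at the top level, and uses constructed sample policy lines; names containing "/" are rejected, which is the hazard Tetsuo raises.

```python
# Added example (not TOMOYO's own tooling): split the concatenated
# exception_policy format proposed in the thread into per-namespace files.
# Assumed: "namespace <name>" headers, "<name>" -> directory "name",
# <kernel> at the top level, lines before the first header belong to <kernel>.
import os
import re

NS_LINE = re.compile(r"^namespace\s+<([^<>\s]+)>\s*$")

def namespace_dir(name: str) -> str:
    """Directory for a namespace; reject names that could escape the tree."""
    if not name or "/" in name or name in (".", ".."):
        raise ValueError(f"unsafe namespace name: {name!r}")
    return "" if name == "kernel" else name

def split_exception_policy(text: str) -> dict[str, list[str]]:
    """Return {namespace: [policy lines]} parsed from the concatenated format."""
    sections: dict[str, list[str]] = {"kernel": []}
    current = "kernel"
    for raw in text.splitlines():
        line = raw.strip()
        m = NS_LINE.match(line)
        if m:
            current = m.group(1)
            namespace_dir(current)  # validate before anything is written
            sections.setdefault(current, [])
        elif line and not line.startswith("#"):
            sections[current].append(line)
    return sections

def write_split_policy(root: str, sections: dict[str, list[str]]) -> list[str]:
    """Write each section to root/<dir>/exception_policy.conf; return the paths."""
    written = []
    for name, lines in sections.items():
        target = os.path.join(root, namespace_dir(name))
        os.makedirs(target, exist_ok=True)
        path = os.path.join(target, "exception_policy.conf")
        with open(path, "w") as fh:
            fh.write("".join(l + "\n" for l in lines))  # one file, sort(1)-friendly
        written.append(path)
    return written

# Constructed sample in the concatenated format from the thread.
SAMPLE = """namespace <kernel>
# exception policy for <kernel> namespace follows.
initialize_domain /usr/sbin/sshd from any
namespace <apache>
# exception policy for <apache> namespace follows.
initialize_domain /usr/sbin/httpd from any
"""
```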