I guess I'm late. (2011/05/02 6:57), Tetsuo Handa wrote: > Jamie Nguyen wrote: >> Tetsuo Handa wrote: >>> Jamie Nguyen wrote: >>>> Just to make sure we understand each other, do I understand correctly >>>> that you want to remove "initialize_domain" directive and replace with >>>> "initialize_namespace"? Or do you intend them to exist together? >>> >>> I won't remove "initialize_domain" directive. >>> "initialize_domain" and "initialize_namespace" directives coexist. >> >> This was the root of my misunderstanding! I was falsely under the >> impression that you wanted to replace "initialize_domain", but since >> this is not the case, namespaces can indeed be ignored by users that >> don't need it. Great! > > Sorry for making you confused. I meant to say that using > "initialize_namespace" > is convenient for most cases for policy developers than using > "initialize_domain" > because they can develop policy without worrying conflicts for domain_policy > exception_policy profile and manager.
My understanding of initialize_domain is resetting the domain, which occurs in the existing "namespace". Personally, I prefer the new directive for "namespace" to imply creating/changing to a different "namespace". For example, change_namespace or transit_namespace, instead of initialize_namespace (I can live with initialize_namespace, though). >> All the changes look very good to me. I am guessing that you are >> proposing that each namespace will have it's own exception_policy.conf >> ? > > Yes. Each namespace will have its own domain_policy.conf exception_policy.conf > profile.conf and manager.conf . That's a problem, for we need to consider > about > userland policy directory layout. For /proc/ccs/ directory, we don't need to > create domain_policy exception_policy profile and manager for each namespace > because we can switch namespace to read from or write to by writing > "namespace $namespace" line. But for /etc/ccs/policy/ directory, I think we > want to split files for each namespace. Well, technically it has no problem > with concatenating domain_policy-kernel.conf and domain_policy-apache.conf > like > > # domain policy for<kernel> namespace follows. > # domain policy for<apache> namespace follows. > > because the first word in a line (e.g.<kernel> and<apache> ) can > serve as namespace separator. But for (e.g.) exception_policy-kernel.conf and > exception_policy-apache.conf , can we accept concatenated format like > > namespace<kernel> > # exception policy for<kernel> namespace follows. > namespace<apache> > # exception policy for<apache> namespace follows. > > which makes it impossible to use existing commands like /bin/sort ? > > But if we split exception_policy.conf for each namespace, > both exception_policy-$namespace.conf and $namespace/exception_policy.conf > are bad if we accept / in $namespace . > > Oliver, how do you want to have policy files for each LXC environment? > Concatenated single file or separated multiple files? -- Toshiharu Harada harad...@nttdata.co.jp _______________________________________________ tomoyo-dev-en mailing list tomoyo-dev-en@lists.sourceforge.jp http://lists.sourceforge.jp/mailman/listinfo/tomoyo-dev-en
