Message-ID: <470AA64E.2000807@crispincowan.com>
Date: Mon, 08 Oct 2007 14:51:10 -0700
From: Crispin Cowan
Organization: Crispin's Labs
To: "Eric W. Biederman"
CC: "Serge E. Hallyn", Kyle Moffett, Linus Torvalds, Bill Davidsen, Stephen Smalley, James Morris, Andrew Morton, casey@schaufler-ca.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel
References: <4702B1D5.5050502@tmr.com> <4703126D.70703@tmr.com> <15E46546-914A-4A1E-BB0B-642FDA17396B@mac.com> <20071008160611.GA7106@vino.hallyn.com> <20071008180038.GC7106@vino.hallyn.com>

Eric W. Biederman wrote:
> My very practical question: How do I run selinux in one container,
> and SMACK in another?
>
In AppArmor, we plan to 'containerize' (not sure what to call it) policy
so that you can have an AppArmor policy per container. This is not
currently the case; it is just the direction we want to go. We think it
would be very useful for virtual hosts to be able to have their own
AppArmor policy, independent of what other hosts are doing. The major
step towards this goal so far is that AppArmor rules are now
canonicalized to the name space.

However, I have never considered the idea of separate LSM modules per
container. The idea doesn't really make sense to me. It is kind of like
asking for private device drivers, or even a private kernel, per name
space. If that's what you want, use virtualization like KVM, Xen, or
VMware.

Crispin

-- 
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin/
Itanium. Vista. GPLv3. Complexity at work