Re: [RFC] Virtualization steps

From: Chris Wright
Date: Thu Mar 30 2006 - 13:50:28 EST


* Serge E. Hallyn (serue@xxxxxxxxxx) wrote:
> Quoting Chris Wright (chrisw@xxxxxxxxxxxx):
> > This is all fine. The question is whether this is a policy management
> > issue or a kernel infrastructure issue. So far, it's not clear that this
> > really necessitates kernel infrastructure changes to support container
> > aware policies to be loaded by physical host admin/owner or the virtual
> > host admin. The place where it breaks down is if each virtual host
> > wants not only to control its own policy, but also its security model.
>
> What do you define as 'policy', and how is it different from the
> security model?

Model, as in TE, RBAC, or something trivially simple à la Openwall-type
protection. Policy, as in rules to drive the model.

> Second, we might want container admins to insert LSMs.

I think we can agree that this way lies madness.

thanks,
-chris