James Morris | 1 May 2008 15:22

Re: [RFC][PATCH v2] selinux: support deferred mapping of contexts

On Thu, 1 May 2008, Stephen Smalley wrote:

> the build host with no way to define it).  Or a mechanism for a
> hierarchy of policies (complex, and not clear how to handle objects as
> they may be visible to processes operating under more than one policy,
> e.g. both inside and outside of the chroot).

Indeed, this might be helped by encoding DOIs into labels but would likely 
add lots of complexity and performance overhead.  AFAICT, entities in 
different policy namespaces would need to be totally separated (unless 
purely hierarchical).

- James
-- 
James Morris
<jmorris@...>

