On Tue, Jul 16, 2019 at 6:18 PM Casey Schaufler <casey(a)schaufler-ca.com> wrote:
> It sounds as if some variant of the Hideous format:
>
>         subj=selinux='a:b:c:d',apparmor='z'
>         subj=selinux/a:b:c:d/apparmor/z
>         subj=(selinux)a:b:c:d/(apparmor)z
>
> would meet Steve's searchability requirements, but with significant
> parsing performance penalties.

I think "hideous format" sums it up nicely. Whatever we choose here
we are likely going to be stuck with for some time and I'm near to
100% that multiplexing the labels onto a single field is going to be a
disaster.
--
paul moore
www.paul-moore.com
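
Added example (not part of the original message, and not code from the audit project): a Python demultiplexer showing what a log consumer has to do before it can compare one LSM's label when several are packed into a single subj= field, using the three candidate encodings quoted in the message above. The function names and the dispatch between encodings are assumptions made for illustration.

```python
import re

# The three encodings exactly as quoted in the message above.
CANDIDATES = (
    "subj=selinux='a:b:c:d',apparmor='z'",
    "subj=selinux/a:b:c:d/apparmor/z",
    "subj=(selinux)a:b:c:d/(apparmor)z",
)
_QUOTED = re.compile(r"([a-z]+)='([^']*)'(?:,|$)")      # first encoding
_PAREN = re.compile(r"\(([a-z]+)\)([^/()]*)(?:/|$)")    # third encoding


def _scan(pattern, field):
    """Consume the whole field with back-to-back matches of pattern."""
    labels, pos = {}, 0
    while pos < len(field):
        m = pattern.match(field, pos)
        if m is None:
            raise ValueError(f"unparseable subj field at offset {pos}: {field!r}")
        labels[m.group(1)] = m.group(2)
        pos = m.end()
    return labels


def _split_slashes(field):
    """Second encoding: alternating name/label segments."""
    parts = field.split("/")
    if len(parts) % 2:
        # Segments cannot be paired up, e.g. because a label contained '/'.
        raise ValueError(f"ambiguous subj field: {field!r}")
    return dict(zip(parts[0::2], parts[1::2]))


def parse_subj(field):
    """Return {lsm_name: label} for any of the three candidate encodings."""
    if field.startswith("subj="):
        field = field[len("subj="):]
    if field.startswith("("):
        return _scan(_PAREN, field)
    if "='" in field:
        return _scan(_QUOTED, field)
    return _split_slashes(field)


def subj_matches(field, lsm, label):
    """Exact per-LSM comparison; the field must be fully split first."""
    return parse_subj(field).get(lsm) == label
```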