On Tue, Dec 15, 2015 at 2:09 PM, Joe Nall <[email protected]> wrote:
>> On Dec 15, 2015, at 12:03 PM, Stephen Smalley <[email protected]> wrote:
>> Are you patching the kernel to support > 4K contexts?
>> Otherwise, I'd expect you run up against the proc and selinuxfs API
>> limitations (page size) and/or the filesystem xattr storage limitations
>> (block size).
>
> No. The example was a contrived example of what is possible within the
> format. We use a couple of 2500 byte labels in formal test these days to make
> sure that we don't have an OS regression. I just get tired of code like this
> in openswan:
>
> #ifdef HAVE_LABELED_IPSEC
> /* security label length should not exceed 256 in most cases,
>  * (discussed with kernel and selinux people).
>  */
> #define MAX_SECCTX_LEN 257 /* including '\0'*/

So let's just get rid of labeled IPsec ... show of hands? ;)

--
paul moore
www.paul-moore.com
