On Fri, Jan 20, 2017 at 10:42:43AM +0100, Michal Privoznik wrote:
The current ordering is as follows: 1) set label 2) create the device in namespace 3) allow device in the cgroup While this might work for now, it will definitely not work if the security driver would use transactions as in that case there would be no device to relabel in the domain namespace as the device is created in the second step. Swap steps 1) and 2) to allow security driver to use more transactions.
ACK, makes more sense if I don't read the message =)
Description: Digital signature