On Thu, Jan 24, 2008 at 05:48:20PM +0100, Till Maas wrote:
> The main problem is detecting and handling accesses that cross the
> policy boundary (non-chroot'd process attempts to access file within the
> directory, chroot'd process manages to break out of the chroot and
> attempts to access file outside of chroot).
If there were different "namespaces" for the inner and outer selinux, then
the outer selinux could handle the access through the chroot boundary using the
normal host namespace and the inner selinux would only handle the access
within the chroot, using its own namespace.
What do you do if the outside namespace wants to label a file
differently than the inner namespace? Create separate namespaces for
the on-disk xattrs?