On Saturday 15 January 2005 09:13, Alexandre Oliva <aoliva(a)redhat.com> wrote:
In my case, what I used to do was to maintain two or more installs
on
each box, each of them up-to-date, such that, in case I messed up with
the daily-use install (say rawhide), I could go back to a known-good
install (say FC3 or even FC2).
The best thing to do would be to occasionally boot the older system to update
it.
What would be really nice would be if loading a policy into selinux
affected the behavior within that chroot (or rather within the
directory tree accessible from the root at the time of policy load),
SE Linux controls all aspects of system security, including global thing such
as mounting file systems and directly writing to block devices. If the
chroot had a local policy as you suggest then which policy would control
writing to the device node for the boot device?
Something like Xen is what you need. The below URL about Xen and hypervisor
security may interest you.
http://sourceforge.net/mailarchive/forum.php?thread_id=6364737&forum_...
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page