On Sat, 08 Jan 2005 21:55:07 PST, Bob Kashani said:
> When I install the selinux-policy-targeted rpm in a chroot it seems that
> load_policy is executed and loads the policy that's installed in the
> chroot into the running kernel (I'm assuming via %post). Should
> installing the selinux-policy-targeted rpm in a chroot allow this to
> happen? What if you're installing a policy into the chroot that's
> different than the one you have installed on your system? Is there a way
> to not allow load_policy to execute in a chroot?

In general, there's not much way to distinguish "in a chroot". The "SELinux
Way" to address this is to make sure that all files on the system that can
legitimately be loaded as policy are flagged with a context that allows
loading them. If there's nothing in the chroot with the appropriate context,
it can't load it.
I notice yours is flagged as 'unconfined_t', which smells a lot like running
the targeted policy. The design point for that policy is "constrain certain
daemons, but assume that users are in general trusted and know what they're
doing".
As such, it's assuming that if you're loading the policy from a chroot that
you know what you're doing and should be allowed to do so. If that doesn't
describe how you want things to work, maybe you should be running 'strict'
instead of 'targeted'?