selinux breaks revisor
Till Maas
opensource at till.name
Thu Jan 24 16:11:59 UTC 2008
On Thu January 24 2008, Daniel J Walsh wrote:
> machine. For example if you are building a Fedora 7 livecd on a Fedora
> 8 host machine, when the new selinux-policy package gets installed the
> Fedora 7 policy will load and replace the Fedora 8 policy. This will
> invalidate any contexts that existed in Fedora 8 and not in Fedora 7
> causing them to become unlabeled_t. If this happens to a process, the
> process usually goes wild. We (SELinux engineering) is working on some
> solutions, but don't have a good one now.
>
> Virtual machines? Getting the chroot to run with a different kernel.
> Faking out /selinux in chroot to do nothing on policy load?
> Trying to stop Transitions?
Imho it would be nice if it was possible to mark (label) a directory from the
outside to be the root of the chroot. Then everything within the chroot
directory should have a label for the outside selinux and a label for the
inside selinux. The selinus from the outside should allow everything within
the chroot to to whatever it wants within the chroot (this could be configure
within the policy), but should restrict access to everything outside the
chroot. The selinux within the chroot then should act like there is only the
inside policy and enforce it like it was the only one.
Regards,
Till
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 827 bytes
Desc: This is a digitally signed message part.
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20080124/5c92fdfe/attachment-0002.bin
More information about the devel
mailing list