selinux breaks revisor
Chuck Anderson
cra at WPI.EDU
Thu Jan 24 17:05:08 UTC 2008
On Thu, Jan 24, 2008 at 05:48:20PM +0100, Till Maas wrote:
> > The main problem is detecting and handling accesses that cross the
> > policy boundary (non-chroot'd process attempts to access file within the
> > directory, chroot'd process manages to break out of the chroot and
> > attempts to access file outside of chroot).
>
> When there were different "namespaces" for the inner and outer selinux, then
> the outer selinux could handle the access through the chroot boundary using the
> normal host namespace and the inner selinux would only handle the access
> within the chroot, using its own namespace.
What do you do if the outside namespace wants to label a file
differently than the inner namespace? Create separate namespaces for
the on-disk xattrs?
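The question above is about one inode carrying a single security.selinux xattr while two policies (host and chroot) may each want a different label for it. The following is an added illustration, not code from this thread or from SELinux: a small model with constructed, file_contexts-style rules for a host and for a chroot mounted at an assumed path /srv/chroot, and a check that lists the files both sides would label differently. Rule matching here is simplified to first-match and is not libselinux's matching algorithm; on_disk_label reads the real xattr with os.getxattr and returns None where there is none.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed location of the chroot on the host; "/" as seen from inside.
CHROOT_ROOT = "/srv/chroot"

# Constructed host-side rules: the host treats the whole chroot tree as one type.
HOST_RULES: List[Tuple[str, str]] = [
    (r"/srv/chroot(/.*)?", "system_u:object_r:chroot_file_t:s0"),
    (r"/etc/passwd", "system_u:object_r:passwd_file_t:s0"),
    (r"/.*", "system_u:object_r:default_t:s0"),
]

# Constructed chroot-side rules: inside, the same files get "normal" types.
INNER_RULES: List[Tuple[str, str]] = [
    (r"/etc/passwd", "system_u:object_r:passwd_file_t:s0"),
    (r"/usr/bin(/.*)?", "system_u:object_r:bin_t:s0"),
    (r"/.*", "system_u:object_r:default_t:s0"),
]


def desired_label(rules: List[Tuple[str, str]], path: str) -> Optional[str]:
    """Label a rule set wants for a path. First matching rule wins (a simplification)."""
    for pattern, label in rules:
        if re.fullmatch(pattern, path):
            return label
    return None


def inner_path(host_path: str) -> Optional[str]:
    """Path the chroot sees for a host path, or None if the file is outside the chroot."""
    if host_path == CHROOT_ROOT:
        return "/"
    if host_path.startswith(CHROOT_ROOT + "/"):
        return host_path[len(CHROOT_ROOT):]
    return None


@dataclass
class LabelView:
    host_path: str
    outer_label: Optional[str]   # what the host policy wants on the inode
    inner_label: Optional[str]   # what the chroot policy wants, None if not visible inside

    def conflict(self) -> bool:
        # Only one security.selinux xattr exists per inode, so differing wishes collide.
        return self.inner_label is not None and self.inner_label != self.outer_label


def label_views(host_paths: List[str]) -> List[LabelView]:
    """Compute both policies' desired labels for each host path."""
    views = []
    for hp in host_paths:
        outer = desired_label(HOST_RULES, hp)
        ip = inner_path(hp)
        inner = desired_label(INNER_RULES, ip) if ip is not None else None
        views.append(LabelView(hp, outer, inner))
    return views


def conflicts(host_paths: List[str]) -> List[LabelView]:
    """Files the host and the chroot would label differently."""
    return [v for v in label_views(host_paths) if v.conflict()]


def on_disk_label(path: str) -> Optional[str]:
    """The one label the inode actually carries, read from its security.selinux xattr."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except OSError:          # no SELinux label, xattrs unsupported, or no such file
        return None
    return raw.rstrip(b"\0").decode()


if __name__ == "__main__":
    # Constructed sample paths: two inside the chroot, one outside it.
    sample = ["/srv/chroot/etc/passwd", "/srv/chroot/usr/bin/ls", "/etc/passwd"]
    for v in conflicts(sample):
        print(f"{v.host_path}: host wants {v.outer_label}, chroot wants {v.inner_label}")
```

Run against the constructed sample, the two files under /srv/chroot show up as conflicts (the host wants chroot_file_t on both, the chroot wants passwd_file_t and bin_t), while /etc/passwd is not visible to the chroot and so cannot conflict. Whichever side runs restorecon last wins the single xattr, which is exactly the problem the question points at.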