The current fedora.us buildsystem and future directions

Bill Nottingham notting at redhat.com
Mon Dec 1 20:00:51 UTC 2003


Enrico Scholz (enrico.scholz at informatik.tu-chemnitz.de) said: 
> >> 1. SELinux can protect foreign processes. But is it possible to hide
> >>    them in /proc also?
> >
> > If you cannot access it, why does it matter if it is visible?
> 
> E.g. 'service xyz stop' in rpm-scriptlets may have an unwanted behavior
> when it sees 'xyz' processes in other "contexts".

In general, you'll be able to tell that there's a process at pid <foo>,
but not what process it is.

Note that scriptlets in a build root very very very very very rarely
need to kick processes, if ever.

> >> 5. Can special mount-operations (e.g. /proc filesystem) be allowed by
> >>    the policy, or does this require userspace helper also?
> >
> > Not sure what you're asking here. Mount can be allowed or disallowed
> > based on the policy.
> 
> We have to allow *some* kinds of mount but forbid all other ones.

I would think that the buildroot filesystem setup & mounting would be
done outside of the chroot process.

Bill





More information about the fedora-devel-list mailing list