selinux breaks revisor

Rahul Sundaram sundaram at fedoraproject.org
Tue Jan 22 18:17:51 UTC 2008


Simo Sorce wrote:
> On Tue, 2008-01-22 at 13:01 -0500, Yaakov Nemoy wrote:
>> On Jan 22, 2008 12:16 PM, Jeff Spaleta <jspaleta at gmail.com> wrote:
>>> Selinux when interacting with any chroot-like apparatus is still a
>>> problem.  Perhaps it's time to take stock of all the packages that rely
>>> on chroot-like behavior which are similarly affected by selinux, so
>>> that a common technical solution can be found and applied.
>> +1
>>
>> This is just a bug between SELinux and any chrooting program.  It is
>> not a reason to fetch torches and pitchforks or to complain that
>> SELinux sucks, or any of that nonsense. Fixing the interaction between
>> SELinux and chroot is one of those things that can only get better the
>> more real world usage SELinux sees.
> 
> It seems to me that SELinux can provide for the same (or better)
> "features" of chroot without actually requiring a chrooted environment.
> So shouldn't we simply provide targeted policies and not use chroot for
> known services?

That wouldn't work. You shouldn't rely on SELinux but only take 
advantage of it if it is enabled.

Rahul



