Re: selinux breaks revisor
- From: Chuck Anderson <cra WPI EDU>
- To: fedora-devel-list redhat com
- Subject: Re: selinux breaks revisor
- Date: Thu, 24 Jan 2008 12:05:08 -0500
On Thu, Jan 24, 2008 at 05:48:20PM +0100, Till Maas wrote:
> > The main problem is detecting and handling accesses that cross the
> > policy boundary (non-chroot'd process attempts to access file within the
> > directory, chroot'd process manages to break out of the chroot and
> > attempts to access file outside of chroot).
>
> When there were different "namespaces" for the inner and outer selinux, then
> the outer selinux could handle the access through the chroot boundary using the
> normal host namespace and the inner selinux would only handle the access
> within the chroot, using its own namespace.
What do you do if the outside namespace wants to label a file
differently than the inner namespace? Create separate namespaces for
the on-disk xattrs?