load_policy in chroot question

Russell Coker russell at coker.com.au
Sat Feb 19 12:43:57 UTC 2005

On Saturday 15 January 2005 09:13, Alexandre Oliva <aoliva at redhat.com> wrote:
> In my case, what I used to do was to maintain two or more installs on
> each box, each of them up-to-date, such that, in case I messed up with
> the daily-use install (say rawhide), I could go back to a known-good
> install (say FC3 or even FC2).

The best thing to do would be to occasionally boot the older system to update 

> What would be really nice would be if loading a policy into selinux
> affected the behavior within that chroot (or rather within the
> directory tree accessible from the root at the time of policy load),

SE Linux controls all aspects of system security, including global thing such 
as mounting file systems and directly writing to block devices.  If the 
chroot had a local policy as you suggest then which policy would control 
writing to the device node for the boot device?

Something like Xen is what you need.  The below URL about Xen and hypervisor 
security may interest you.


http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

More information about the fedora-selinux-list mailing list