load_policy in chroot question
Russell Coker
russell at coker.com.au
Sat Feb 19 12:43:57 UTC 2005
On Saturday 15 January 2005 09:13, Alexandre Oliva <aoliva at redhat.com> wrote:
> In my case, what I used to do was to maintain two or more installs on
> each box, each of them up-to-date, such that, in case I messed up with
> the daily-use install (say rawhide), I could go back to a known-good
> install (say FC3 or even FC2).
The best thing to do would be to occasionally boot the older system to update
it.
> What would be really nice would be if loading a policy into selinux
> affected the behavior within that chroot (or rather within the
> directory tree accessible from the root at the time of policy load),
SE Linux controls all aspects of system security, including global thing such
as mounting file systems and directly writing to block devices. If the
chroot had a local policy as you suggest then which policy would control
writing to the device node for the boot device?
Something like Xen is what you need. The below URL about Xen and hypervisor
security may interest you.
http://sourceforge.net/mailarchive/forum.php?thread_id=6364737&forum_id=35600
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
More information about the fedora-selinux-list
mailing list