load_policy in chroot question

Alexandre Oliva aoliva at redhat.com
Mon Feb 21 13:54:31 UTC 2005

On Feb 19, 2005, Russell Coker <russell at coker.com.au> wrote:

> SE Linux controls all aspects of system security, including global
> thing such as mounting file systems and directly writing to block
> devices.  If the chroot had a local policy as you suggest then which
> policy would control writing to the device node for the boot device?

Err...  No differently from the way the Xen solution you recommended
would?  Except, perhaps, for...

> http://sourceforge.net/mailarchive/forum.php?thread_id=6364737&forum_id=35600

which would require presumably yet another layer of MAC configuration
files.  Which means yet another level of setting up and overlapping
settings, not really different from one possible implementation for
chroot policies.

Alexandre Oliva             http://www.ic.unicamp.br/~oliva/
Red Hat Compiler Engineer   aoliva@{redhat.com, gcc.gnu.org}
Free Software Evangelist  oliva@{lsd.ic.unicamp.br, gnu.org}

More information about the fedora-selinux-list mailing list