load_policy in chroot question
Valdis.Kletnieks at vt.edu
Valdis.Kletnieks at vt.edu
Sun Jan 9 06:20:22 UTC 2005
On Sat, 08 Jan 2005 21:55:07 PST, Bob Kashani said:
> When I install the selinux-policy-targeted rpm in a chroot it seems that
> load_policy is executed and loads the policy that's installed in the
> chroot into the running kernel (I'm assuming via %post). Should
> installing the selinux-policy-targeted rpm in a chroot allow this to
> happen? What if you're installing a policy into the chroot that's
> different than the one you have installed on your system? Is there a way
> to not allow load_policy to execute in a chroot?
In general, there's not much way to distinguish "in a chroot". The "SELinux Way"
to address this is to make sure that all files on the system that can legitimately
be loaded as policy are flagged with a context that allows loading them. If
there's nothing in the chroot with the appropriate context, it can't load it.
I notice yours is flagged as 'unconfined_t', which smells a lot like running
the targeted policy. The design point for that policy is "constrain certain
daemons, but assume that users are in general trusted and know what they're doing".
As such, it's assuming that if you're loading the policy from a chroot that
you know what you're doing and should be allowed to do so. If that doesn't
describe how you want things to work, maybe you should be running 'strict'
instead of 'targeted'?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20050109/3c7e980a/attachment.sig>
More information about the fedora-selinux-list
mailing list