load_policy in chroot question

Alexandre Oliva aoliva at redhat.com
Fri Jan 14 22:13:43 UTC 2005


On Jan 10, 2005, Colin Walters <walters at redhat.com> wrote:

> What is it specifically that you are doing with the chroot?  Building
> RPMs?

In my case, what I used to do was to maintain two or more installs on
each box, each of them up-to-date, such that, in case I messed up with
the daily-use install (say rawhide), I could go back to a known-good
install (say FC3 or even FC2).

Ever since SELinux came into the picture, it became impossible to do
this properly.

What would be really nice would be if loading a policy into SELinux
affected the behavior within that chroot (or rather within the
directory tree accessible from the root at the time of policy load),
while leaving the policy for the original root alone.  I suppose this
would be tricky to implement, but I don't see that it would be
impossible nor insecure.  You might of course need some policy tweaks
to enable a chroot dir to have a policy loaded inside it, that might
override the part of the original-root policy that applied to the
chroot, but nothing outside the chroot.  Or something along these
lines.

Personally, I'd find this useful, although now I see that, in order to
keep a known-good alternate distro available, I'd better not be
installing updates on it, since the updates might sometimes make it,
erhm, ungood :-)

-- 
Alexandre Oliva             http://www.ic.unicamp.br/~oliva/
Red Hat Compiler Engineer   aoliva@{redhat.com, gcc.gnu.org}
Free Software Evangelist  oliva@{lsd.ic.unicamp.br, gnu.org}




More information about the fedora-selinux-list mailing list