[RFC] Livecd-creator and selinux, we can play nice
Bill Nottingham
notting at redhat.com
Thu May 29 15:01:17 UTC 2008
Daniel J Walsh (dwalsh at redhat.com) said:
> Well I think we need to do a couple of these to figure out the common
> requirements.
>
> I envision mock to be quite different than livecd. I think we need to
> fool the mock chroot to think SELinux is disabled and to do no labeling
> in the chroot. This would allow us to confine the mock process to be
> able to write to the chroot and label the chroot mock_rw_t. We could
> then use SELinux to prevent mock environments from breaking out of the
> chroot, and stop mock environments from doing evil network things within
> the chroot.
>
> In livecd we need to be able to put down labels that the host machine
> does not understand.
The problem is that mock can be used to do non-build things. (For example,
creating the anaconda install images.)
Bill