On Tue, 2008-01-22 at 13:14 -0500, Jesse Keating wrote: > On Tue, 22 Jan 2008 13:04:26 -0500 > Simo Sorce <ssorce@xxxxxxxxxx> wrote: > > > It seem to me that SELinux can provide for the same (or better) > > "features" of chroot without actually requiring a chrooted > > environment. So shouldn't we simply provide targeted policies and not > > use chroot for known services ? > > That's not the point of many chroot usages. Frequently chroots are > used to gain access to content from a different release or arch than > what you have installed. EG we use RHEL5 to create chroots of f9 and > build packages within that chroot using F9 content. Likewise we do a > pure i386 package set on x86_64 to accomplish our i386 build. These > types of usages cannot be easily replaced with an selinux policy. I am sorry, I was thinking only about the security usage of chroots. I have been using chroots for "mock like" usage myself to release samba packages for older Debian releases for many years, should have just been thinking harder :-) What Yakoov wrote in the other emails makes a lot of sense indeed. Simo. -- | Simo S Sorce | | Sr.Soft.Eng. | | Red Hat, Inc | | New York, NY | -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
