On Thu, Jan 24, 2008 at 05:48:20PM +0100, Till Maas wrote:
> > The main problem is detecting and handling accesses that cross the
> > policy boundary (non-chroot'd process attempts to access file within the
> > directory, chroot'd process manages to break out of the chroot and
> > attempts to access file outside of chroot).
>
> When there were different "namespaces" for the inner and outer selinux, then
> the outer selinux could handle the access through the chroot boundary using the
> normal host namespace and the inner selinux would only handle the access
> within the chroot, using its own namespace.

What do you do if the outside namespace wants to label a file differently
than the inner namespace? Create separate namespaces for the on-disk xattrs?