On Sat, 08 Jan 2005 21:55:07 PST, Bob Kashani said: > When I install the selinux-policy-targeted rpm in a chroot it seems that > load_policy is executed and loads the policy that's installed in the > chroot into the running kernel (I'm assuming via %post). Should > installing the selinux-policy-targeted rpm in a chroot allow this to > happen? What if you're installing a policy into the chroot that's > different than the one you have installed on your system? Is there a way > to not allow load_policy to execute in a chroot? In general, there's not much way to distinguish "in a chroot". The "SELinux Way" to address this is to make sure that all files on the system that can legitimately be loaded as policy are flagged with a context that allows loading them. If there's nothing in the chroot with the appropriate context, it can't load it. I notice yours is flagged as 'unconfined_t', which smells a lot like running the targeted policy. The design point for that policy is "constrain certain daemons, but assume that users are in general trusted and know what they're doing". As such, it's assuming that if you're loading the policy from a chroot that you know what you're doing and should be allowed to do so. If that doesn't describe how you want things to work, maybe you should be running 'strict' instead of 'targeted'?
Attachment:
pgpLrMJEsdSg0.pgp
Description: PGP signature
