On Jan 10, 2005, Colin Walters <walters@xxxxxxxxxx> wrote:

> What is it specifically that you are doing with the chroot? Building
> RPMs?

In my case, what I used to do was to maintain two or more installs on each box, each of them up-to-date, such that, in case I messed up with the daily-use install (say rawhide), I could go back to a known-good install (say FC3 or even FC2). Ever since SELinux came into the picture, it became impossible to do this properly.

What would be really nice would be if loading a policy into selinux affected the behavior within that chroot (or rather within the directory tree accessible from the root at the time of policy load), while leaving the policy for the original root alone. I suppose this would be tricky to implement, but I don't see that it would be impossible nor insecure. You might of course need some policy tweaks to enable a chroot dir to have a policy loaded inside it, that might override the part of the original-root policy that applied to the chroot, but nothing outside the chroot. Or something along these lines.

Personally, I'd find this useful, although now I see that, in order to keep a known-good alternate distro available, I'd better not be installing updates on it, since the updates might sometimes make it, erhm, ungood :-)

--
Alexandre Oliva             http://www.ic.unicamp.br/~oliva/
Red Hat Compiler Engineer   aoliva@{redhat.com, gcc.gnu.org}
Free Software Evangelist  oliva@{lsd.ic.unicamp.br, gnu.org}