On Saturday 15 January 2005 09:13, Alexandre Oliva <aoliva@xxxxxxxxxx> wrote: > In my case, what I used to do was to maintain two or more installs on > each box, each of them up-to-date, such that, in case I messed up with > the daily-use install (say rawhide), I could go back to a known-good > install (say FC3 or even FC2). The best thing to do would be to occasionally boot the older system to update it. > What would be really nice would be if loading a policy into selinux > affected the behavior within that chroot (or rather within the > directory tree accessible from the root at the time of policy load), SE Linux controls all aspects of system security, including global thing such as mounting file systems and directly writing to block devices. If the chroot had a local policy as you suggest then which policy would control writing to the device node for the boot device? Something like Xen is what you need. The below URL about Xen and hypervisor security may interest you. http://sourceforge.net/mailarchive/forum.php?thread_id=6364737&forum_id=35600 -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
