On Feb 19, 2005, Russell Coker <russell@xxxxxxxxxxxx> wrote: > SE Linux controls all aspects of system security, including global > thing such as mounting file systems and directly writing to block > devices. If the chroot had a local policy as you suggest then which > policy would control writing to the device node for the boot device? Err... No differently from the way the Xen solution you recommended would? Except, perhaps, for... > http://sourceforge.net/mailarchive/forum.php?thread_id=6364737&forum_id=35600 which would require presumably yet another layer of MAC configuration files. Which means yet another level of setting up and overlapping settings, not really different from one possible implementation for chroot policies. -- Alexandre Oliva http://www.ic.unicamp.br/~oliva/ Red Hat Compiler Engineer aoliva@{redhat.com, gcc.gnu.org} Free Software Evangelist oliva@{lsd.ic.unicamp.br, gnu.org}
