On Wed, 2008-04-16 at 23:23 -0400, Bill Nottingham wrote:
> James Morris (jmorris@xxxxxxxxx) said:
> > > You cannot create files in a chroot of a context not known by the
> > > host policy. This means that if your host is running RHEL 5, you are
> > > unable to compose any trees/images/livecds with SELinux enabled for
> > > later releases.
> >
> > Ok, that's what I suspected.
> >
> > One of the possible plans for this is to allow a process to run in a
> > separate policy namespace, and probably also utilize namespace support in
> > general.
> >
> > This is non-trivial and needs more analysis.
>
> Incidentally, this is also one of the blockers for policy-in-packages,
> rather than a monolithic one.

I assume you mean setting down unknown file labels rather than per-namespace
or per-chroot policy support. I think they are related but different. The
former is required if you always plan to install the files _before_ loading
the policy. The latter is required primarily for getting any scriptlets to
run in the right security contexts so that any files they create are labeled
appropriately within the chroot.

Also, I wanted to emphasize that chroot is different than unsharing the
filesystem namespace, and per-chroot policy is not the same thing as
per-namespace policy. I'd expect though that it would actually be a
per-process policy mechanism, with most processes sharing the same policy
but programs like rpm being able to unshare policy from their parent and
then load a private policy to be applied only to their descendants.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
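The failure the quoted lines describe (files in a composed tree carrying a type the host policy does not define) can be checked for before the compose is attempted. The following is an added example, not code from the thread or from SELinux itself; its inputs are constructed inline in the shape of `seinfo -t` output and of a `context<TAB>path` listing, and the type names in them are made up.

```python
"""Audit a chroot tree's file labels against the types the host policy knows."""

from dataclasses import dataclass

# Constructed: types the host policy defines, in the layout `seinfo -t` prints.
HOST_TYPES_OUTPUT = """\
Types: 4
   bin_t
   etc_t
   lib_t
   var_t
"""

# Constructed: labels of a composed tree, one `context<TAB>path` line each.
# `newrelease_t` is a made-up type standing in for one only a newer policy knows.
TREE_LISTING = """\
system_u:object_r:bin_t:s0\t/mnt/tree/bin/ls
system_u:object_r:etc_t:s0\t/mnt/tree/etc/fstab
system_u:object_r:newrelease_t:s0-s0:c0.c1023\t/mnt/tree/usr/sbin/newd
system_u:object_r:lib_t:s0\t/mnt/tree/lib/libc.so.6
"""


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    level: str


def parse_context(ctx: str) -> Context:
    # An MLS level itself contains ':' (s0-s0:c0.c1023), so only the first three
    # colons separate fields; whatever follows the third colon is the level.
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed context: {ctx!r}")
    level = parts[3] if len(parts) == 4 else ""
    return Context(parts[0], parts[1], parts[2], level)


def parse_host_types(seinfo_output: str) -> set[str]:
    # Drop the "Types: N" header line; each remaining non-empty line is one type.
    return {ln.strip() for ln in seinfo_output.splitlines()[1:] if ln.strip()}


def unknown_labels(listing: str, host_types: set[str]) -> list[tuple[str, str]]:
    """Return (path, type) pairs whose type the host policy does not define."""
    bad = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        ctx_str, path = line.split("\t", 1)
        ctx = parse_context(ctx_str)
        if ctx.type not in host_types:
            bad.append((path, ctx.type))
    return bad


if __name__ == "__main__":
    for path, t in unknown_labels(TREE_LISTING, parse_host_types(HOST_TYPES_OUTPUT)):
        print(f"{path}: type {t} is unknown to the host policy")
```

On a real host the two inputs would come from `seinfo -t` and from a recursive `ls -Z`-style walk of the tree; the parsing is the same.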