On Thu, 2008-05-01 at 23:22 +1000, James Morris wrote: > On Thu, 1 May 2008, Stephen Smalley wrote: > > > the build host with no way to define it). Or a mechanism for a > > hierarchy of policies (complex, and not clear how to handle objects as > > they may be visible to processes operating under more than one policy, > > e.g. both inside and outside of the chroot). > > Indeed, this might be helped by encoding DOIs into labels but would likely > add lots of complexity and performance overhead. AFAICT, entities in > different policy namespaces would need to be totally separated (unless > purely hierarchical). Pure isolation would be cleaner, but won't work in the buildsys example, as there we have rpm (running outside the chroot) installing files into the chroot tree and then launching scriptlets within the chroot, so we have processes both outside and within the chroot acting on the files. In any event, of the available alternatives, I think the set-unknown-label option may be the only practical one. So if you have any comments on the code in the patch or if you want it split into two stages, let me know. Otherwise, I'll re-spin it with Casey's suggested change. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
