-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Stephen Smalley wrote: > On Thu, 2008-05-01 at 23:22 +1000, James Morris wrote: >> On Thu, 1 May 2008, Stephen Smalley wrote: >> >>> the build host with no way to define it). Or a mechanism for a >>> hierarchy of policies (complex, and not clear how to handle objects as >>> they may be visible to processes operating under more than one policy, >>> e.g. both inside and outside of the chroot). >> Indeed, this might be helped by encoding DOIs into labels but would likely >> add lots of complexity and performance overhead. AFAICT, entities in >> different policy namespaces would need to be totally separated (unless >> purely hierarchical). > > Pure isolation would be cleaner, but won't work in the buildsys example, > as there we have rpm (running outside the chroot) installing files into > the chroot tree and then launching scriptlets within the chroot, so we > have processes both outside and within the chroot acting on the files. > > In any event, of the available alternatives, I think the > set-unknown-label option may be the only practical one. So if you have > any comments on the code in the patch or if you want it split into two > stages, let me know. Otherwise, I'll re-spin it with Casey's suggested > change. > This is half the solution. Don't we need a new /selinux for inside the chroot, so that when selinux-policy rpm installs the policy, it lies and says the policy was loaded. Then at the end of the install , restorecon is running on the entire image to make sure the labels match the file_context in the chroot. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkgbN68ACgkQrlYvE4MpobNNHwCg2nEftevFAgohBB7sWYe1olzk WjQAn2BKSqmNkEaiZZrhAJZBTp32PvdC =+3Br -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
