On 02/05/2014 09:41 AM, Victor Porton wrote: > MCS also has a use in sandboxing: > > http://portonsoft.wordpress.com/2014/01/11/toward-robust-linux-sandbox/ > > By the way, it would help if you allow more than 1024 categories. > > It is a good idea to build a category from the process ID of the calling program. > > It can nevertheless be done with the current kernel assigning SEVERAL categories to MCS, having the list of categories determined by the process ID. But calculating several categories from one process ID is silly. > > If I'd take the decision, I would allow any (possibly 64 bit) number as a category in MCS. Thus we would just pass process ID to SELinux when programming the sandbox. > > P.S. Debian yet does not work well with enforcing SELinux. For this reason I have lied aside my project related with sandboxing for an indefinite time (until SELinux will work with my Debian). Number of categories is policy-defined, not hardcoded, but there are some current implementation aspects that make it more costly than it should be to greatly expand them. Besides, it is trivial to encode IDs as category sets and this is already demonstrated through a variety of existing implementations (at least openshift and Android, don't recall if svirt and/or sandbox do the same). _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
