But our people have limited time to work on it, it has been back
burner-ed since last summer.
https://bugzilla.redhat.com/show_bug.cgi?id=1236256
Basically User Namespace introduces a new concept of Namespaced
capabilities. SELinux currently blocks the use of all capabilities
and does not differentiate. If someone is looking to cut their teeth on
Kernel and Security work, I think it would be a good project
to try to differentiate in policy and the kernel between the two
Capabilities.
The current problem I am seeing is with a confined user. staff_t does
not have any capabilities, but when he runs Chrome, it uses
usernamespace to isolate the chrome_sandbox and protect the host. Non
privilege users on Fedora are allowed to setup User Namespaces
but some of the activity of setting up the User Namespace requires
Namespaced SYS_ADMIN. Since SELinux blocks SYS_ADMIN for staff_t
I can not run Chrome with out temporarily setenforce 0, or adding
SYS_ADMIN to staff_t. Neither is an attractive solution.
Wearing my best Tom Sawyer hat, white washing this fence would be fun.
Anyone want to take a shot?
Dan
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
