On 11/01/2016 12:50 PM, Daniel J Walsh wrote:
> I wrote a blog http://danwalsh.livejournal.com/75282.html which talks
> about chrome sandbox and its attempt to change its parent's oom_score_adj
> value. Which is labeled unconfined_t, the question has come up on
> Twitter to be able to change the label on just this object.
>
> I think we discussed this before, but how difficult would it be to
> change individual file labels under /proc/self/?
>

In this case the solution would probably be to just associate a private
type with the parent chrome process, but I know you think that is
"impossible".

Regardless I agree that it would be a nice feature. If it was available
then I would probably use it to restrict access to /proc/self/mounts for
my confined user shells if possible.

>
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift