On Tue, Aug 6, 2024 at 12:56 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
> With these changes applied, the following sequence works to
> demonstrate creating a new SELinux namespace:
> # Ask to unshare SELinux namespace on next exec
> $ echo 1 > /sys/fs/selinux/unshare
> # Unshare the mount and network namespaces too.
> # This is required in order to create our own selinuxfs mount for the
> # new namespace and to isolate our own SELinux netlink socket.
> $ unshare -m -n
> # Mount our own selinuxfs instance for our new SELinux namespace
> $ mount -t selinuxfs none /sys/fs/selinux
> # Load a policy into our SELinux namespace
> $ load_policy
> # Create a shell in the unconfined user/role/domain
> $ runcon unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 /bin/bash
> $ setenforce 1
> $ id
> uid=0(root) gid=0(root) groups=0(root)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> NB This new namespace is NOT currently confined by its parent. And
> there remain many unresolved issues.

A couple of additional changes pushed, one to fix a bug in the inode handling and another to introduce support for revalidating superblock SIDs and updating them as needed for the namespace. With these changes, the selinux-testsuite filesystem-related tests appear to pass within a new SELinux namespace. Other tests vary - some pass, some fail, some hang.
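The sequence quoted above, collected into one script with pre-flight checks. This is an added example, not code from the mail or from the SELinux namespace patchset. It assumes the patchset is applied (that is what provides /sys/fs/selinux/unshare), that unshare(1), load_policy(8), runcon(1) and setenforce(8) are installed, and that, as the mail states, the new namespace is created at the next exec after the flag is written, here the exec of unshare(1). The SELINUXFS and SELINUX_NS_RUN variables are this script's own; on a kernel without the patchset the support check fails and nothing is unshared.

```shell
#!/bin/sh
# Added example, not from the original mail or the SELinux namespace patchset.
# Wraps the quoted sequence in one script with pre-flight checks.
# Assumptions: the patchset is applied, so /sys/fs/selinux/unshare exists;
# unshare(1), load_policy(8), runcon(1) and setenforce(8) are installed.

# Overridable so the checks can be pointed at a constructed directory tree.
SELINUXFS="${SELINUXFS:-/sys/fs/selinux}"

# Context for the shell inside the new namespace, taken from the quoted mail.
NS_CONTEXT="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"

# Succeeds only if the kernel exposes the unshare control file from the patchset.
selinux_ns_supported() {
    [ -f "$SELINUXFS/unshare" ]
}

# Command run inside the fresh mount and network namespaces: mount a private
# selinuxfs, load a policy into the new SELinux namespace, switch to the
# unconfined context, go enforcing and drop into a shell. Returned as a string
# so it can be inspected without root or the patchset.
selinux_ns_inner_cmd() {
    printf 'mount -t selinuxfs none %s && load_policy && runcon %s /bin/sh -c "setenforce 1 && id && exec /bin/bash"' \
        "$SELINUXFS" "$NS_CONTEXT"
}

# Request a new SELinux namespace, then exec into new mount and network
# namespaces. The SELinux namespace is created at the exec of unshare(1),
# the "next exec" after writing the flag; everything it starts inherits it.
selinux_ns_enter() {
    if ! selinux_ns_supported; then
        echo "no $SELINUXFS/unshare: kernel lacks SELinux namespace support" >&2
        return 1
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "must be root to create the namespace and load a policy" >&2
        return 1
    fi
    echo 1 > "$SELINUXFS/unshare" || return 1
    exec unshare -m -n /bin/sh -c "$(selinux_ns_inner_cmd)"
}

# Enter only when explicitly asked, so the file can also be sourced.
if [ "${SELINUX_NS_RUN:-0}" = 1 ]; then
    selinux_ns_enter
fi
```

Run as root with `SELINUX_NS_RUN=1 sh selinux-ns.sh` on a kernel carrying the patchset; the shell you land in reports the unconfined context from the mail. Keep the mail's caveat in mind: the namespace this creates is not confined by its parent, so the script is a convenience for testing, not an isolation boundary.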