Re: SELinux namespaces re-base
Hi,
I wonder if SELinux namespaces could be used for sandboxing,
specifically with systemd. When enabled for a service with a directive
(something like NamespacedSELinuxPolicy=path), PID1 could load a service
specific namespaced policy and apply it to the service as it starts.
These kinds of policies could be extremely minimal and hardened when
optimized.
The implementation should avoid interfering with other sandboxing
activities and also avoid AVC pollution from them, so preferably there
should be a way to set up the namespacing and load the policy in a way
that these will only take effect at next execve() call, much like
setexeccon(). However, errors should be returned as early as possible
so that the error can be associated with the loading. Also it
should be possible to enable SELinux namespacing independently of other
namespacing options as they are controlled by other directives.
Would this be an interesting use case? Would it need major design
changes? Systemd already loads a SELinux policy at boot so there's some
infrastructure in place.
-Topi