Re: The current fedora.us buildsystem and future directions
- From: Bill Nottingham <notting redhat com>
- To: fedora-devel-list redhat com
- Subject: Re: The current fedora.us buildsystem and future directions
- Date: Mon, 1 Dec 2003 15:00:51 -0500
Enrico Scholz (enrico scholz informatik tu-chemnitz de) said:
> >> 1. SELinux can protect foreign processes. But is it possible to hide
> >> them in /proc also?
> >
> > If you cannot access it, why does it matter if it is visible?
>
> E.g. 'service xyz stop' in rpm-scriptlets may have an unwanted behavior
> when it sees 'xyz' processes in other "contexts".
In general, you'll be able to tell that there's a process at pid <foo>,
but not what process it is.
Note that scriptlets in a build root very very very very very rarely
need to kick processes, if ever.
> >> 5. Can special mount-operations (e.g. /proc filesystem) be allowed by
> >> the policy, or does this require userspace helper also?
> >
> > Not sure what you're asking here. Mount can be allowed or disallowed
> > based on the policy.
>
> We have to allow *some* kinds of mount but forbid all other ones.
I would think that the buildroot filesystem setup & mounting would be
done outside of the chroot process.
Bill