The current fedora.us buildsystem and future directions

Colin Walters walters at verbum.org
Fri Nov 28 23:12:55 UTC 2003


On Fri, 2003-11-28 at 00:31, Enrico Scholz wrote:

> 1. SELinux can protect foreign processes. But is it possible to hide
>    them in /proc also?

It is not currently possible to hide them.  However, the entries in
/proc have the same type as the domain of the running process.  So if
you don't allow any operations on that type (including getattr), then
the only thing one can tell is that a process exists at that PID.

> 2. Is chroot(2) implemented in a safe manner? Or, can parent directories
>    of build-roots be protected with SELinux policies? Is a safe chroot(2)
>    required at all?

Using SELinux, a chroot doesn't provide any additional direct security. 
However, you may find it convenient to use a chroot in this instance so
that different sets of packages can be installed, etc.

> 3. What is the performance impact of the policy checking?

Minimal; IIRC the overhead was something like 1-2% for very system-call
intensive tasks, and negligible after that.

> 4. How can disk/memory usage be restricted with SELinux? Would CKRM be an
>    option?

SELinux does not deal with resource restrictions.

> 5. Can special mount-operations (e.g. /proc filesystem) be allowed by
>    the policy, or does this require userspace helper also?

The mount system call is restricted, yes.

> 6. Setup of an SELinux policy seems to be very complicated. How possible
>    are holes in a setup?

Assuming that there are no bugs in the kernel, it is impossible to reach
sysadm_t (essentially equivalent to the SELinux "root") if the policy
doesn't very explicitly permit it.

I hope that answers your questions!
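
An added example, not part of the original message and not taken from any SELinux tool: a small audit over a policy's `allow` rules that reports which domains' /proc entries a given domain can inspect (answer 1) and which domains it can reach through `process transition` rules, so one can confirm that no path leads to sysadm_t (answer 6). It assumes rules are already expanded (no attributes or macros) and models only the `transition` permission; `build_t`, `helper_t`, `build_tmp_t` and the sample rules are constructed for illustration.

```python
import re
from collections import deque

# Constructed sample policy (not from the original message); the types
# build_t, helper_t and build_tmp_t are hypothetical.
SAMPLE_POLICY = """
allow build_t self:dir { getattr search read };
allow build_t self:file { getattr read };
allow build_t helper_t:process transition;
allow helper_t build_t:dir { getattr search };
allow staff_t sysadm_t:process transition;
allow build_t build_tmp_t:file { create write };
"""

RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def parse_rules(text):
    """Yield (source, target, class, perms) for each plain allow rule."""
    for m in RULE.finditer(text):
        src, tgt, cls, braced, single = m.groups()
        tgt = src if tgt == "self" else tgt
        yield src, tgt, cls, set((braced or single or "").split())

def proc_visibility(text, domain, all_domains):
    """Domains whose /proc/<pid> entries `domain` may stat, search or read."""
    seen = set()
    for src, tgt, cls, perms in parse_rules(text):
        if src == domain and tgt in all_domains and cls in ("dir", "file"):
            if perms & {"getattr", "search", "read"}:
                seen.add(tgt)
    return seen

def reachable_domains(text, start):
    """Domains reachable from `start` by following process:transition rules."""
    edges = {}
    for src, tgt, cls, perms in parse_rules(text):
        if cls == "process" and "transition" in perms:
            edges.setdefault(src, set()).add(tgt)
    found, queue = set(), deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in found:
                found.add(nxt)
                queue.append(nxt)
    return found

DOMAINS = {"build_t", "helper_t", "staff_t", "sysadm_t"}
```

With the sample rules, build_t can inspect only its own /proc entries and can reach helper_t but not sysadm_t, while staff_t has an explicit transition to sysadm_t.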