[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: The current fedora.us buildsystem and future directions



Enrico Scholz (enrico scholz informatik tu-chemnitz de) said: 
> >> 1. SELinux can protect foreign processes. But is it possible to hide
> >>    them in /proc also?
> >
> > If you cannot access it, why does it matter if it is visible?
> 
> E.g. 'service xyz stop' in rpm-scriptlets may have an unwanted behavior
> when it sees 'xyz' processes in other "contexts".

In general, you'll be able to tell that there's a process at pid <foo>,
but not what process it is.

Note that scriplets in a build root very very very very very rarely
need to kick processes, if ever.

> >> 5. Can special mount-operations (e.g. /proc filesystem) be allowed by
> >>    the policy, or does this require userspace helper also?
> >
> > Not sure what you're asking here. Mount can be allowed or disallowed
> > based on the policy.
> 
> We have to allow *some* kinds of mount but forbid all other ones.

I would think that the buildroot filesystem setup & mounting would be
done outside of the chroot process.

Bill




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]